Cyber Threat Report: 'Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign'

The Insikt Group has observed the TAG-70 using cross-site scripting (XSS) vulnerabilities to target Roundcube webmail servers in Europe. The group's focus is on government, military, and national infrastructure-related entities. The observed activities overlap with those reported by other security vendors under aliases of Winter Vivern, TA473, and UAC0114. The group likely serves the interests of Belarus and Russia and has been active since at least December 2020, with primary targets in European and Central Asian governments. In their most recent campaign, TAG-70 began exploiting Roundcube webmail servers around October 2023. At least 80 organizations were targeted, primarily in Georgia, Poland, and Ukraine. This campaign is linked to TAG70's activity against Uzbekistan government mail servers, previously reported by Insikt Group in February 2023.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Password Policies

Set and enforce secure password policies for accounts.

Application Developer Guidance

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Active Directory Configuration

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

Account Use Policies

Configure features related to account use like login attempt lockouts, specific login times, etc.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...

Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Application Isolation and Sandboxing

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

Threat Intelligence Program

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

Update Software

Perform regular software updates to mitigate exploitation risk.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.