Security News > 2023 > June > Russian APT28 hackers breach Ukrainian govt email servers

A threat group tracked as APT28 and linked to Russia's General Staff Main Intelligence Directorate has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities.
In these attacks, the cyber-espionage group leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers.
After breaching the email servers, the Russian military intelligence hackers deployed malicious scripts that redirected the incoming emails of targeted individuals to an email address under the attackers' control.
"We identified BlueDelta activity highly likely targeting a regional Ukrainian prosecutor's office and a central Ukrainian executive authority, as well as reconnaissance activity involving additional Ukrainian government entities and an organization involved in Ukrainian military aircraft infrastructure upgrade and refurbishment," the Insikt Group said.
Notably, Recorded Future says this campaign overlaps with previous attacks linked to APT28 when they exploited a critical Microsoft Outlook zero-day vulnerability to target European organizations in attacks that also didn't require user interaction.
Google's Threat Analysis Group also recently revealed that roughly 60% of all phishing emails targeting Ukraine in the first quarter of 2023 were sent by Russian attackers, with the APT28 hacking group one of the major contributors to this malicious activity.
News URL
Related news
- Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector (source)
- Silk Typhoon hackers now target IT supply chains to breach networks (source)
- Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits (source)
- Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom (source)
- Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers (source)
- Oracle denies breach after hacker claims theft of 6 million data records (source)
- Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years (source)
- StreamElements discloses third-party data breach after hacker leaks data (source)
- Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp (source)
- Hackers lurked in Treasury OCC’s systems since June 2023 breach (source)