Overview
Ukraine's Computer Emergency Response Team (CERT-UA) has confirmed an active espionage campaign attributed to APT28 (also known as Fancy Bear and Forest Blizzard), a threat actor associated with Russia's GRU military intelligence directorate. The campaign targets Ukrainian prosecutors and anti-corruption agencies, leveraging vulnerabilities in the widely used Roundcube open-source webmail platform.
The intrusions are particularly alarming because they require no user interaction beyond opening an email — malicious code executes automatically upon message viewing, with no attachment clicks or link visits required.
Campaign Details
CERT-UA confirmed the campaign is actively ongoing as of April 2026 and has notified affected organizations. The attackers targeted personnel at institutions involved in:
- Prosecutorial agencies handling war crimes and national security cases
- Anti-corruption bodies investigating government misconduct
- Legal and judicial entities with access to sensitive case materials
The targeting pattern is consistent with APT28's documented focus on Ukrainian government institutions and high-value intelligence targets related to the ongoing conflict.
Technical Exploitation: Roundcube Vulnerabilities
The attack chain exploits vulnerabilities in Roundcube, an open-source webmail client used by many Ukrainian government organizations. The specific flaws allow:
- Zero-interaction code execution — malicious JavaScript or server-side code executes when the victim's browser renders the email in the Roundcube interface
- Session hijacking — the attacker can capture the victim's webmail session token
- Email exfiltration — access to the victim's inbox and sent mail is established silently
- Address book harvesting — contacts are extracted for further spear-phishing
Attack chain:
1. APT28 crafts malicious email exploiting Roundcube rendering vulnerability
2. Email delivered to target's inbox (no spam filtering bypass required)
3. Victim opens email in Roundcube webmail
4. Malicious payload executes in victim's browser context
5. Session token captured — attacker gains authenticated access
6. Emails, contacts, and attachments silently exfiltrated
7. Lateral movement: harvested contacts used for further targeting
APT28 Background
APT28 (also tracked as Fancy Bear, STRONTIUM, Forest Blizzard, and Pawn Storm) is one of the most prolific and technically sophisticated state-sponsored threat actors in operation. The group:
- Operates under the direction of Russia's GRU Unit 26165
- Has been active since at least 2004
- Has previously targeted NATO governments, election infrastructure, and defence contractors
- Has a history of exploiting Roundcube and other open-source webmail platforms in campaigns against government targets
Previous APT28 Roundcube campaigns have targeted foreign ministries, embassies, and military organizations across Europe and Central Asia.
Why This Campaign Is Significant
The targeting of anti-corruption agencies and prosecutors reveals the strategic motivation behind the attack: intelligence collection on ongoing investigations that could implicate Russian state actors or expose collaboration networks. Access to prosecutorial communications could:
- Reveal the identities of witnesses or informants in war crimes investigations
- Expose evidence collection strategies before indictments
- Allow Russia to anticipate or undermine legal proceedings at international tribunals
The zero-interaction nature of the Roundcube exploit makes mass targeting feasible — a single malicious email sent to an entire organization can silently compromise all recipients who open it.
Recommendations
Organizations using Roundcube webmail should act immediately:
- Patch Roundcube — update to the latest stable release, which addresses the known XSS and code execution vulnerabilities
- Audit webmail server logs — review for anomalous JavaScript execution, unexpected redirects, or unusual outbound connections
- Enable content security policies (CSP) on webmail servers to restrict inline script execution
- Implement multi-factor authentication on all webmail access — session hijacking is significantly mitigated with MFA
- Migrate to modern webmail — consider migrating to alternatives with stronger sandboxing and more frequent security patching
- Conduct phishing awareness training — although this attack requires no user interaction beyond email opening, user awareness of suspicious email origins remains a first-line defence
- Network monitoring — deploy NDR solutions to detect unusual data exfiltration patterns from webmail servers
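The log-audit recommendation above can be made concrete for the session-hijacking step in the attack chain. The following Python script is an added example, not code from CERT-UA or the Roundcube project: it groups webmail requests by session id and flags any session that is replayed from a second client address shortly after the victim's own requests, with extra weight when that second client pulls bulk data such as an address-book export. The one-line-per-request log layout, the sample entries and the BULK_ACTIONS watch list are constructed assumptions; only the `_task`/`_action` query parameters in the sample paths follow Roundcube's real URL scheme.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log, one request per line (assumption: a simplified
# layout, not any real web-server or Roundcube log format; adapt LINE_RE).
SAMPLE_LOG = """\
2026-04-10T09:00:01Z 10.0.0.12 sess=abc123 user=ivan GET /?_task=mail&_action=show&_uid=4012 ua=Firefox
2026-04-10T09:00:03Z 10.0.0.12 sess=abc123 user=ivan GET /?_task=mail&_action=list ua=Firefox
2026-04-10T09:02:40Z 198.51.100.7 sess=abc123 user=ivan GET /?_task=mail&_action=list ua=curl/8.0
2026-04-10T09:03:05Z 198.51.100.7 sess=abc123 user=ivan GET /?_task=addressbook&_action=export ua=curl/8.0
2026-04-10T09:10:00Z 10.0.0.33 sess=def456 user=olena GET /?_task=mail&_action=show&_uid=77 ua=Chrome
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) user=\S+ "
                     r"\S+ (?P<path>\S+) ua=(?P<ua>.+)$")
BULK_ACTIONS = {("addressbook", "export")}  # hypothetical watch list of bulk-read actions

def parse(log_text):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec

def task_action(path):
    # Return (_task, _action) from a Roundcube-style query string.
    params = dict(p.split("=", 1) for p in path.partition("?")[2].split("&") if "=" in p)
    return params.get("_task"), params.get("_action")

def find_hijacked_sessions(log_text, window=timedelta(minutes=30)):
    """Map session id -> reasons when that id is replayed from a second client IP within `window`."""
    by_sess = defaultdict(list)
    for rec in parse(log_text):
        by_sess[rec["sess"]].append(rec)
    findings = {}
    for sess, recs in by_sess.items():
        recs.sort(key=lambda r: r["ts"])
        first = recs[0]
        later = [r for r in recs[1:] if r["ts"] - first["ts"] <= window]
        foreign = [r for r in later if r["ip"] != first["ip"]]
        reasons = []
        if foreign:
            clients = sorted({f"{r['ip']} ({r['ua']})" for r in foreign})
            reasons.append("session reused from " + ", ".join(clients))
        bulk = [task_action(r["path"]) for r in foreign if task_action(r["path"]) in BULK_ACTIONS]
        if bulk:
            reasons.append("bulk data action from foreign client: %s" % bulk)
        if reasons:
            findings[sess] = reasons
    return findings
```

A legitimate user switching networks (office Wi-Fi to mobile) will also trip the IP check, so treat a hit as a triage lead and let the bulk-action reason, not the IP change alone, drive escalation.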