Ukraine Confirms Suspected APT28 Campaign Targeting Prosecutors and Anti-Corruption Agencies


What happened

Ukrainian authorities have confirmed that several government agencies were targeted in a long-running cyber-espionage campaign that Ukrainian officials believe is linked to APT28, the Russian military intelligence-affiliated group also known as Fancy Bear, BlueDelta, and Forest Blizzard. Taras Dzyuba, head of the information communications department at Ukraine’s State Service of Special Communications and Information Protection, said the activity aligns with a broader campaign that Ukrainian authorities have tracked since 2023, with CERT-UA identifying three waves of attacks believed to form part of the same operation. The intrusions exploited vulnerabilities in the open-source Roundcube webmail platform, allowing attackers to execute malicious code as soon as a victim opened an email, with no click or download required. More than 170 email accounts belonging to Ukrainian prosecutors and investigators were reportedly compromised.

Among the affected institutions are the Specialized Anti-Corruption Prosecutor’s Office (SAP) and the Asset Recovery and Management Agency (ARMA), which manages assets seized from criminals and Russian collaborators. ARMA confirmed its employees were targeted but said attackers did not access internal systems or databases. SAP said it has launched a review and found no evidence of data theft so far, though the investigation is ongoing. Some data allegedly stolen from Ukrainian state agencies was published online in March, though Dzyuba said the leaked material was unlikely to contain confidential information. Ukrainian officials also warned that Russia may use the intrusions as a basis for disinformation campaigns aimed at discrediting Ukrainian institutions.

Who is affected

Ukrainian prosecutors, investigators, and anti-corruption agency staff are the primary confirmed targets. Compromised accounts were also linked to personnel in neighboring NATO countries and the Balkans, including Romania, Bulgaria, Greece, and Serbia. Organizations using Roundcube as a webmail platform face broader exposure given the zero-interaction nature of the exploit.

Why CISOs should care

A zero-interaction email exploit, one that executes on open rather than requiring a click, is among the most difficult attack vectors to defend against through user awareness alone. The Roundcube vulnerabilities at the center of this campaign have now been linked to multiple APT28 operations over several years, making them a reliable indicator of ongoing risk for any organization still running unpatched instances. The campaign’s expansion beyond Ukraine into NATO-adjacent countries signals that the targeting scope is widening.

3 practical actions

  1. Audit Roundcube deployments immediately: Identify any instances of the Roundcube webmail platform in use across your organization or supply chain and confirm they are patched against the vulnerabilities exploited in this campaign.
  2. Treat zero-interaction email exploits as a priority threat model: Review whether your email security controls — including sandboxing, content inspection, and server-side rendering — are capable of catching malicious payloads that trigger on message open rather than on user interaction.
  3. Assess exposure in NATO-adjacent and Eastern European operations: Organizations with staff, partners, or infrastructure in Romania, Bulgaria, Greece, Serbia, or Ukraine should review account security and access controls for those environments given the confirmed geographic spread of this campaign.
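As an illustration of the kind of server-side content inspection that action 2 calls for, here is a small added example (written for this article, not code from Roundcube, CERT-UA, or any vendor). It assumes a defender wants to flag HTML mail parts that carry markup a client would execute on render rather than on a click: script elements, inline event handlers, embedded SVG, and `javascript:`/`vbscript:` URLs. The two messages below are constructed for the demonstration; the tag and attribute lists are an assumed starting policy, not a list taken from the campaign.

```python
"""Flag HTML e-mail parts that carry content executed on render.

Added example for this article, not Roundcube's or CERT-UA's code.
Assumes a defender wants a pre-render check for markup that runs with
no user interaction. Sample messages below are constructed.
"""
from email import message_from_string
from html.parser import HTMLParser

# Assumed policy: elements a webmail client should never need to execute.
ACTIVE_TAGS = {"script", "svg", "iframe", "object", "embed"}
# Assumed policy: URL schemes that run code when followed or rendered.
ACTIVE_URL_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src", "xlink:href", "action", "data"}


class ActiveContentScanner(HTMLParser):
    """Collect findings for active markup; HTMLParser lowercases names."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                # on* attributes (onload, onerror, ...) fire without a click.
                self.findings.append(f"inline handler {name}= on <{tag}>")
            elif name in URL_ATTRS and value:
                scheme = value.strip().lower()
                if scheme.startswith(ACTIVE_URL_SCHEMES):
                    self.findings.append(
                        f"{name}={scheme.split(':', 1)[0]}: URL on <{tag}>")


def scan_message(raw: str) -> list[str]:
    """Return findings for every text/html part of a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():  # yields the message itself if not multipart
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        body = payload.decode(part.get_content_charset() or "utf-8",
                              errors="replace")
        scanner = ActiveContentScanner()
        scanner.feed(body)
        findings.extend(scanner.findings)
    return findings


# Constructed sample: plain HTML mail with an ordinary https link.
BENIGN = """\
From: a@example.test
To: b@example.test
Subject: quarterly report
Content-Type: text/html; charset=utf-8

<html><body><p>See attached.</p>
<a href="https://intranet.example.test/report">report</a></body></html>
"""

# Constructed sample: multipart mail whose HTML part carries active markup.
SUSPECT = """\
From: billing@example.test
To: prosecutor@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Invoice attached.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Invoice</p>
<svg onload="alert(1)"></svg>
<a href="javascript:alert(2)">open</a></body></html>
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_message(raw) or "no findings")
```

Run as a filter in front of the webmail store, a non-empty result is a reason to quarantine or strip the HTML part and to record the sender and recipient for follow-up; an empty result does not prove the message is safe, since a parser bug in the client is not something markup inspection can see.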
