APT28 Linked to Espionage Wave Hitting Ukrainian Prosecutors and Anti-Corruption Bodies

April 18, 2026 04:00 · 5 min read
Ukrainian Officials Acknowledge Ongoing Russian Espionage Campaign

A senior Ukrainian cyber official has publicly confirmed that multiple government agencies were targeted in a sustained cyber-espionage operation attributed to a Russian state-linked threat actor. Taras Dzyuba, head of the information communications department at Ukraine's State Service of Special Communications and Information Protection (SSSCIP), spoke with Recorded Future News and acknowledged that authorities had been aware of the attacks for some time.

The confirmation follows a Reuters report published earlier this week revealing that hackers with ties to Russia had infiltrated more than 170 email accounts belonging to prosecutors and investigators across Ukraine over recent months. Dzyuba indicated that the activity described in that report appears to be one component of a broader campaign that Ukrainian authorities have been actively monitoring since 2023.

Three Waves of Intrusions Identified by CERT-UA

Ukraine's computer emergency response team, CERT-UA, has tracked and identified three distinct waves of attacks that investigators believe are connected to the same overarching operation. The intrusions share a common technical hallmark: the exploitation of vulnerabilities in the widely used open-source Roundcube webmail platform.

These vulnerabilities are particularly dangerous because they allow attackers to execute malicious code on a victim's device simply by having the target open a specially crafted email. No clicks on links or downloads of attachments are required, significantly lowering the barrier to successful compromise and making detection more difficult for end users.

CERT-UA has previously documented multiple APT28 attacks leveraging Roundcube vulnerabilities, indicating this is an established and recurring tactic for the group.

Attribution to APT28 and the GRU

Researchers at Ctrl-Alt-Intel, whose findings were cited in the Reuters report, formally attributed the campaign to the hacking collective known as APT28 — a group that also operates under the aliases Fancy Bear, BlueDelta, and Forest Blizzard. Western governments and leading cybersecurity firms widely assess APT28 as operating under the direction of Russia's military intelligence agency, the GRU.

Dzyuba confirmed that all indicators identified by Ukrainian authorities are consistent with this attribution, aligning the SSSCIP's assessment with that of independent researchers.

Geographic Scope Extends Beyond Ukraine

According to the Ctrl-Alt-Intel report, the overwhelming majority of victims in the latest campaign were located in Ukraine. However, a subset of compromised accounts was linked to neighboring NATO member states and Balkan countries, including Romania, Bulgaria, Greece, and Serbia. This broader geographic targeting underscores the campaign's potential strategic implications beyond Ukraine's borders.

Anti-Corruption Agencies Among Those Targeted

Several high-profile Ukrainian institutions were reportedly affected by the operation. Among them were the Specialized Anti-Corruption Prosecutor's Office (SAP) and the Asset Recovery and Management Agency (ARMA), the body responsible for managing assets seized from criminals and individuals who collaborated with Russia.

ARMA's acting head, Yaroslava Maksymenko, confirmed on Thursday that the agency's employees had been targeted in a Russian cyberattack. However, she stressed that the attackers did not succeed in penetrating ARMA's internal infrastructure.

"The review established that no access to internal information systems was obtained, and no data leak from databases or state information resources occurred," Maksymenko stated in remarks to the Interfax-Ukraine news agency.

SAP, for its part, announced earlier this week that it had initiated an internal review following reports that Russian hackers had breached dozens of email accounts belonging to Ukrainian law enforcement personnel, including SAP staff. As of the time of reporting, investigators had not uncovered evidence that data was exfiltrated from SAP systems, though that review remains ongoing.

Potential for Disinformation Exploitation

Beyond the immediate intelligence-gathering implications, Dzyuba warned of a secondary threat posed by these intrusions. He noted that some information allegedly stolen from several Ukrainian state agencies during these attacks was published online in early March, though he assessed that the leaked material was unlikely to include genuinely confidential data.

More concerning, in Dzyuba's view, is Russia's potential use of these cyber incidents as raw material for disinformation campaigns designed to discredit Ukrainian institutions — particularly agencies involved in anti-corruption efforts and asset recovery. The strategic targeting of SAP and ARMA, bodies central to Ukraine's accountability mechanisms, suggests the campaign may serve political and information-warfare objectives alongside traditional espionage goals.

A Pattern of Targeting Ukrainian Infrastructure

This latest confirmed campaign fits within a well-documented pattern of Russian cyber operations against Ukrainian government entities. APT28 has repeatedly demonstrated an interest in Ukrainian civil and law enforcement institutions, using technical exploits combined with broader influence operations to maximize impact. The Roundcube vulnerabilities, exploited across multiple waves dating back to at least 2023, represent a persistent and evolving toolkit that the group continues to refine and deploy against high-value targets.

Ukrainian authorities have not disclosed the specific CVE identifiers associated with the Roundcube vulnerabilities exploited in this campaign, but the recurring nature of such attacks highlights the importance of keeping webmail platforms and related software fully patched and subject to rigorous security monitoring.


Source: The Record
