TAG-70 Spying Campaign Targets Europe, Iran
The ongoing war in Ukraine has intensified an already complex cyberwarfare landscape, and groups like TAG-70 underscore the urgent need to counter state-sponsored espionage actors. Also tracked under the names Winter Vivern, TA473, and UAC-0114, TAG-70 has conducted sustained operations since at least December 2020, likely serving Belarusian and Russian interests by targeting government, military, and critical infrastructure organizations in Europe and Central Asia. The threat actor, identified by Recorded Future's Insikt Group, uses well-developed techniques to gain access to and exploit victim networks, in a campaign of digital espionage that crosses borders and reaches into some of the most closely guarded domains.
Since December 2020, TAG-70 has methodically targeted government, military, and national infrastructure organizations by exploiting cross-site scripting vulnerabilities in Roundcube webmail servers. This choice of targets points to espionage aimed at the political and military affairs of Europe and Central Asia, serving the clandestine interests of Belarus and Russia.
The TAG-70 threat actor demonstrates advanced technical capabilities and combines multiple attack methods:
- Phishing and Impersonation: By creating carefully crafted lures and mimicking credible organizations, TAG-70 tricks victims into surrendering sensitive information or downloading malware.
- Zero-Day Exploitation: Their recent exploitation of a zero-day vulnerability (CVE-2023-5631) in Roundcube webmail underscores TAG-70’s willingness to capitalize on previously unknown software flaws to breach defenses.
- Psychological Manipulation: TAG-70 uses social engineering to make targets more likely to act on its lures. Attacks may be tailored to specific targets, exploiting established trust to improve the chance of success.
The targeting of entities in Georgia, Poland, Ukraine, and even Iran's embassies reflects the geopolitical motivations behind TAG-70's espionage. Its careful selection of victims sheds light on those motivations:
- Disrupting Ukraine and the NATO Response: Compromising Ukrainian and allied government and military communication channels is strategically advantageous. Disrupting aid coordination and exposing war planning would provide an information edge.
- Regional Intelligence Gathering: Infiltrating mail servers of Eastern European countries like Georgia and Poland potentially reveals internal tensions or insights into evolving diplomatic alignments.
- Iranian Espionage: In light of Iran’s growing support for Russia, TAG-70’s actions highlight a desire to monitor diplomatic activity and assess current policy initiatives between these nations.
TAG-70's operations are a stark reminder that advanced threat actors pose not just a localized risk but a growing threat to globally interconnected systems.