Global Surveillance Campaign Targets Government Webmail Through XSS Exploits


Amid the ongoing conflict between Russia and Ukraine, the digital battlefield remains as active as the one on the ground. Researchers have identified a sophisticated, ongoing global hacking campaign, known as "Operation RoundPress", that marks a disturbing escalation of cyberespionage activity. The campaign strategically targets the webmail servers of high-profile government entities across multiple nations in order to intercept sensitive communications.

New research from cybersecurity firm ESET indicates that the attackers have been exploiting both zero-day vulnerabilities (previously unknown security flaws) and n-day vulnerabilities (flaws that have been public for some time but remain unpatched on the targeted systems). ESET attributes the campaign with moderate confidence to APT28, a well-known Russian state-sponsored threat actor also tracked as Fancy Bear or Sednit.

The group, thought to operate under the direction of Russia's military intelligence agency, the GRU, is a very well-known cyber-attack organisation, notorious for high-profile intrusions into foreign elections and for gathering information on political and military targets. APT28, also known as Fancy Bear, Sednit, and Sofacy, is among the most infamous and persistent state-sponsored hacking groups active today.

APT28 has been connected to numerous high-impact cyber operations over the last two decades and is believed to be closely tied to the GRU. The group has previously drawn international scrutiny for its involvement in the 2016 Democratic National Committee (DNC) hack, the TV5Monde cyberattack, and numerous cyber-espionage campaigns targeting government institutions and defence agencies across several continents.

In Operation RoundPress, its latest campaign, the group appears to have intensified its efforts to steal sensitive information from targeted email accounts. ESET researcher Matthieu Faou stated that the operation was designed to collect confidential information, particularly from organisations of strategic or geopolitical significance.

The majority of victims are governmental entities and defence companies, Faou explained, while government officials in Africa, Europe, and South America have also been targeted. The breadth of APT28's targeting and the carefully curated nature of its victim selection show that the operation continues to advance the Russian government's intelligence-gathering objectives through cyberspace.

The group's ability to adapt its techniques and pivot to new geographical regions demonstrates not only its technological sophistication but also how extensive modern state-sponsored cyber threats have become. Operation RoundPress has been ongoing since 2023, with the threat actors continuing through 2024 to evolve their techniques and adopt new exploits against a range of popular open-source and commercial webmail platforms.

These platforms include Roundcube, Horde, MDaemon, and Zimbra, all widely used in government and business settings. The campaign's global reach and methodical exploitation of email infrastructure make clear that it is intended to obtain persistent access to important government communications, and it demonstrates the persistent, adaptable threat that nation-state-backed hacking groups pose in today's volatile geopolitical environment.

A detailed analysis of Sednit's operations reveals that it has intensified activity against Ukrainian targets, deploying advanced intrusion techniques to gather intelligence and disrupt systems. The group has been in the news for some time: in 2016, the U.S. Department of Justice publicly accused it of orchestrating the hack of the Democratic National Committee (DNC) in the lead-up to the U.S. presidential election, an incident that demonstrated the geopolitical consequences of cyber warfare in the twenty-first century.

Operation RoundPress exemplifies the emerging class of state-backed digital threats and shows how cyberattacks are increasingly deployed as strategic weapons in international conflicts. The campaign is the latest instance of Russia's continued aggressive cyber warfare, aligned closely with Russian political objectives, and it reinforces the urgent need for robust cybersecurity measures on a global scale.

Researchers first identified Operation RoundPress, a sophisticated cyber-espionage campaign linked to the Russian state-linked group Sednit (also known as APT28 or Fancy Bear), in 2023. At first, the attackers exploited a known vulnerability in the open-source webmail application Roundcube, CVE-2020-35730. By 2024, however, they had significantly expanded both the scope and the technical sophistication of the campaign.

The threat actors also began exploiting other vulnerabilities, including a zero-day (CVE-2024-11182) in the MDaemon webmail platform, demonstrating their ability to adapt and evolve in real time as the campaign progressed. Their usual means of compromise is a spearphishing email carrying a cross-site scripting (XSS) exploit.

The email is crafted so that a malicious JavaScript payload executes when the message is viewed in a webmail client vulnerable to the flaw. With this tactic, attackers can harvest email credentials, message content, and contact lists, and even bypass two-factor authentication (2FA) protections, giving them long-term access to sensitive data without detection.

ESET researchers, who discovered and analysed Operation RoundPress, attribute it to Sednit with medium confidence, based on infrastructure overlaps, phishing techniques, and code-level similarities with previously documented Sednit operations.

According to their research, the primary targets have been governmental agencies and defence contractors throughout Eastern Europe, particularly those involved in the ongoing conflict in Ukraine. The campaign has also extended to several European Union member states, and incidents have been observed in Africa and South America, showing that the campaign has global ambitions and reinforcing concerns about the growing threat of nation-state cyber activity.

Operation RoundPress shows state-sponsored threat actors exploiting long-standing weaknesses in widely used webmail platforms to reach high-value targets. One of the key factors in the campaign's success was the use of multiple cross-site scripting (XSS) vulnerabilities to stealthily inject malicious JavaScript payloads into routine email communications.

By exploiting vulnerabilities in several commercial and open-source webmail systems, the attackers gained access to sensitive data and user credentials and even circumvented multi-factor authentication mechanisms. The ESET researchers who analysed Operation RoundPress identified the following known and previously unknown vulnerabilities exploited in the campaign:

Roundcube – CVE-2020-35730: First exploited in 2023, this stored XSS vulnerability allowed attackers to embed malicious JavaScript directly into email bodies. The script ran automatically whenever the user opened the message in the Roundcube interface, allowing the attackers to steal credentials and hijack sessions.

Roundcube – CVE-2023-43770: This vulnerability, caused by improper sanitisation of hyperlink text, allowed the attackers in early 2024 to insert script tags into the email content so that malicious code ran when the message was viewed.

MDaemon – CVE-2024-11182: This zero-day in MDaemon's HTML parser was exploited in 2024. The exploit used a malicious title attribute on a noembed tag and hid a JavaScript payload in an image onerror handler. The attackers used this technique to extract credentials, bypass two-factor authentication, and establish persistent access by creating App Passwords as a mechanism to defeat two-factor authentication.

Horde – unspecified XSS: APT28 also attempted to exploit an older XSS flaw in Horde's mail system, again using a payload in an image onerror handler. The attempt failed because of improved input filtering in newer Horde releases. Researchers have not been able to identify the exact CVE, but the vulnerability is believed to have since been fixed.

Zimbra – CVE-2024-27443: Attackers exploited a previously unknown XSS flaw in Zimbra's calendar module. By injecting unsanitised input via the X-Zimbra-Calendar-Intended-For header, APT28 was able to embed a JavaScript payload in calendar invitations that executed when the invitation was viewed.
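Every entry in the list above reduces to the same handful of HTML primitives reaching a webmail client's rendering path: an inline script tag, an event-handler attribute such as onerror on an image, a script-capable URL, markup on an element like noembed, or raw markup smuggled through a header value. The following added example, which is not code from ESET or from the post and does not reproduce any of the real exploits, shows one defensive pass that both reports those primitives and emits an allowlist-sanitised copy of the body. The sample messages, the `scan_email` function and its simplified header dictionary are all constructed for this illustration.

```python
"""Added example (not ESET's or the post's code): scan HTML email bodies and
headers for the XSS primitives described above and emit a sanitised copy.
All sample messages are constructed for this example."""
import html
import re
from html.parser import HTMLParser

# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noembed",
                     "noscript", "svg", "math", "template"}
# Elements kept in the sanitised output; any other tag is unwrapped (text kept).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "img", "div", "span",
                "table", "thead", "tbody", "tr", "td", "th", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "pre"}
VOID_TAGS = {"br", "img", "hr", "embed", "input", "meta", "link"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "colspan", "rowspan", "width", "height"}
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
EVENT_ATTR = re.compile(r"^on\w+$", re.I)
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]")


def script_capable_url(value):
    """True for javascript:/vbscript:/data: URLs, even when the scheme is padded
    with tabs or newlines or was hidden behind character references (HTMLParser
    unescapes attribute values before we see them)."""
    normalised = CONTROL_OR_SPACE.sub("", value or "").lower()
    return normalised.startswith(("javascript:", "vbscript:", "data:"))


class EmailHtmlSanitizer(HTMLParser):
    """Allowlist sanitiser that also records what it removed, so one pass serves
    both as a detector (findings) and as a defensive filter (parts)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []
        self.parts = []
        self.skip_depth = 0  # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.findings.append(f"dropped <{tag}> element and its content")
            if tag not in VOID_TAGS:
                self.skip_depth += 1  # an unterminated <svg> swallows the rest: fails closed
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unwrapped unexpected <{tag}> tag")
            return
        kept = []
        for name, value in attrs:  # HTMLParser already lower-cases names
            if EVENT_ATTR.match(name):
                self.findings.append(f"removed event handler {name} on <{tag}>")
            elif name in URL_ATTRS and script_capable_url(value):
                self.findings.append(f"removed {name} with script-capable URL on <{tag}>")
            elif name in ALLOWED_ATTRS:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.findings.append("dropped HTML comment")


def scan_email(headers, body_html):
    """Return (findings, sanitised_html) for one message. `headers` is a plain
    dict of header name to value, a hypothetical simplified representation."""
    # A header value should never carry markup; the Zimbra flaw above was reached that way.
    findings = [f"markup in header {name}" for name, value in headers.items()
                if re.search(r"[<>]", value)]
    parser = EmailHtmlSanitizer()
    parser.feed(body_html)
    parser.close()
    return findings + parser.findings, "".join(parser.parts)


# Constructed sample messages modelled on the primitives named in the write-up.
SAMPLE_MESSAGES = {
    "benign": ({"Subject": "Meeting notes"},
               '<p>Hi, <a href="https://example.org/agenda">agenda</a> attached.</p>'),
    "img-onerror": ({"Subject": "Invoice"},
                    '<p>See below</p><img src="x" onerror="alert(1)">'),
    "noembed-title": ({"Subject": "Report"},
                      '<noembed title="payload"><b>x</b></noembed><p>body</p>'),
    "calendar-header": ({"Subject": "Invite",
                         "X-Zimbra-Calendar-Intended-For": "<script>alert(1)</script>"},
                        "<p>invite</p>"),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLE_MESSAGES.items():
        findings, clean = scan_email(headers, body)
        print(f"{label}: {findings or 'clean'}\n  -> {clean}")
```

The design choice worth noting is that the filter is an allowlist, not a blocklist: unknown tags and attributes are dropped by default, so a parser quirk like the noembed title attribute never reaches the output even if nobody anticipated it, and anything that is removed is written to the findings list so the same code can feed a detection pipeline. In a real deployment this logic belongs at the point where a webmail client renders a message, backed by a Content-Security-Policy that blocks inline script as a second layer.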

ESET's investigation found no evidence of Operation RoundPress activity in 2025; however, the researchers warn that the techniques used, particularly those relying on XSS, remain highly relevant. With new vulnerabilities continuously being discovered in webmail clients, the risk of similar attacks remains high.

The campaign is a powerful reminder that vigilant patching, secure coding, and layered email security are essential for protecting against nation-state attacks. The revelations surrounding Operation RoundPress underscore an important reality: the cyber threat landscape is evolving faster than many organisations are capable of adjusting to.

It is increasingly evident that cybersecurity is no longer merely a technical issue; it is a matter of national resilience and strategic foresight, and state-sponsored adversaries like APT28 exploit any weakness in it. Governments, the defence industry, and corporations must reevaluate the robustness of their digital ecosystems, especially the systems underlying communication and collaboration, in light of these developments.

Proactive threat detection, meticulous patch management, and zero-trust architectures must be prioritised. Because the sophistication of these campaigns keeps growing, international cooperation, intelligence sharing, and investment in next-generation security solutions must also be strengthened. Operation RoundPress has acted as a wake-up call for companies operating in high-risk sectors: vigilance, speed, and adaptability are now essential components of any serious defence against cybercrime.