Apr 19, 2026 · 8 min read
Russia Is Reading the Emails of Ukraine's Top Anti-Corruption Prosecutors—No Click Required
CERT-UA confirmed 170+ prosecutor and investigator accounts were compromised through a zero-click Roundcube webmail exploit. The same exploit chain threatens every newsroom, NGO, and law firm on self-hosted mail.
Ukraine's Computer Emergency Response Team confirmed this week that Russian military intelligence operators compromised more than 170 email accounts belonging to Ukrainian prosecutors and investigators, including staff at the Specialized Anti-Corruption Prosecutor's Office and the Asset Recovery and Management Agency—the two institutions most responsible for prosecuting corruption and seizing assets tied to Russian collaborators.
The attackers did not need a single prosecutor to click anything. The exploit fired the moment the email was opened.
What CERT-UA Documented
CERT-UA traced three distinct waves of intrusion activity attributed to APT28, the Russia-linked group also known as Fancy Bear, BlueDelta, and Forest Blizzard. Security researchers at Ctrl-Alt-Intel, who independently confirmed the attribution, documented 284 compromised inboxes across Ukrainian government institutions between September 2024 and March 2026. The 170+ figure cited by Ukrainian officials refers specifically to prosecutor and investigator accounts—the most sensitive subset of victims.
The targets were not random. Among the confirmed compromised institutions:
- Specialized Anti-Corruption Prosecutor's Office (SAP) — the office responsible for prosecuting high-level officials and oligarchs suspected of corruption tied to Russian interests
- Asset Recovery and Management Agency (ARMA) — the body that administers physical and financial assets seized from criminals and Russian collaborators, worth billions of dollars
- Multiple local government agencies across Ukraine
Spillover reached beyond Ukraine's borders. Some compromised accounts belonged to personnel in Romania, Bulgaria, Greece, and Serbia—NATO member states and Balkan partners whose law enforcement and intelligence services coordinate with Ukraine on Russian sanction evasion cases.
By March 2026, portions of the stolen material had already been published on anonymous leak channels.
The Attack Vector: Roundcube Without a Click
What makes this campaign technically notable is the exploit path. Roundcube is an open-source webmail client used by thousands of small and medium organizations, NGOs, law firms, regional governments, and hosting providers that cannot afford or do not trust commercial suites like Microsoft 365. It is the default webmail on many Linux server distributions and is particularly common in Eastern Europe and the Balkans.
APT28's operators chained Roundcube vulnerabilities that allow remote code execution when a user merely opens a malicious email. No link click. No attachment download. The relevant CVEs include:
- CVE-2025-49113 — a post-authentication remote code execution flaw with a CVSS score of 9.9, affecting Roundcube versions 1.1.0 through 1.6.10. Patched on June 1, 2025. Proof-of-concept exploit code was published within days of the patch, and CISA added it to the Known Exploited Vulnerabilities catalog.
- CVE-2025-68461 — a cross-site scripting flaw via the animate tag in SVG documents, affecting versions before 1.5.12 and 1.6.12. Patched in December 2025.
- CVE-2026-26079 — a CSS injection vulnerability reported by CERT Polska, affecting versions before 1.5.13 and 1.6.13.
The pattern matters: this is a sustained campaign mapped directly onto Roundcube's disclosure timeline. Each time a new vulnerability gets patched, APT28 pivots to the next one. Any organization running a self-hosted Roundcube instance that is more than one patch cycle behind is exposed to the same exploit chain that just compromised Ukraine's anti-corruption apparatus.
Why the Prosecutor Target List Is the Point
In the context of Russia's war against Ukraine, anti-corruption prosecutors are not just government employees. They hold the most sensitive material in the country:
- Witness statements from individuals cooperating against Russian-aligned oligarchs
- Financial intelligence mapping sanctioned assets and the shell companies hiding them
- Internal correspondence between prosecutors coordinating cross-border cases with partner agencies
- Classified source communications with journalists and whistleblowers
- Case strategy documents that can be used to predict which Russian-aligned figures are about to be indicted
Losing control of 170+ prosecutor inboxes is functionally an intelligence coup. Every witness whose name appears in a compromised inbox is now at risk. Every source who emailed a prosecutor has been burned. Every investigative theory under development can be countered before it becomes a public case.
ARMA's acting head Yaroslava Maksymenko publicly stated that "the review established that no access to internal information systems was obtained, and no data leak from databases or state information resources occurred." That language is carefully drafted. It does not claim that email contents were safe—only that the attackers did not pivot from compromised inboxes into internal systems. For the source whose name appears in an email, that distinction does not matter.
The Broader Pattern: Email as the Soft Underbelly
This campaign fits a pattern Ukrainian authorities have tracked since 2023 and that Western cybersecurity firms have documented against journalists, dissidents, and civil society operators worldwide. The MENA hack-for-hire campaign against Egyptian and Lebanese journalists used a different vector (Apple Messages phishing) but targeted the same category of victim: people whose inboxes contain source material. The Russian Forest Blizzard router campaign compromised 18,000 home routers to steal Microsoft Office tokens—again, email access without needing user credentials.
The consistent theme is that sophisticated state actors have moved past the perimeter. They are not trying to break into the SAP's network core. They do not need to. They read the emails that flow in and out of it, using vulnerabilities in the email software itself.
For journalists, NGO workers, activists, and lawyers working with sensitive sources in regions of Russian, Chinese, or Iranian interest, the implication is specific: the mail server your organization runs is an attack surface as important as any laptop or phone.
What Operational Security Actually Looks Like Now
For institutions and individuals handling source material:
- Do not run self-hosted Roundcube unless you patch within 24 hours of every disclosure. If you cannot commit to that cadence, migrate to a hosted solution with a dedicated security team. A webmail application that renders attacker-controlled HTML is one missed patch away from an RCE.
- Enforce mandatory TLS and SPF/DKIM/DMARC. Many Roundcube deployments in the Balkans and Eastern Europe still accept unsigned mail, which makes phishing the first wave trivial.
- Segment webmail traffic. A compromised webmail host should not be on the same network segment as internal case management systems.
- Move sensitive source communications off email entirely. Signal or similar end-to-end encrypted messengers with disappearing messages are not a complete solution, but they materially reduce the damage from any single email compromise.
- Assume your email archive is already breached. For any source who communicated with your institution since 2023, plan for the possibility that the attacker already has those messages. Contact the sources. Let them take precautions.
- Compartmentalize. The prosecutors who lost their inboxes were handling high-stakes investigations. Those investigations should not live in the same mailbox as routine administrative correspondence.
Attribution Is Not the Remedy
Ukrainian officials and independent researchers are near-unanimous in attributing this campaign to APT28, the same GRU unit linked to the 2016 DNC hack, the 2018 Olympic Destroyer attack, the TV5 Monde takedown, and years of phishing against European journalists. Attribution is necessary for sanctions, diplomatic protest, and the historical record.
It is not a defense. The prosecutors who had their inboxes read still had their inboxes read. The sources whose names are in those inboxes still face consequences. For anyone running a webmail server outside the protective umbrella of Microsoft or Google, the question is not "was APT28 behind this?" but "am I running software that is one patch cycle behind?"