Phishing Campaign Tied to Russia-Aligned Cyberespionage
US and European Officials Among the Targets of TA473/Winter Vivern, Researchers Say
A hacking group with apparent ties to Russia or Belarus has been using "simple yet effective attack techniques and tools" to gain access to multiple governments' email systems, researchers warn. They say the group's recent activities appear to be largely focused on cyberespionage operations in support of Russia's invasion of Ukraine.
Recent targets of the group have included U.S. elected officials and staffers, multiple European governments - including Ukrainian and Italian foreign ministry officials - plus Indian government officials and private telecommunications firms that support Ukraine, researchers at security firms Proofpoint and SentinelOne report.
One of the attack group's campaigns that has been active since at least last month has been scanning for public-facing, hosted Zimbra portals that have not yet been patched to fix a cross-site scripting vulnerability, designated CVE-2022-27926, present in Zimbra Collaboration version 9.0, Proofpoint reports.
Zimbra Collaboration, which until 2019 was known as the Zimbra Collaboration Suite, is email and collaboration software for Linux that also includes a productivity suite.
Last month, Ukraine's State Service of Special Communications and Information Protection reported in its assessment of 2022 hack attacks against Ukraine that attackers had been regularly targeting unpatched Zimbra systems.
In some cases, SSSCIP said, hackers would exploit hosted Zimbra portals as part of island hopping attacks, seeking to move through a chain of victims to eventually access their desired target, which might be government systems or energy systems they would try to disrupt.
TA473, aka UAC-0114, Winter Vivern
Proofpoint refers to the threat actor group behind the recent Zimbra campaign as TA473, while the Computer Emergency Response Team of Ukraine, CERT-UA, tracks the group as UAC-0114. Some security firms refer to it as Winter Vivern.
"This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe," said Michael Raggi, a threat researcher at Proofpoint.
The "resource-limited but highly creative group" remains notable for its ability to amass victims "using simple yet effective attack techniques and tools," Tom Hegel, a senior threat researcher with SentinelOne, said in a recent report.
The group was first publicly detailed in April 2021 by DomainTools, which identified a campaign using malicious documents to target "Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican." It named the group "Winter Vivern" based on a malicious macro that called out to a now-defunct directory named "wintervivern" on the secure-daddy[.]com file-hosting service to receive command-and-control instructions.
Earlier this month, researchers at SentinelOne reported that after appearing to go quiet - or else unnoticed - for much of 2021 and 2022, the group reappeared later last year with campaigns targeting Ukraine.
Last month, CERT-UA and Poland's CERT warned that the group had been behind attacks that used phishing sites designed to look like the websites of Ukraine's Security Service and the Polish Police. "A similar fraudulent web page was spotted impersonating the mail portal of the Ministry of Defense of Ukraine back in June 2022," they said.
The goal of the attacks, said CERT-UA, appeared to be to achieve persistence on systems and to exfiltrate files as part of an apparent cyberespionage campaign.
Highly Customized Payloads
Security experts say the threat group might not be flashy, but it seems to be very successful. "Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations," SentinelOne says.
When running a phishing campaign, they say, the group typically sends emails from legitimate WordPress-hosted domains it has compromised, but spoofs the sender address so the message appears to come from a peer organization relevant to the target. The body of the email will typically include a "benign URL" that links to "actor-controlled or compromised infrastructure," which then either pushes a downloader to install malware or redirects to a site designed to harvest the user's credentials.
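The sending pattern described above leaves a detectable trace in message headers: the visible From domain does not match the envelope sender, the host that delivered the message, or the domain of the link in the body. The following triage check is an added example, not code from the article or from either research firm; the two messages and all domains in it are constructed for illustration.

```python
import email
import email.utils
import re

# Constructed sample messages (not from the article). SPOOFED mimics the
# described pattern: From claims a peer organisation, while the envelope
# sender, delivering host and body link belong to an unrelated hosted site.
SPOOFED = """\
Return-Path: <wordpress@blog.wp-host.example.net>
Received: from blog.wp-host.example.net (blog.wp-host.example.net [203.0.113.10])
\tby mx.ministry.example.gov with ESMTP id 4abc123
From: "Policy Desk" <desk@partner-ministry.example.org>
To: official@ministry.example.gov
Subject: Updated guidance

Please review the updated guidance: https://portal.wp-host.example.net/guidance
"""

LEGIT = """\
Return-Path: <desk@partner-ministry.example.org>
Received: from mail.partner-ministry.example.org (mail.partner-ministry.example.org [198.51.100.5])
\tby mx.ministry.example.gov with ESMTP id 4abc124
From: "Policy Desk" <desk@partner-ministry.example.org>
To: official@ministry.example.gov
Subject: Updated guidance

Please review the updated guidance: https://www.partner-ministry.example.org/guidance
"""

def _addr_domain(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None

def _under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def spoof_indicators(raw_message):
    """List mismatches between the visible From domain and the envelope
    sender, the host in the newest Received hop, and every URL in the body."""
    msg = email.message_from_string(raw_message)
    from_dom = _addr_domain(msg["From"])
    if not from_dom:
        return ["no parseable From address"]
    findings = []
    rp_dom = _addr_domain(msg["Return-Path"])
    if rp_dom and not _under(rp_dom, from_dom):
        findings.append(f"envelope sender {rp_dom} is outside From domain {from_dom}")
    received = msg.get_all("Received") or []  # first entry = hop nearest to us
    hop = re.search(r"from\s+([A-Za-z0-9.-]+)", received[0]) if received else None
    if hop and not _under(hop.group(1).lower(), from_dom):
        findings.append(f"delivering host {hop.group(1)} is outside From domain {from_dom}")
    body = "" if msg.is_multipart() else msg.get_payload()
    for url_host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        if not _under(url_host.lower(), from_dom):
            findings.append(f"body link to {url_host} is outside From domain {from_dom}")
    return findings
```

A mismatch alone is not proof of phishing (mailing lists and outsourced senders also trigger it), so treat the findings as a triage signal to combine with SPF/DKIM/DMARC results rather than a verdict.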
Proofpoint says TA473's latest phishing campaign is largely similar to attacks the group previously crafted to target a cross-site scripting vulnerability in Zimbra, designated CVE-2021-35207, that was patched in July 2021.