
Pro-Russia cyber gang Winter Vivern puts US, Euro lawmakers in line of fire

Winter is coming for NATO countries

A cyber spy gang supporting Russia is targeting US elected officials and their staffers, in addition to European lawmakers, using unpatched Zimbra Collaboration software in two campaigns spotted by Proofpoint.

The advanced persistent threat (APT) group – which Proofpoint tracks as TA473 and the Ukrainian CERT has named UAC-0114, while other private security researchers call it Winter Vivern – was first discovered by DomainTools' team and has been active since December 2020.

At the time, the criminals were targeting government agencies in Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and the Vatican. The DomainTools researchers dubbed the miscreants "Winter Vivern" because of the group's earlier command-and-control beacon URL string of the same name.

In more recent campaigns disclosed earlier this year, the gang focused its attention on government agencies and officials in Ukraine, Poland, Italy and India, as well as telecommunications organizations supporting Ukraine during the ongoing war. 

Those campaigns typically relied on phishing emails, with lures spoofing government agencies or disguised as bogus antivirus software to trick targets into downloading malware-laden documents. The malware then allowed the crooks to steal credentials and establish persistence to spy on high-profile government networks.

"Winter Vivern APT falls into a category of scrappy threat actors, being quite resourceful and able to accomplish a lot with potentially limited resources while willing to be flexible and creative in their approach to problem-solving," SentinelOne senior threat researcher Tom Hegel wrote in his analysis.

The group expanded its list of targets late last year, according to new research by Proofpoint. Beginning in late 2022, the security shop's threat hunters "also observed phishing campaigns that targeted elected officials and staffers in the United States."

However, the targets and lures do share some things in common. "Often targeted individuals are experts in facets of European politics or economy as it pertains to regions impacted by the ongoing conflict. Social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict."

Additionally, as of early 2023, Proofpoint says the miscreants' phishing campaigns targeting European government agencies exploited CVE-2022-27926 – a critical cross-site scripting (XSS) vulnerability in Zimbra Collaboration version 9.0.0 instances that host public-facing webmail portals. The vendor patched this hole a year ago, on March 30, 2022.

Here's how these attacks work, according to Proofpoint:

TA473 is hyperlinking a benign URL in the body of a phishing email with a URL that leverages CVE-2022-27926. The malicious URL uses the webmail domain that has a vulnerable Zimbra Collaboration Suite instance and appends an arbitrary hexadecimal encoded or plaintext JavaScript snippet, which is executed as an error parameter when it is received in the initial web request. The JavaScript, once decoded, results in the download of a next stage bespoke JavaScript payload that conducts CSRF to capture usernames, passwords, and CSRF tokens from the user.

The threat hunters say they spotted Winter Vivern deploying the malicious JavaScript against "European governmental organizations" last month – they won't identify which ones. And the criminals used the campaigns to steal officials' usernames, passwords and active CSRF tokens. They then cached the stolen data on the attacker-controlled server, and logged in to legitimate mail portals using the stolen credentials and tokens.
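As an added illustration of the detection side of the chain described above (this is not code from the article or from Proofpoint): a small Python scanner that reads webmail access-log requests, hex-decodes values found in error-style query parameters, and flags script-like content, which is the kind of artifact this campaign leaves in a portal's logs. The parameter names, the `/mail` path and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Tokens that suggest script content rather than an ordinary error message.
SCRIPT_MARKERS = re.compile(
    r"<script|javascript:|\bdocument\.|\bwindow\.|\beval\(|\bfetch\(|XMLHttpRequest|\bonerror=",
    re.IGNORECASE)
# A value made only of hex byte pairs (at least 8 of them) is a candidate for hex decoding.
HEX_BLOB = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")
# Parameter names to inspect. The article only says the snippet "is executed as an
# error parameter"; these exact names are an assumption of this example.
SUSPECT_PARAMS = ("error", "err", "msg")

def decode_candidate(value: str) -> str:
    """Return the plaintext view of a value, hex-decoding it when it is a pure hex blob."""
    if HEX_BLOB.match(value):
        # A legitimate hex token (session id, hash) decodes to noise that matches no marker.
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def inspect_request(path: str) -> Optional[dict]:
    """Flag a request whose error-style parameter carries script-like content."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name in SUSPECT_PARAMS:
        for raw in params.get(name, []):
            decoded = decode_candidate(raw)
            if SCRIPT_MARKERS.search(decoded):
                return {"param": name, "hex_encoded": decoded != raw, "decoded": decoded}
    return None

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines) -> list:
    """Return (client_ip, path, finding) for each suspicious combined-format access log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (finding := inspect_request(m.group(2))):
            hits.append((m.group(1), m.group(2), finding))
    return hits

# Constructed sample traffic (not real logs); the hex value encodes "<script>alert(1)</script>".
HEX_PAYLOAD = "<script>alert(1)</script>".encode().hex()
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:09:12:01 +0000] "GET /mail?loginOp=logout HTTP/1.1" 200 512',
    f'203.0.113.5 - - [10/Mar/2023:09:12:07 +0000] "GET /mail?error={HEX_PAYLOAD} HTTP/1.1" 200 3021',
    '198.51.100.7 - - [10/Mar/2023:09:13:44 +0000] "GET /mail?error=Session%20expired HTTP/1.1" 200 2900',
]
```

Run `scan_access_log(SAMPLE_LOG)` to see only the second line flagged, with the decoded snippet attached; a plain-text `<script>` in the same parameter is also caught, while an ordinary hex session token is not.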

Proofpoint concurs with SentinelOne's assessment of Winter Vivern. While it may not be the most sophisticated APT crew, its scrappy, keep-at-it attitude – and its use of a repeatable process for breaking into high-profile geopolitical targets – keeps paying dividends.

"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint observed. 

The security researchers also "strongly recommend" patching all versions of Zimbra Collaboration used in publicly facing webmail portals. Again, it's worth noting that a fix for this flaw under active exploitation has been available for a year. ®
