Winter Vivern, an advanced persistent threat (APT) actor, has expanded its cyber espionage campaign by targeting officials in Europe and the U.S. This campaign involves leveraging an unpatched Zimbra vulnerability in publicly facing webmail portals, allowing the group to access the email mailboxes of government entities in Europe.
Proofpoint, an enterprise security firm, is tracking the activity under its name, TA473 (UAC-0114). The firm describes TA473 as an adversarial crew whose operations align with Russian and Belarussian geopolitical objectives.
Despite its lack of sophistication, the group has been linked to recent attacks targeting state authorities of Ukraine and Poland, government officials in India, Lithuania, Slovakia, and even the Vatican.
The group uses scanning tools such as Acunetix to find unpatched webmail portals belonging to targeted companies. They then send phishing emails under the guise of benign government agencies, with messages containing booby-trapped URLs.
These findings coincide with revelations that at least three Russian intelligence agencies (FSB, GRU, and SVR) use software and hacking tools designed by a Moscow-based IT contractor called NTC Vulkan.
This includes frameworks like Scan, Amesit, and Krystal-2B, which simulate coordinated IO/OT attacks against rail and pipeline control systems.
Mandiant, a threat intelligence firm, notes that contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services in inventing abilities to deploy more efficient functions within the beginning of the attack lifecycle, a part of procedures often concealed from sight.