Winter Vivern, an advanced persistent threat (APT) actor, has expanded its cyber espionage campaign by targeting officials in Europe and the U.S. This campaign involves leveraging an unpatched Zimbra vulnerability in publicly facing webmail portals, allowing the group to access the email mailboxes of government entities in Europe.

Proofpoint, an enterprise security firm, is tracking the activity under its name, TA473 (UAC-0114). The firm describes TA473 as an adversarial crew whose operations align with Russian and Belarussian geopolitical objectives. 

Despite its lack of sophistication, the group has been linked to recent attacks targeting state authorities of Ukraine and Poland, government officials in India, Lithuania, Slovakia, and even the Vatican.

The group uses scanning tools such as Acunetix to find unpatched webmail portals belonging to targeted companies. They then send phishing emails under the guise of benign government agencies, with messages containing booby-trapped URLs. 

Also Read: “MacStealer Malware Strikes: iCloud Keychain Data and Passwords at Risk for Apple Users.”

These URLs manipulate the cross-site scripting (XSS) error in Zimbra to manage custom Base64-encoded JavaScript payloads within victims’ webmail portals, allowing the group to exfiltrate usernames, passwords, and access tokens.

Each JavaScript payload is monitored to the targeted webmail portal, indicating that the group is willing to invest time and resources to decrease the possibility of detection. According to Proofpoint, TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities is a key factor in its success.

These findings coincide with revelations that at least three Russian intelligence agencies (FSB, GRU, and SVR) use software and hacking tools designed by a Moscow-based IT contractor called NTC Vulkan. 

This includes frameworks like Scan, Amesit, and Krystal-2B, which simulate coordinated IO/OT attacks against rail and pipeline control systems.

Mandiant, a threat intelligence firm, notes that contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services in inventing abilities to deploy more efficient functions within the beginning of the attack lifecycle, a part of procedures often concealed from sight.