Phishing Campaign Tied to Russia-Aligned Cyberespionage

US and European Officials Among the Targets of TA473/Winter Vivern, Researchers Say
Red Square in Moscow (Image: kishjar via Flickr/CC)

A hacking group with apparent ties to Russia or Belarus has been using "simple yet effective attack techniques and tools" to gain access to multiple governments' email systems, researchers warn. They say the group's recent activities appear to be largely focused on cyberespionage operations in support of Russia's invasion of Ukraine.

Recent targets of the group have included U.S. elected officials and staffers, multiple European governments - including Ukrainian and Italian foreign ministry officials - plus Indian government officials and private telecommunications firms that support Ukraine, researchers at security firms Proofpoint and SentinelOne report.

One of the attack group's campaigns that has been active since at least last month has been scanning for public-facing, hosted Zimbra portals that have not yet been patched to fix a cross-site scripting vulnerability, designated CVE-2022-27926, present in Zimbra Collaboration version 9.0, Proofpoint reports.

"The goal of this activity is assessed to be gaining access to the emails of military, government and diplomatic organizations across Europe" who are working with Ukraine to repel Russia's invasion, Proofpoint researchers say in the report. They add that for each different target, the attackers first conduct reconnaissance and create customized JavaScript payloads, designed to mimic the look and feel of the Zimbra portal being targeted. These payloads then get served up in emails "purporting to be relevant benign government resources."

Zimbra Collaboration, which until 2019 was known as the Zimbra Collaboration Suite, is email and collaboration software for Linux that also includes a productivity suite.

Last month, Ukraine's State Service of Special Communications and Information Protection reported in its assessment of 2022 hack attacks against Ukraine that attackers had been regularly targeting unpatched Zimbra systems.

In some cases, SSSCIP said, hackers would exploit hosted Zimbra portals as part of island hopping attacks, seeking to move through a chain of victims to eventually access their desired target, which might be government systems or energy systems they would try to disrupt.

TA473, aka UAC-0114, Winter Vivern

Proofpoint refers to the threat actor group behind the recent Zimbra campaign as TA473, while the Computer Emergency Response Team of Ukraine, CERT-UA, tracks the group as UAC-0114. Some security firms refer to it as Winter Vivern.

"This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe," said Michael Raggi, a threat researcher at Proofpoint.

The "resource-limited but highly creative group" remains notable for its ability to amass victims "using simple yet effective attack techniques and tools," Tom Hegel, a senior threat researcher with SentinelOne, said in a recent report.

The group was first publicly detailed in April 2021 by DomainTools, which identified a campaign using malicious documents to target "Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine and the Vatican." It named the group "Winter Vivern" based on a malicious macro that called out to a now-defunct directory named "wintervivern" on the secure-daddy[.]com file-hosting service to receive command-and-control instructions.

Earlier this month, researchers at SentinelOne reported that after appearing to go quiet - or else unnoticed - for much of 2021 and 2022, the group reappeared later last year with campaigns targeting Ukraine.

Last month, CERT-UA and Poland's CERT warned that the group had been behind attacks that used phishing sites designed to look like the websites of Ukraine's Security Service and the Polish Police. "A similar fraudulent web page was spotted impersonating the mail portal of the Ministry of Defense of Ukraine back in June 2022," they said.

The goal of the attacks, said CERT-UA, appeared to be to achieve persistence on systems and to exfiltrate files as part of an apparent cyberespionage campaign.

Highly Customized Payloads

Security experts say the threat group might not be flashy, but it seems to be very successful. "Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations," SentinelOne says.

Proofpoint says the newly spotted campaign targeting CVE-2022-27926 in Zimbra appears to have taken a substantial amount of time to develop, since the JavaScript attack payloads have been customized for every target. "These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations," the researchers say.

When running a phishing campaign, they say, the group typically sends emails from legitimate WordPress-hosted domains it has exploited but spoofs the address to make it appear as if it has come from a relevant peer organization to the target. The body of the email will typically include a "benign URL" that links to "actor-controlled or compromised infrastructure" that then pushes a downloader to install malware or redirects to a site designed to harvest the user's credentials.
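The sender spoofing described above is exactly what DMARC alignment checks are meant to surface: the visible From domain claims a peer organization while the envelope sender is the compromised WordPress host. The following added example (not from Proofpoint or the original article) parses a constructed message and compares the From domain with the Return-Path and the receiving MTA's Authentication-Results verdict; all domains and addresses are placeholders.

```python
import re
import email
from email import policy

# Constructed sample message (all hosts and addresses are placeholders):
# the visible From domain differs from the envelope sender, and the
# receiving MTA recorded a DMARC failure for the From domain.
SAMPLE_MESSAGE = """\
Return-Path: <wordpress@compromised-blog.example>
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=compromised-blog.example;
 dkim=none;
 dmarc=fail (p=reject) header.from=peer-ministry.example
From: "Policy Desk" <desk@peer-ministry.example>
To: staffer@recipient.example
Subject: Updated briefing documents

Please review the attached resources.
"""


def org_domain(domain: str) -> str:
    """Crude organizational domain (last two labels); adequate for this demo,
    a real deployment would use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_sender_alignment(raw: str) -> dict:
    """Return findings comparing the From domain with the envelope sender and
    the MTA's DMARC verdict. 'suspicious' is True when the domains are not
    aligned (relaxed mode) or the MTA reported anything but dmarc=pass."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    return_path = str(msg["Return-Path"] or "")
    envelope_domain = return_path.strip("<> ").rpartition("@")[2].lower()
    auth_results = str(msg["Authentication-Results"] or "").lower()
    match = re.search(r"dmarc=(\w+)", auth_results)
    dmarc = match.group(1) if match else "none"
    aligned = bool(envelope_domain) and org_domain(envelope_domain) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "aligned": aligned,
        "dmarc": dmarc,
        "suspicious": (not aligned) or dmarc != "pass",
    }


if __name__ == "__main__":
    print(check_sender_alignment(SAMPLE_MESSAGE))
```

The same function flags a message as clean only when the envelope and From domains share an organizational domain and the MTA recorded dmarc=pass, which is the condition a mail gateway should require before trusting a sender that claims to be a peer government body.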

Proofpoint says TA473's latest phishing campaign is largely similar to attacks the group previously crafted to target a cross-site scripting vulnerability in Zimbra, designated CVE-2021-35207, that was patched in July 2021.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
