Researchers from security firms Proofpoint and SentinelOne have warned of a hacking group with apparent links to Russia or Belarus that has been using simple yet effective tools to gain access to email systems of multiple governments.
The group’s recent activities have focused on cyberespionage operations in support of Russia’s invasion of Ukraine.
Targets include US elected officials and staffers, multiple European governments, Indian government officials, and private telecommunications firms supporting Ukraine. The group has been scanning for public-facing, hosted Zimbra Collaboration webmail portals that have not yet been patched against a known cross-site scripting vulnerability (CVE-2022-27926), which it abuses to steal credentials from the webmail session. Its goal is to read the mail of military, government, and diplomatic organizations across Europe that are working with Ukraine to repel Russia’s invasion.
The attack group, referred to as TA473 by Proofpoint, has been tenacious in targeting American and European officials, as well as military and diplomatic personnel in Europe. The group is known for its ability to amass victims using simple yet effective attack techniques and tools. Tom Hegel, a senior threat researcher with SentinelOne, describes the group as resource-limited but highly creative.
The group was first documented in April 2021, when DomainTools identified a campaign using malicious documents to target Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and the Vatican. DomainTools named it “Winter Vivern” after a malicious macro that called out to a now-defunct directory named “wintervivern.”
Security experts say the group’s consistent focus on governments and high-value private businesses demonstrates strategic intent despite its modest tooling. They also note the group’s skill at luring targets into opening its messages and following its links.
The group’s phishing campaigns typically send emails from legitimate WordPress-hosted domains it has compromised, while spoofing the From address so the message appears to come from a peer organization relevant to the target. The body of the email typically carries a benign-looking URL that points at actor-controlled or compromised infrastructure, which then either pushes a downloader that installs malware or redirects the victim to a page designed to harvest their credentials.
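The tradecraft described above leaves a recognisable trace: the visible From domain does not match the Return-Path or the relaying host, and the embedded link points at a third-party WordPress site rather than the claimed sender. The following Python script is an added triage example written for this page, not tooling from Proofpoint, SentinelOne or the threat actor. Both messages it parses are constructed samples (the domains and IPs are reserved example values), and the `/wp-content/`-style path markers are an assumed heuristic for a WordPress-hosted link, not an indicator taken from the reports.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real capture): the From header claims a peer
# government domain, but Return-Path and Received show a WordPress host
# handed the mail over, and the link lands on that same host.
PHISH_EMAIL = """\
Return-Path: <wordpress@blog.example-compromised.com>
Received: from blog.example-compromised.com (blog.example-compromised.com [203.0.113.10])
    by mx.target.example (Postfix) with ESMTPS id ABC123
From: "Ministry Liaison" <liaison@ministry.example.gov>
To: officer@target.example
Subject: Updated coordination notes
Content-Type: text/plain; charset=utf-8

Please review the updated notes at
https://blog.example-compromised.com/wp-content/uploads/notes.php?id=7
Regards
"""

# Constructed benign sample: every header and the link agree on one domain.
CLEAN_EMAIL = """\
Return-Path: <liaison@ministry.example.gov>
Received: from mail.ministry.example.gov (mail.ministry.example.gov [198.51.100.5])
    by mx.target.example (Postfix) with ESMTPS id DEF456
From: "Ministry Liaison" <liaison@ministry.example.gov>
To: officer@target.example
Subject: Coordination notes
Content-Type: text/plain; charset=utf-8

Notes: https://portal.ministry.example.gov/notes/7
"""

# Assumed heuristic: URL paths typical of a WordPress install.
WORDPRESS_PATH_MARKERS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


def header_domain(msg, header):
    """Lower-cased domain of the address in `header`, or None if absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def received_hosts(msg):
    """Hostnames that the Received: headers say handed the message over."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([A-Za-z0-9.-]+)", hdr)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def extract_urls(msg):
    """Collect http(s) URLs from every text/* part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        urls.extend(re.findall(r"https?://[^\s<>\"']+", text))
    return urls


def in_domain(host, domain):
    """True if `host` is `domain` or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyse(raw_email):
    """Return a list of findings describing sender/link misalignment."""
    msg = message_from_string(raw_email)
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    hops = received_hosts(msg)
    findings = []

    # Envelope sender disagrees with the displayed From domain.
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender-mismatch: From={from_dom} Return-Path={rp_dom}")
    # No relaying host belongs to the claimed From domain.
    if from_dom and hops and not any(in_domain(h, from_dom) for h in hops):
        findings.append(f"relay-mismatch: From={from_dom} relays={hops}")
    # Links that look WordPress-hosted or live outside the claimed domain.
    for url in extract_urls(msg):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if any(marker in parsed.path for marker in WORDPRESS_PATH_MARKERS):
            findings.append(f"wordpress-hosted-link: {url}")
        if from_dom and host and not in_domain(host, from_dom):
            findings.append(f"link-offdomain: {host} (From={from_dom})")
    return findings


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyse(sample) or ["no findings"])
```

The alignment checks are the same ones SPF and DMARC enforce at the gateway; running them as a mailbox-side triage step catches mail that slipped through because the compromised WordPress host passed its own SPF. Expect `link-offdomain` to fire on legitimate newsletters and shared-document links as well, so treat it as a scoring input rather than a verdict.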