Winter Vivern (UAC-0114) – Threat Actor

 

Overview

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.

The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in January 2023 by the Polish CBZC, and then the Ukraine CERT as UAC-0114. Researchers have observed Winter Vivern exploiting Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia Ukrainian War. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online. Now, Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.

Common targets

Proofpoint since 2021 has observed a concerted focus on European government, military, and diplomatic entities in active phishing campaigns. However, in late 2022, Proofpoint researchers also observed phishing campaigns that targeted elected officials and staffers in the United States. Since the onset of the Russia-Ukraine War, researchers have observed a commonality among observed targets, social engineering lures, and impersonated individuals. Often targeted individuals are experts in facets of European politics or economy as it pertains to regions impacted by the ongoing conflict. Social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict.

Attack Vectors

To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor. Since the onset of the Russia-Ukraine War, researchers have observed a commonality among observed targets, social engineering lures, and impersonated individuals.

How they operate

Researchers have observed Winter Vivern exploiting Zimbra and Roundcube vulnerabilities hosted webmail portals. The goal of this activity is assessed to be gaining access to the emails of military, government, and diplomatic organizations across Europe involved in the Russia Ukrainian War. The group utilizes scanning tools like Acunetix to identify unpatched webmail portals belonging to these organizations to identify viable methods for targeting victims. Following initial scanning reconnaissance, the threat actors deliver phishing emails purporting to be relevant benign government resources, which are hyperlinked in the body of the email with malicious URLs that abuse known vulnerability to execute JavaScript payloads within victim’s webmail portals. Further, the threat actors appear to invest significant time studying each webmail portal instance belonging to their targets as well as writing bespoke JavaScript payloads to conduct Cross Site Request Forgery. These labor-intensive customized payloads allow actors to steal usernames, passwords, and store active session and CSRF tokens from cookies facilitating the login to publicly facing webmail portals belonging to NATO-aligned organizations.

MITRE ATT&CK Techniques

• Initial Access: Phishing (T1566)
• Execution: Exploitation for Client Execution (T1203)
• Persistence: Valid Accounts (T1078)
• Credential Access: Exploitation for Credential Access (T1212)
• Credential Access: Input Capture (T1056)
• Discovery: File and Directory Discovery (T1083)
• Collection: Email Collection (T1114)
• Command and Control: Non-Standard Port (T1571)

 

References:

• Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages
• Activity of the group UAC-0114 (Winter Vivern) in relation to the state bodies of Ukraine and Poland (CERT-UA#5909)
• UAC-0114 Group aka Winter Vivern Attack Detection: Hackers Launch Phishing Campaigns Targeting Government Entities of Ukraine and Poland
• Winter Vivern | Uncovering a Wave of Global Espionage
• Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
• Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
• Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign