Winter Vivern

Description

(SentinelLabs) The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string “wintervivern,” which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern.

The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details. Overall, we find that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks. Our analysis indicates that Winter Vivern activity aligns closely with global objectives that support the interests of Belarus and Russia’s governments.

Also see MoustachedBouncer.

Names

Name	Name-Giver
Winter Vivern	SentinelLabs
UAC-0114	CERT-UA
TA473	Proofpoint
UNC4907	Mandiant
TAG-70	Recorded Future

Country

• Unknown

Motivation

• Information theft and espionage

First Seen

2020

Observed Sectors

• Defense
• Government

Observed Countries

• Georgia
• India
• Lithuania
• Moldova
• Poland
• Slovakia
• Tunisia
• Ukraine
• USA
• Uzbekistan
• Europe

Tools

• APERETIF

Operations

• 2023 Early: Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability
• 2023-07: Zimbra 0-day used to target international government organizations https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/
• 2023-10: Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/
• 2023-10: Russia-Aligned TAG-70 Targets European Government and Military Mail Servers in New Espionage Campaign https://go.recordedfuture.com/hubfs/reports/cta-2024-0217.pdf

Information

• https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/
• https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/
• https://lab52.io/blog/winter-vivern-all-summer/

Other Information

Uuid

7b427e8e-151d-4f6e-9b4f-89cbb92e82bd

Last Card Change

2024-03-07