An advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
“TA473 since at least February 2023 has continued to exploit an unpatched Zimbra vulnerability in public-facing webmail portals that allowed them to gain access to the email mailboxes of government entities in Europe,” Proofpoint said in a new report.
The enterprise security firm is tracking the activity under its own moniker TA473 (aka UAC-0114), describing it as an adversarial crew whose operations align with Russian and Belarusian geopolitical objectives.
What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting Ukrainian and Polish state authorities as well as government officials in India, Lithuania, Slovakia and the Vatican.
The campaign also involves using scanning tools such as Acunetix to identify unpatched webmail portals belonging to targeted organizations, with the goal of sending phishing emails under the guise of benign government agencies.
“TA473’s persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting public-facing webmail portals was a key factor in this actor’s success,” said Proofpoint.
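The scanning described above leaves a footprint in the webmail portal's own access logs. As an added example (not code from the article, from Proofpoint, or from any tool named here), the Python script below flags likely scanner sources in combined-format web-server logs on two independent signals: a known scanner marker in the User-Agent header, and the behavioural pattern of many requests to many distinct paths with a high share of 4xx responses, which catches scanners that spoof a browser user agent. The user-agent marker list, the thresholds and every log line are constructed assumptions for illustration, not real traffic or vendor signatures.

```python
"""Heuristic detection of web-vulnerability scanning against a webmail portal."""
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: substrings that identify common scanners when they do not spoof a
# browser user agent. Not taken from the article; tune to your own environment.
SCANNER_UA_MARKERS = ("acunetix", "nikto", "sqlmap", "nuclei")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_requests=15, min_distinct_paths=10, min_error_ratio=0.5):
    """Group requests by source IP and return {ip: [reasons]} for suspicious sources."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        # Signal 1: the scanner announces itself in the User-Agent header.
        uas = {r["ua"].lower() for r in recs}
        hits = sorted({m for ua in uas for m in SCANNER_UA_MARKERS if m in ua})
        if hits:
            reasons.append("scanner user-agent: " + ", ".join(hits))
        # Signal 2: brute-force path discovery, independent of the User-Agent.
        paths = {r["path"].split("?", 1)[0] for r in recs}
        errors = sum(1 for r in recs if r["status"].startswith("4"))
        if (len(recs) >= min_requests and len(paths) >= min_distinct_paths
                and errors / len(recs) >= min_error_ratio):
            reasons.append(f"path discovery: {len(recs)} requests, {len(paths)} paths, "
                           f"{errors} 4xx responses")
        if reasons:
            findings[ip] = reasons
    return findings


def make_line(ip, path, status, ua, minute):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return (f'{ip} - - [28/Mar/2023:10:{minute:02d}:00 +0000] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/111.0 Safari/537.36")
# Generic path-discovery probes a scanner might try; constructed, not from any tool.
PROBE_PATHS = ["/admin/", "/manager/html", "/.env", "/wp-login.php", "/phpmyadmin/",
               "/.git/config", "/backup.zip", "/config.php", "/server-status",
               "/cgi-bin/", "/api/", "/login.jsp", "/console/", "/actuator/health",
               "/xmlrpc.php", "/old/", "/test/", "/dev/"]

# Constructed sample traffic:
#  - 198.51.100.7: a legitimate user loading the Zimbra web client
#  - 203.0.113.5: browser-like UA, but 18 probes returning 404 plus two real pages
#  - 203.0.113.9: a couple of requests that announce a scanner in the User-Agent
SAMPLE_LOG = (
    [make_line("198.51.100.7", "/", 302, BROWSER_UA, 0),
     make_line("198.51.100.7", "/zimbra/", 200, BROWSER_UA, 1),
     make_line("198.51.100.7", "/zimbra/js/zimbraMail_all.js", 200, BROWSER_UA, 1),
     make_line("198.51.100.7", "/service/soap/", 200, BROWSER_UA, 2)]
    + [make_line("203.0.113.5", p, 404, BROWSER_UA, 10 + k) for k, p in enumerate(PROBE_PATHS)]
    + [make_line("203.0.113.5", "/zimbra/", 200, BROWSER_UA, 28),
       make_line("203.0.113.5", "/", 302, BROWSER_UA, 29)]
    + [make_line("203.0.113.9", "/zimbra/", 200, "Mozilla/5.0 (compatible; acunetix-style-scanner)", 30),
       make_line("203.0.113.9", "/robots.txt", 404, "Mozilla/5.0 (compatible; acunetix-style-scanner)", 31)]
)

if __name__ == "__main__":
    for src, why in analyze(SAMPLE_LOG).items():
        print(src, "->", "; ".join(why))
```

The behavioural signal matters more than the user-agent list: a scanner run against a real Zimbra portal will usually present a browser user agent, so the path-discovery heuristic is what surfaces it, and the thresholds should be set from a baseline of your own portal's normal traffic.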
The findings come amid revelations that at least three Russian intelligence agencies, including the FSB, GRU (associated with Sandworm), and SVR (associated with APT29), likely used hacking software and tools developed by a Moscow-based IT contractor called NTC Vulkan.
These include frameworks such as Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).
“Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with multiple IO components by leveraging Amesit ‘for jamming purposes,'” Google’s Mandiant said.
“The projects contracted to NTC Vulkan provide insight into investments by Russian intelligence services to develop capabilities to deploy operations more efficiently early in the attack lifecycle, a part of operations that is often hidden from our view,” the threat intelligence firm added.