The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report.
The enterprise security firm is tracking the activity under its own moniker TA473 (aka UAC-0114), describing it as an adversarial crew whose operations align with those of Russian and Belarusian geopolitical objectives.
What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican.
This also involves employing scanning tools like Acunetix to identify unpatched webmail portals belonging to targeted organizations, with the goal of sending phishing emails under the guise of benign government agencies.
"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint said.
The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.
This includes frameworks like Scan (to map adversary networks and facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).
"Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit 'for the purpose of disruption,'" Google-owned Mandiant said.
"The contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services into developing capabilities to deploy more efficient operations within the beginning of the attack lifecycle, a piece of operations often hidden from our view," the threat intelligence firm added.
French cybersecurity company SEKOIA.IO, in its own analysis of the cyber offensive tools, described Amesit as an "information system" designed to create, distribute, and amplify information through multiple channels such as SMS, social media, blogs, and forums.
It also includes features to intercept, block, and alter communications passing through telecommunication equipment such as switches and routers, and even redirect ISP subscribers to specific websites.
"Amesit is an illustration of the Russian information warfare doctrine, a concept which looks for strategic gains through the combination of offensive cyber operations, electronic warfare, psychological operations, and information operations," SEKOIA.IO said.