The Russia-aligned advanced persistent threat (APT) known as Winter Vivern has been observed conducting espionage campaigns targeting government organizations and a private telecommunication organization.
Security researchers at SentinelOne shared details about the new campaign in an advisory published on Thursday. The APT activity was first identified by DomainTools in early 2021 and then further described by Lab52 months later.
“The group has avoided public disclosure since then, until recent attacks targeting Ukraine,” wrote threat researcher Tom Hegel in the SentinelOne advisory. “A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114.”
According to Hegel, Winter Vivern’s activity aligns with the global objectives and interests of the Belarusian and Russian governments.
“Recently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs and individuals within the Indian government,” reads the advisory. “Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations, that support Ukraine in the ongoing war.”
Hegel further explained that Winter Vivern tailors its tactics to each targeted organization, increasing the likelihood that its phishing lures and malicious documents succeed.
“Winter Vivern’s tactics have included the use of malicious documents, often crafted from authentic government documents publicly available or tailored to specific themes,” wrote the malware researcher. “More recently, the group has utilized a new lure technique that involves mimicking government domains to distribute malicious downloads.”
Because of this ability to lure targets into the attacks, the SentinelOne team believes the APT to be a “formidable force” in the cyber domain.
“Their ability to lure targets into the attacks and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations,” Hegel wrote.
The SentinelOne advisory comes days after security experts noted how Russia’s cyber tactics in Ukraine were observed shifting to focus on espionage.