 |
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
|
สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์ Electronic Transactions Development Agency |
APT group: Winter Vivern| Names | Winter Vivern (SentinelLabs) UAC-0114 (CERT-UA) TA473 (Proofpoint) | |
| Country | [Unknown] | |
| Motivation | Information theft and espionage | |
| First seen | 2021 | |
| Description | (SentinelLabs) The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string “wintervivern,” which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern. The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details. Overall, we find that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks. Our analysis indicates that Winter Vivern activity aligns closely with global objectives that support the interests of Belarus and Russia’s governments. Also see MoustachedBouncer. | |
| Observed | Sectors: Defense, Government. Countries: India, Lithuania, Poland, Slovakia, Ukraine, USA and Europe. | |
| Tools used | APERETIF. | |
| Operations performed | Early 2023 | Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe <https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability> |
| Information | <https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/> <https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/> <https://lab52.io/blog/winter-vivern-all-summer/> | |
Last change to this card: 06 September 2023
Download this actor card in PDF or JSON format
Previous: Winnti Group, Blackfly, Wicked Panda
Next: WIP26
|
Digital Service Security Center Follow us on
|
Report incidents |
|
 |
+66 (0)2-123-1227 | |
 |
[email protected] | |