ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Winter Vivern

Names: Winter Vivern (SentinelLabs)
UAC-0114 (CERT-UA)
TA473 (Proofpoint)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2021
Description: (SentinelLabs) The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively underreported group that operates with pro-Russian objectives. DomainTools initially publicized the group in early 2021, naming it based on an initial command-and-control beacon URL string “wintervivern,” which is no longer in use. Subsequently, Lab52 shared additional analysis several months later, identifying new activity associated with Winter Vivern.

The group has avoided public disclosure since then, until recent attacks targeting Ukraine. A part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then the Ukraine CERT as UAC-0114. In this activity, CERT-UA and the CBZC collaborated on the release of private technical details which assisted in our research to identify a wider set of activity on the threat actor, in addition to new victims and previously unknown specific technical details. Overall, we find that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of their attacks. Our analysis indicates that Winter Vivern activity aligns closely with global objectives that support the interests of Belarus and Russia’s governments.

Also see MoustachedBouncer.
Observed:
Sectors: Defense, Government.
Countries: India, Lithuania, Poland, Slovakia, Ukraine, USA and Europe.
Tools used: APERETIF.
Operations performed:
Early 2023 - Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe
<https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability>
Information:
<https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/>
<https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/>
<https://lab52.io/blog/winter-vivern-all-summer/>

Last change to this card: 06 September 2023
