Winter Vivern: Uncovering a wave of global espionage
March 2023 by SentinelLabs
The Winter Vivern Advanced Persistent Threat (APT) is a noteworthy yet relatively under-reported group that operates with pro-Russian objectives. DomainTools first publicised the group in early 2021, naming it after a command-and-control beacon URL string, "wintervivern", which is no longer in use. Lab52 published additional analysis several months later, identifying new activity associated with Winter Vivern. The group then avoided public disclosure until its recent attacks targeting Ukraine.
Part of a Winter Vivern campaign was reported in recent weeks by the Polish CBZC, and then by the Ukrainian CERT under the designation UAC-0114. CERT-UA and the CBZC collaborated on the release of private technical details, which assisted SentinelLabs' research in identifying a wider set of activity by this threat actor, including new victims and previously unknown technical details.
Overall, SentinelLabs found that the Winter Vivern APT is a resource-limited but highly creative group that shows restraint in the scope of its attacks. The analysis indicates that Winter Vivern activity aligns closely with global objectives that support the interests of the governments of Belarus and Russia.
Analysis of Winter Vivern’s past activity indicates that the APT has targeted various government organisations since 2021, including those in Lithuania, India, Vatican, and Slovakia.
Recently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ministry of Foreign Affairs of Ukraine, the Ministry of Foreign Affairs of Italy, and individuals within the Indian government. Of particular interest is the APT's targeting of private businesses, including telecommunications organisations that support Ukraine in the ongoing war.
• SentinelLabs has conducted an investigation into Winter Vivern Advanced Persistent Threat (APT) activity, building on observations made by the Polish CBZC and the Ukrainian CERT. Its research has uncovered a previously unknown set of espionage campaigns and targeting activities conducted by this threat actor.
• SentinelLabs’ analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments. The APT has targeted a variety of government organisations, and in a rare instance, a private telecommunication organisation.
• The threat actor employs various tactics, such as phishing websites, credential phishing, and the delivery of malicious documents, with lures tailored to the targeted organisation. These lead to the deployment of custom loaders and malicious documents, which enable unauthorised access to sensitive systems and information.
The Winter Vivern threat actor has successfully carried out its attacks using simple yet effective techniques and tools. Its ability to lure targets, and its focus on governments and high-value private businesses, demonstrate the sophistication and strategic intent behind its operations. Its dynamic set of TTPs and its ability to evade the public eye have made it a formidable force in the cyber domain.