TA473

Threat Actor Profile Updated 3 months ago
TA473, also known as Winter Vivern and UAC-0114, is a Russian advanced persistent threat (APT) group that has been active since at least February 2023. The group focuses on cyber espionage in support of Russian and Belarusian geopolitical objectives, especially in the context of the Russia-Ukraine conflict. TA473 has targeted NATO countries, US elected officials and their staffers, compromising email accounts by exploiting vulnerabilities in unpatched Zimbra endpoints and Roundcube webmail software. Researchers at Proofpoint, who track the group, have observed TA473 exploiting the Zimbra vulnerability CVE-2022-27926 to abuse publicly facing Zimbra-hosted webmail portals.

In October 2023, TA473 was observed exploiting a zero-day flaw in Roundcube webmail software, specifically targeting Roundcube webmail request tokens. This led to a series of attacks across Europe, particularly in Ukraine, Poland and Georgia. At least 80 critical infrastructure, government and military organizations were targeted, spanning sectors from transport and education to chemical and biological research. The exploitation combined sophisticated social engineering with JavaScript payloads unique to the targeted webmail portal.

By February 2024, the scale of TA473's operations had expanded significantly, with dozens of European organizations targeted through the exploitation of cross-site scripting (XSS) vulnerabilities affecting Roundcube email servers. According to reports from SecurityWeek and SC Magazine, these attacks affected critical infrastructure, government and military organizations across Europe. Despite the wide range of targets, TA473's operations continue to align primarily with Russian and/or Belarusian geopolitical goals.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be relevant.
ID | Votes | Profile Description
Winter Vivern | 4 | Winter Vivern is a threat actor group that has recently been active in the cybersecurity landscape. This group, which is believed to align with the interests of Belarus, has been involved in a series of malicious activities targeting different entities. They have notably exploited a zero-day vulnera
Miscellaneous Associations
Other elements of context that may help assess relevance
Apt
Zimbra
roundcube
Exploit
JavaScript
Reconnaissance
Phishing
exploitation
XSS (Cross S...
Exploits
Payload
Ukraine
Nato
Russia
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2022-27926 | has used | 4 | CVE-2022-27926 is a software vulnerability identified in Zimbra instances. This flaw in software design or implementation has been exploited by Winter Vivern (also known as TA473), a Russian hacking group, to gain unauthorized access to sensitive email communications. The targets of this cyber espio
CVE-2021-35207 | has used | 1 | None
Source Document References
Information about the TA473 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 5 months ago | Six steps for stronger cloud security
CERT-EU | 5 months ago | Dozens of European orgs targeted by Russian attacks exploiting Roundcube flaws
DARKReading | 5 months ago | Russian APT 'Winter Vivern' Targets European Governments, Military
Securityaffairs | 9 months ago | Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks
CERT-EU | 9 months ago | Russian Hackers Caught Exploiting Roundcube Webmail Zero-Day
CERT-EU | a year ago | Winter Vivern Hackers Exploit Zimbra Flaw to Siphon NATO Emails | IT Security News
CERT-EU | a year ago | NATO countries targeted by Winter Vivern via Zimbra vulnerability
Securityaffairs | a year ago | CISA adds Zimbra bug exploited in attacks against NATO countries to its Known Exploited Vulnerabilities catalog
CERT-EU | a year ago | Manually patch this Zimbra bug that's under attack
CERT-EU | a year ago | Windows, Linux systems subjected to Chinese state-backed cyberattacks
CERT-EU | a year ago | Zimbra email platform vulnerability exploited to steal European govt emails
ESET | 10 months ago | Mass-spreading campaign targeting Zimbra users
CERT-EU | 9 months ago | European Governments Email Servers Targeted by Threat Actors
CERT-EU | 9 months ago | Roundcube 0-day used to steal European government emails
CERT-EU | 9 months ago | Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks
CERT-EU | 9 months ago | Russian hacking group seen exploiting Roundcube webmail zero-day
CSO Online | a year ago | APT group Winter Vivern exploits Zimbra webmail flaw to target government entities
Securityaffairs | a year ago | Russian group Winter Vivern targets email portals of NATO and diplomats
CERT-EU | a year ago | NATO and Diplomats' Email Portals Targeted by Russian APT Winter Vivern