Winter Vivern

Threat Actor updated a month ago (2024-10-21T09:01:55.059Z)
Winter Vivern is a cyberespionage threat actor linked to Russia that has been identified behind a series of attacks on European government organizations. Its targets include government entities as well as military and national-infrastructure bodies across Europe. The group's best-documented technique is the exploitation of cross-site scripting (XSS) vulnerabilities in webmail software to read victims' mailboxes. In October 2023 ESET Research reported that Winter Vivern was exploiting CVE-2023-5631, a then zero-day stored XSS in Roundcube webmail, against European government entities: a specially crafted HTML email triggers the flaw as soon as the recipient views it in the browser, with no further interaction, and the vulnerability was patched in Roundcube 1.6.4, 1.5.5 and 1.4.15. In February 2024 Recorded Future's Insikt Group, which tracks the group as TAG-70, reported a further campaign exploiting Roundcube XSS vulnerabilities against mail servers of organizations in Ukraine, Poland and Georgia, among others. Earlier in 2023 the group had been reported exploiting CVE-2022-27926, a reflected XSS in Zimbra Collaboration, for the same purpose (see the associated vulnerabilities below). These campaigns underscore the ongoing threat posed by Winter Vivern and the need to patch webmail servers promptly and to treat HTML mail as untrusted input.
Description last updated: 2024-10-21T08:39:35.771Z
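Because every campaign above delivers the exploit as HTML mail rendered by a webmail client, one defensive check a practitioner can run is a mail-side scan for active content in HTML parts, including content hidden inside base64 data: URIs that a sanitizer looking only at the outer markup would miss. The following Python script is an added example written for this profile; it is not code from the page or from any vendor report on Winter Vivern. The two sample messages are constructed, and the marker list (script tags, event-handler attributes, javascript: URIs, SVG use elements with data: hrefs, foreignObject) is an assumption-based generic baseline, not a signature for the group's actual payloads.

```python
"""Heuristic scan of raw e-mail for HTML parts that carry active content.

Added example for this profile; not code from the page or from any vendor
report on Winter Vivern.  The sample messages are constructed, and the marker
list is an assumption-based set of generic XSS constructs that a webmail
sanitizer must neutralise before rendering a message in the browser.
"""
import base64
import email
import re
from email import policy

# Generic active-content markers in HTML mail (assumption: a reasonable
# baseline, not a signature for any specific campaign).
ACTIVE_CONTENT = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"""[\s"'/]on[a-z]+\s*=""", re.I),
    "javascript_uri": re.compile(r"""(?:href|src|action)\s*=\s*["']?\s*javascript:""", re.I),
    "svg_use_data_href": re.compile(r"""<\s*use\b[^>]*href\s*=\s*["']?\s*data:""", re.I),
    "foreign_object": re.compile(r"<\s*foreignObject\b", re.I),
}

# base64 data: URIs; their decoded payload is scanned as well.
DATA_B64 = re.compile(r"data:[\w/+.-]*;base64,([A-Za-z0-9+/=]+)", re.I)


def scan_html(html, depth=0, max_depth=2):
    """Return {marker: count} for one HTML body.

    Base64 data: URIs are decoded and scanned recursively, because markup
    nested inside a data: SVG is invisible to a check that only inspects the
    outer document.
    """
    hits = {}
    for name, rx in ACTIVE_CONTENT.items():
        n = len(rx.findall(html))
        if n:
            hits[name] = hits.get(name, 0) + n
    if depth < max_depth:
        for blob in DATA_B64.findall(html):
            try:
                inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            for name, n in scan_html(inner, depth + 1, max_depth).items():
                hits[name] = hits.get(name, 0) + n
    return hits


def html_parts(raw):
    """Yield the decoded text of every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_message(raw):
    """Return {html_part_index: {marker: count}} for parts with findings."""
    findings = {}
    for i, html in enumerate(html_parts(raw)):
        hits = scan_html(html)
        if hits:
            findings[i] = hits
    return findings


# --- constructed sample messages (not real Winter Vivern lures) -------------
INNER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"></svg>'
INNER_B64 = base64.b64encode(INNER_SVG).decode()

SAMPLE_BENIGN = b"""From: alice@example.org
To: bob@example.org
Subject: Agenda
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Bob, the meeting is on Monday.</p>
<img src="https://example.org/logo.png" alt="logo"></body></html>
"""

SAMPLE_SUSPICIOUS = """From: mallory@example.net
To: bob@example.org
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please see the attached document.
--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Please see the attached document.</p>
<svg><use href="data:image/svg+xml;base64,{b64}"></use></svg>
</body></html>
--b1--
""".format(b64=INNER_B64).encode()

if __name__ == "__main__":
    print("benign:", scan_message(SAMPLE_BENIGN))
    print("suspicious:", scan_message(SAMPLE_SUSPICIOUS))
```

The benign message produces no findings; the suspicious one is flagged for the SVG use element with a data: href and, after decoding the embedded blob, for the onload handler hidden inside it. The heuristic will also fire on legitimate newsletters that embed scripts or handlers, so it is a triage signal for mail-gateway or mailbox-export review, not a block rule; the primary control against the campaigns described above remains keeping Roundcube and Zimbra at a patched version.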
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
Alias: TA473 (votes: 4)
Description: TA473 is a possible alias for Winter Vivern. TA473, also known as Winter Vivern and UAC-0114, is a Russian advanced persistent threat (APT) group that has been active since at least February 2023. The group focuses on cyber espionage, supporting Russian and Belarusian geopolitical objectives, especially in the context of the Russia-Ukraine con
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Zimbra
Roundcube
Exploit
Zero-day
Vulnerability
APT
Ukraine
Malware
Russia
Phishing
Government
Spearphishing
JavaScript
SentinelOne
Associated Threat Actors
Threat actor: APT28 (association type: Exploited; votes: 2)
Description: The APT28 threat actor is associated with Winter Vivern. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate (GRU), is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)
Associated Vulnerabilities
Vulnerability: CVE-2022-27926 (association type: Unspecified; votes: 3)
Description: The CVE-2022-27926 vulnerability is associated with Winter Vivern. CVE-2022-27926 is a reflected cross-site scripting (XSS) vulnerability in Zimbra Collaboration. It has been exploited by Winter Vivern (also known as TA473), a Russian hacking group, to gain unauthorized access to sensitive email communications. The targets of this cyber espio
Source Document References
Information about the Winter Vivern threat actor was read from the documents corpus below (display limited to 20 results).
Source (created)
Securityaffairs (a month ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
CERT-EU (9 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
Flashpoint (6 months ago)
ESET (6 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)
BankInfoSecurity (7 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)