The Russian APT “Winter Vivern” targets European governments and militaries

The Russian-aligned group known as Winter Vivern was discovered exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe in October, and now its victims are coming to light.

The group primarily targeted government, military and national infrastructure in Georgia, Poland and Ukraine, according to Recorded Future’s Insikt Group report on the campaign released today.

The report also highlighted additional targets, including the Embassy of Iran in Moscow, the Embassy of Iran in the Netherlands and the Embassy of Georgia in Sweden.

Using sophisticated social engineering techniques, the APT (which Insikt calls TAG-70 and which is also known as TA473 and UAC-0114) exploited a Roundcube zero-day to gain unauthorized access to targeted mail servers in at least 80 separate organizations, ranging from the transportation and education sectors to chemical and biological research organizations.

The campaign is believed to have been used to gather intelligence on European political and military affairs, potentially to gain strategic advantages or undermine European security and alliances, according to Insikt.

The group is suspected of conducting cyberespionage campaigns serving the interests of Belarus and Russia and has been active since at least December 2020.

Winter Vivern’s geopolitical motivations for cyber espionage

The October campaign was linked to previous TAG-70 activity against Uzbek government mail servers, reported by Insikt Group in February 2023.

An obvious motivation for the attack on Ukraine is the conflict with Russia.

“In the context of the ongoing war in Ukraine, compromised email servers may expose sensitive information regarding Ukraine’s war effort and planning, its relations and negotiations with partner countries as it seeks further military and economic assistance, [which] expose third parties privately collaborating with the Ukrainian government and reveal rifts within the coalition supporting Ukraine,” the Insikt report notes.

Meanwhile, the focus on Iranian embassies in Russia and the Netherlands may be tied to the motive of evaluating Iran’s current diplomatic engagements and foreign policy positions, particularly considering Iran’s involvement in supporting Russia in the conflict in Ukraine.

Likewise, the espionage against the Georgian embassy in Sweden and the Georgian Ministry of Defense likely stems from comparable foreign policy-driven objectives, especially as Georgia relaunched its pursuit of membership in the European Union and NATO following Russia's incursion into Ukraine in early 2022.

Other notable targets included organizations involved in the logistics and transportation sectors, which is significant given the context of the war in Ukraine, as strong logistics networks proved crucial for both sides in maintaining their ability to fight.

Defending against cyber espionage is difficult

Cyber-espionage campaigns have intensified: earlier this month, a sophisticated Russian APT launched a campaign of targeted PowerShell attacks against the Ukrainian military, while another Russian APT, Turla, targeted Polish NGOs using a new backdoor malware.

Ukraine, too, launched its own cyberattacks against Russia, targeting the servers of Moscow internet service provider M9 Telecom in January in retaliation for the Russia-backed breach of mobile operator Kyivstar.

But the Insikt Group's report highlights that defending against attacks like these can be difficult, especially when the attackers exploit zero-day vulnerabilities for which no patch yet exists.

However, organizations can mitigate the impact of compromise by encrypting emails end to end, so that a compromised mail server holds only ciphertext rather than readable messages (transport encryption alone does not help once the server itself is in the attacker's hands), and by considering alternative forms of secure communications for transmitting particularly sensitive information.

It is also vital to keep all servers and software patched and up to date, and to train users to open email only from trusted contacts. That last measure has limits against this kind of attack: an XSS payload in a webmail client executes in the user's browser when the message is rendered, so a crafted message that appears to come from a trusted or spoofed sender can trigger it without the user clicking a link or opening an attachment.

Organizations should also limit the amount of sensitive information stored on mail servers by practicing good hygiene and reducing data retention, and limit sensitive information and conversations to more secure high-side systems when possible.
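Reducing retention on the mail server is a concrete control that an operator can automate. The following is an added example, not code from the article or from Recorded Future: it takes a constructed list of message UIDs and their Date headers (the shape an IMAP FETCH of the Date header would return) and computes which messages fall outside a retention window. It treats unparseable dates as a separate bucket rather than silently purging or keeping them, and handles the RFC 5322 "-0000" zone, which Python's parser returns as a naive datetime. The sample data, the NOW constant and the helper names are assumptions for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample data for illustration only: (IMAP UID, Date header) pairs
# as a FETCH of BODY.PEEK[HEADER.FIELDS (DATE)] might return them.
SAMPLE_MESSAGES = [
    (101, "Mon, 02 Jan 2023 09:15:00 +0100"),
    (102, "Tue, 12 Sep 2023 17:40:12 +0300"),
    (103, "Wed, 18 Oct 2023 08:02:33 -0000"),   # "-0000" parses as a naive datetime
    (104, "not a date"),                         # malformed header: never purge blindly
    (105, "Thu, 26 Oct 2023 23:59:59 +0200"),
]

# Fixed "current time" so the example is reproducible (assumption for the demo).
NOW = datetime(2023, 10, 27, 12, 0, tzinfo=timezone.utc)


def message_age_days(date_header, now):
    """Age of a message in whole days, or None if the Date header cannot be parsed."""
    try:
        sent = parsedate_to_datetime(date_header)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:
        # RFC 5322 "-0000" means "no zone information"; assume UTC so the
        # subtraction against an aware 'now' does not raise.
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).days


def select_for_purge(messages, retention_days, now):
    """Split messages into (expired UIDs, unparseable UIDs) for a retention window.

    Messages older than retention_days are candidates for deletion. Messages whose
    Date header does not parse are reported separately so an operator can review
    them instead of the script guessing either way.
    """
    expired, unparseable = [], []
    for uid, date_header in messages:
        age = message_age_days(date_header, now)
        if age is None:
            unparseable.append(uid)
        elif age > retention_days:
            expired.append(uid)
    return expired, unparseable


def purge_plan(retention_days=90):
    """Run the selection over the constructed sample at the fixed NOW."""
    return select_for_purge(SAMPLE_MESSAGES, retention_days, NOW)


if __name__ == "__main__":
    for days in (90, 30):
        expired, bad = purge_plan(days)
        print(f"retention {days}d: purge UIDs {expired}; review unparseable {bad}")
```

In practice the UID list would come from an IMAP SEARCH/FETCH against the server and the expired UIDs would be fed to a STORE \Deleted plus EXPUNGE; the selection logic above is the part worth getting right, in particular the decision to surface unparseable dates rather than fold them into either bucket.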

The report also notes that responsible disclosure of vulnerabilities, particularly those exploited by APT actors such as TAG-70, is crucial for several reasons.

A threat intelligence analyst at Recorded Future’s Insikt Group explained via email that this approach ensures vulnerabilities are patched and resolved quickly before others discover and abuse them, and allows for the containment of exploits by sophisticated attackers, preventing more extensive and rapid damage.

“Ultimately, this approach addresses immediate risks and encourages long-term improvements in global cybersecurity practices,” the analyst explained.
