Ukraine, Lithuania, and Vatican among targets of pro-Russian digital spies, claims analyst


A previously undetected cyber-espionage campaign, thought to be aligned to Belarusian and Russian interests, has been spotted by analyst SentinelLabs, working off intelligence gleaned by Ukraine and Poland.

The advanced persistent threat (APT) group known as Winter Vivern is believed to be behind the recent campaign, which SentinelLabs said had been targeting governments in Lithuania, India, and even the Vatican using a classic combo of phishing tactics and malware.

“Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments,” said SentinelLabs. “The APT has targeted a variety of government organizations, and in a rare instance, a private telecommunication organization.”

Other recently observed targets included Polish government agencies, the Italian and Ukrainian foreign ministries, and “private businesses, including telecommunications organizations that support Ukraine in the ongoing war.” SentinelLabs said its research into Vivern was based on insights gleaned from Poland and Ukraine.

“Winter Vivern’s tactics have included the use of malicious documents, often crafted from authentic government documents publicly available or tailored to specific themes,” said the analyst. “More recently, the group has utilized a new lure technique that involves mimicking government domains to distribute malicious downloads.”
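The lure technique SentinelLabs describes, domains that mimic legitimate government sites, is one a mail gateway or SOC can screen for before a user ever clicks. The script below is an added example written for this article (it is not SentinelLabs' code and has nothing to do with Winter Vivern's own tooling); it takes a constructed allow-list of legitimate domains and constructed sample lure URLs and classifies each hostname as legitimate, a real domain used as a leading subdomain of an attacker-controlled one, a homoglyph or single-character lookalike, or a brand name embedded in an unrelated domain. The allow-list, the confusable table and every URL are illustrative values, not indicators from the report.

```python
"""Triage URLs from suspected lures for government-domain impersonation.

Added example for this article; not SentinelLabs' or the threat actor's code.
All domains, URLs and substitution tables below are constructed samples.
"""
from urllib.parse import urlparse

# Constructed allow-list: the real hostnames an organisation expects to see.
LEGITIMATE_DOMAINS = {"gov.pl", "mfa.gov.ua", "esteri.it", "vatican.va"}

# Constructed table of character substitutions typical of lookalike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalise(host: str) -> str:
    """Lower-case a hostname and fold common confusable characters."""
    h = host.lower()
    for bad, good in CONFUSABLES.items():
        h = h.replace(bad, good)
    return h


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str):
    """Return (verdict, matched_legitimate_domain_or_None) for one hostname."""
    host = host.lower().rstrip(".")
    # 1. Exact match or a genuine subdomain of an allow-listed domain.
    for legit in LEGITIMATE_DOMAINS:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    # 2. Real domain placed as the leading labels of an unrelated domain,
    #    e.g. mfa.gov.ua.<attacker-domain>, so the familiar name is what the user reads.
    for legit in LEGITIMATE_DOMAINS:
        if host.startswith(legit + "."):
            return ("subdomain_impersonation", legit)
    # 3. One edit away after confusable folding (g0v.pl, vatlcan.va).
    for legit in LEGITIMATE_DOMAINS:
        if edit_distance(normalise(host), normalise(legit)) <= 1:
            return ("lookalike", legit)
    # 4. Brand name with dots turned into hyphens inside another domain.
    for legit in LEGITIMATE_DOMAINS:
        if legit.replace(".", "-") in host:
            return ("embedded_brand", legit)
    return ("unrelated", None)


def scan_urls(urls):
    """Classify the hostname of each URL; returns (url, verdict, matched) tuples."""
    results = []
    for url in urls:
        host = urlparse(url).hostname or ""
        verdict, matched = classify_host(host)
        results.append((url, verdict, matched))
    return results


# Constructed sample URLs standing in for links extracted from a lure document.
SAMPLE_LURE_URLS = [
    "https://mfa.gov.ua/news/123.pdf",
    "https://mfa.gov.ua.download-center.example/doc.exe",
    "https://vatlcan.va/letter.doc",
    "https://g0v.pl/file",
    "https://gov-pl-documents.example/form.docm",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict, matched in scan_urls(SAMPLE_LURE_URLS):
        print(f"{verdict:24} {matched or '-':12} {url}")
```

The output is a triage signal, not a verdict: short allow-listed names are one edit away from other real domains (gov.pl versus gov.pt, for instance), so anything flagged as a lookalike should be checked against registration data or a public-suffix-aware allow-list before it is blocked.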

In another attack that SentinelLabs said had flown lower under the radar, credential-phishing web pages were set up to target Indian government workers by imitating that country’s legitimate government email service.

Winter Vivern is believed to have been active since at least 2021.

[Image] Screenshot taken by SentinelLabs of a phishing page targeting Indian government workers, which it believes is the work of the pro-Russian group Winter Vivern.

Ukraine targeted

Vivern is also thought to have gone after Ukraine’s “I Want To Live” project, which counsels its combatants on how to accept the surrender of Russian and Belarusian soldiers seeking to give up hostilities.

“When the threat actor seeks to compromise the organization beyond the theft of legitimate credentials, Winter Vivern tends to rely on shared toolkits, and the abuse of legitimate Windows tools,” the analyst said of Vivern’s malware-related attacks.

Describing the threat actor as somewhat low-grade in technological sophistication but no less determined for all that, it added: “Winter Vivern APT falls into a category of scrappy threat actors, being quite resourceful and able to accomplish a lot with potentially limited resources while willing to be flexible and creative in their approach to problem-solving.”

The threat group has used this resourcefulness to develop an attack playbook of tactics, techniques and procedures (TTPs) that can be quite formidable when deployed against the unwary.

“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations,” said SentinelLabs. “The dynamic set of TTPs and their ability to evade the public eye has made them a formidable force in the cyber domain.”
