Cybercrime: Russian hackers attack European governments


Camille Coirault

October 28, 2023 at 5:25 p.m.



A cyberespionage campaign that clearly targets Europe © Stock Adobe

Several European governments find themselves on the front lines facing attacks carried out by a Russian hacker group, Winter Vivern, a cell specializing in cyberespionage.

Digital security in Europe is once again under threat. After a less than reassuring assessment of cybersecurity in 2022, the explosion of cyberattacks continues. This time, we review the offensives carried out by the Winter Vivern group, which is currently targeting European government entities. Their technique? Since October 11, 2023, they have been exploiting a zero-day flaw in Roundcube Webmail, an open-source webmail application released under the GPL and widely used in official institutions.

Winter Vivern, a team of experts

Far from being small-time hackers, Winter Vivern (also tracked as TA473) have shown social engineering and phishing skills that are cause for concern. Their methodology primarily involves injecting malicious JavaScript code through carefully prepared HTML messages and SVG content.

To reach their targets, they craft emails that closely imitate notification messages from the Outlook team. No click is required: simply viewing the message in Roundcube triggers the payload (the part of the attack that performs the harmful action), which exploits a stored cross-site scripting flaw in the way Roundcube sanitizes SVG content in HTML mail. The Roundcube project did not take long to react and fixed the weakness on October 16, 2023; the patched releases close the XSS (Cross-Site Scripting) flaw tracked as CVE-2023-5631. The vulnerability was first spotted by researchers at ESET, a Slovak cybersecurity company.

Using this technique, Winter Vivern exfiltrated a substantial quantity of email from the compromised servers. ESET's researchers explain: "By sending a specially crafted email, attackers can load JavaScript code into the Roundcube user's browser window". Once running in the victim's browser, that JavaScript can enumerate the folders and messages of the webmail session and exfiltrate their contents. A serious threat, especially given the organizations targeted by the group.
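The attack described above follows the generic stored-XSS pattern: a message body carries SVG that smuggles script past the webmail's HTML filter, and the script then runs with the victim's session. As an added example (not Roundcube, ESET or the attackers' code, and not the CVE-2023-5631 payload itself), the Python below scans constructed sample HTML bodies and a constructed MIME message for the vector classes such a payload needs: inline script elements, on* event-handler attributes, and javascript:/data: URIs, including scheme obfuscation by entity encoding or embedded whitespace. The sample messages, the example.test addresses and the function names are all assumptions made for the demo.

```python
"""Heuristic scanner for script-bearing SVG/HTML in email bodies.

Added example for this article; it is not Roundcube, ESET or Winter Vivern
code and does not reproduce the CVE-2023-5631 payload. It flags the generic
vectors a stored-XSS payload carried in a message body needs to execute in
the webmail user's browser: inline <script>, on* event-handler attributes,
and href/src values using javascript: or data: schemes. All sample messages
below are constructed for the demo.
"""
import email
import email.policy
import re
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$")
URI_ATTRS = {"href", "xlink:href", "src"}
RISKY_SCHEMES = ("javascript:", "data:")


class ScriptVectorFinder(HTMLParser):
    """Collects findings while tracking whether we are inside an <svg>."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.svg_depth = 0
        self.findings = []

    def _add(self, kind, tag, attr):
        self.findings.append(
            {"kind": kind, "tag": tag, "attr": attr, "in_svg": self.svg_depth > 0}
        )

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names and decodes entity
        # references in attribute values, so "&#106;avascript:" arrives as
        # "javascript:" here, just as the browser would see it.
        if tag == "svg":
            self.svg_depth += 1
        if tag == "script":
            self._add("script-element", tag, None)
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self._add("event-handler", tag, name)
            elif name in URI_ATTRS and value is not None:
                # Browsers drop leading whitespace and embedded tabs/newlines
                # when parsing a URL scheme; removing all whitespace here
                # over-approximates that so "java\tscript:" cannot slip past.
                scheme = re.sub(r"\s", "", value).lower()
                if scheme.startswith(RISKY_SCHEMES):
                    self._add("uri-scheme", tag, name)

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def scan_html_body(html):
    """Return a list of findings for one HTML body (empty list = nothing flagged)."""
    parser = ScriptVectorFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_message(raw_message):
    """Scan every text/html part of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html_body(part.get_content()))
    return findings


# Constructed samples. Harmless SVG: a blue circle, no script vectors.
BENIGN_BODY = (
    '<html><body><p>Please review the attached report.</p>'
    '<svg width="10" height="10"><circle cx="5" cy="5" r="4" fill="blue"/></svg>'
    '</body></html>'
)

# Constructed: an <image> whose load fails and fires an onerror handler.
HANDLER_BODY = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<image href="x" onerror="alert(document.domain)"/></svg>'
)

# Constructed: scheme obfuscated with a tab, plus a data: URI in <use>.
URI_BODY = (
    '<svg><a href="java\tscript:alert(1)"><text>click</text></a>'
    '<use href="  data:image/svg+xml;base64,PHN2Zz48L3N2Zz4="/></svg>'
)

# Constructed raw message imitating a mail-system notification.
SAMPLE_EML = (
    "From: notifications@example.test\n"
    "To: user@example.test\n"
    "Subject: Your mailbox has new messages\n"
    "MIME-Version: 1.0\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n" + HANDLER_BODY + "\n"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("handler", HANDLER_BODY), ("uri", URI_BODY)]:
        print(label, scan_html_body(body))
    print("mime", scan_message(SAMPLE_EML))
```

The scanner is a triage heuristic for mail logs or quarantined messages, not a replacement for the webmail's own sanitizer: it reports what a filter must strip, and the `in_svg` flag tells you whether the vector rode in on SVG as in the campaign above or in plain HTML.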


Example of one of the phishing emails used by Winter Vivern © ESET

A global threat

The methodology is already worrying, since it is very ingenious. More interesting still are the targets Winter Vivern pursues. The group is not new: it has been tracked since April 2021. SMEs, businesses and other private organizations are not its priority; it is known for infiltrating government entities in the Vatican, Ukraine, Lithuania, India and Italy. The group's objectives appear closely aligned with the interests and activities of Russia and Belarus, according to SentinelLabs researchers.

Similar attacks were recently carried out by another Russian group, APT28, which is linked to the GRU (Main Intelligence Directorate of the General Staff of the Russian Armed Forces). Those attacks mainly targeted Roundcube servers in Ukraine. These various intrusions say a lot about the current geopolitical context, and in particular about the very strong tensions between NATO and our big neighbor, Russia. Cyberwar does not kill, at least not directly, but it is an urgent reality that the nations involved must face.

Source : Bleeping Computer


