'Winter Vivern' Hackers Target NATO Officials with Zimbra Vulnerability Exploit
Category: Threat Actor Activity | Industries: Government, Military | Level: Strategic | Source: Proofpoint
Since February 2023, the Russian-aligned hacking group TA473, also known as 'Winter Vivern', has been exploiting the Zimbra vulnerability CVE-2022-27926 to target public-facing Zimbra-hosted webmail portals. Their main objective is to steal sensitive emails belonging to government officials, military personnel, diplomats, and NATO members associated with the Russia-Ukraine war. Proofpoint researchers report that the Winter Vivern campaign against military and government officials began with scanning tools such as Acunetix, used to find vulnerable targets. Following this reconnaissance, the actors sent phishing emails from compromised addresses, spoofed to appear as legitimate accounts the target knows or as someone relevant to the target's organization. "Often targeted individuals are experts in facets of European politics or economy as it pertains to regions impacted by the ongoing conflict. Social engineering lures and impersonated organizations often pertain to Ukraine in the context of armed conflict," Proofpoint said.