Low-Budget 'Winter Vivern' APT Awakens After 2-Year Hibernation

The "underreported" APT has returned to focus after attacks promoting Russian and Belarusian government interests and going after targets with humor, zest, and scrappiness.


A politically motivated cyber threat that's hardly discussed in the public sphere has made a sort of comeback in recent months, with campaigns against government agencies and individuals in Italy, India, Poland, and Ukraine.

"Winter Vivern" (aka UAC-0114) has been active since at least December 2020. Analysts tracked its initial activity in 2021, but the group has remained out of the public eye in the years since. That is, until attacks against Ukrainian and Polish government targets inspired reports on resurgent activity earlier this year from the Central Cybercrime Bureau of Poland, and the State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine.

In a follow-on analysis published this week, Tom Hegel, senior threat researcher at SentinelOne, further elucidated the group's TTPs and emphasized its close alignment "with global objectives that support the interests of Belarus and Russia's governments," noting that it should be classified as an advanced persistent threat (APT) even though its resources aren't on par with those of its Russian-speaking peers.

Winter Vivern, a 'Scrappy' Threat Actor

Winter Vivern, whose name is a derivative of the wyvern, a type of biped dragon with a poisonous, pointed tail, "falls into a category of scrappy threat actors," Hegel wrote. They're "quite resourceful and able to accomplish a lot with potentially limited resources, while willing to be flexible and creative in their approach to problem solving."

The group's most defining characteristic is its phishing lures — usually documents mimicking legitimate and publicly available government literature, which drop a malicious payload upon being opened. More recently, the group has taken to mimicking government websites to distribute their nasties. Vivern has a sense of humor, mimicking homepages belonging to the primary cyber-defense agencies of Ukraine and Poland, as seen below.

Homepages belonging to the primary cyber-defense agencies of Ukraine and Poland

The group's most tongue-in-cheek tactic, though, is to disguise its malware as antivirus software. As in many of its other campaigns, "the fake scanners are pitched through email to targets as government notices," Hegel tells Dark Reading.

These notices instruct recipients to scan their machines with this supposed antivirus software. Victims who download the fake software from the fake government domain will see what appears to be an actual antivirus running, when, in fact, a malicious payload is being downloaded in the background.

That payload, in recent months, has commonly been Aperitif, a Trojan that collects details about victims, establishes persistence on a target machine, and beacons out to an attacker-controlled command-and-control server (C2).

The group employs many other tactics and techniques, too. In a recent campaign against Ukraine's I Want to Live hotline, they resorted to an old favorite: a macro-enabled Microsoft Excel file.

And "when the threat actor seeks to compromise the organization beyond the theft of legitimate credentials," Hegel wrote in his post, "Winter Vivern tends to rely on shared toolkits and the abuse of legitimate Windows tools."

Winter Vivern, APT, or Hacktivists?

The Winter Vivern story is scattershot and leads to a somewhat confused profile.

Its targets are pure APT: Early in 2021, researchers from DomainTools were parsing Microsoft Excel documents using macros when they came upon one with a rather innocuous name: "contacts." The contacts macro dropped a PowerShell script that contacted a domain that'd been active since December 2020. Upon further investigation, the researchers discovered more than they'd bargained for: other malicious documents targeting entities within Azerbaijan, Cyprus, India, Italy, Lithuania, Ukraine, and even the Vatican.

The group was clearly still active by the summertime, when Lab52 published news of an ongoing campaign matching the same profile. But it wasn't until January 2023 that it resurfaced in the public eye, following campaigns against individual members of the Indian government, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and other European government agencies.

"Of particular interest," Hegel noted in his blog post, "is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war."

This special emphasis on Ukraine adds intrigue to the story since, as recently as February, the Ukraine government was only able to conclude "with a high level of confidence" that "Russian-speaking members are present" within the group. Hegel has now gone a step further, by directly correlating the group with Russian and Belarusian state interests.

"With the potential ties into Belarus, it's challenging to determine if this is a new organization or simply new tasking from those we know well," Hegel tells Dark Reading.

Even so, the group doesn't fit the profile of a typical nation-state APT. Their lack of resources, their "scrappiness" — relative to their heavy-hitting counterparts like Sandworm, Cozy Bear, Turla, and others — place them in a category nearer to more ordinary hacktivism. "They do possess technical skills to accomplish initial access, however, at this time they don't stack up to highly novel Russian actors," Hegel says.

Beyond the limited capacities, "their very limited set of activity and targeting is why they are so unknown in the public," Hegel says. It may be in Winter Vivern's favor, in the end. So long as it lacks that extra bite, it may continue to fly under the radar.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
