Russia-aligned ‘Winter Vivern’ hackers spotted targeting Ukraine, Europe, India

A new espionage campaign by a hacking group with suspected ties to Moscow targeted government agencies and telecom operators in Ukraine, India and Europe, researchers said Thursday.

The group, known as Winter Vivern, is “highly creative” and operates with limited resources, carefully selecting targets for attacks, according to an analysis by cybersecurity company SentinelOne. The hackers’ activities appear to support the interests of the Russian and Belarusian governments, especially in relation to the ongoing war in Ukraine, the report says.

Winter Vivern recently targeted various government agencies and private businesses, including telecom companies supporting Ukraine, SentinelOne said. The list includes Polish government agencies, the foreign ministries of Ukraine and Italy, and individuals in the Indian government.

In December, the group also focused on individuals linked to a Ukrainian government website that provides guidance and instructions to Russian and Belarusian soldiers who want to surrender voluntarily during the war in Ukraine.

Analysts began to track Winter Vivern in 2021, but the group — classified as an advanced persistent threat (APT) — had been quiet since then, SentinelOne said. Cybersecurity agencies in Poland and Ukraine collaborated with SentinelOne on the latest research, the company said.

Fake sites, files and more

Winter Vivern hackers used fake websites and distributed malicious documents that were customized to the specific needs of a targeted organization, researchers said. Examples include:

• Attempting to infect Ukrainian government computer systems with malware hosted on websites impersonating legitimate state services.

• Creating a webpage for credential phishing to target users of the email service used by the Indian government.

• Disguising Windows batch files — often used to automate routine tasks or execute a series of commands — as antivirus scanners and using them to download malicious payloads into victims' devices.

One of the malware strains delivered in these attacks is called Aperetif. It is hosted on compromised WordPress websites that are commonly used for malware distribution.

Ukraine’s Computer Emergency Response Team reported in February that this malware allowed hackers to take screenshots of the victim's computer, scan the desktop folder for files with the specified extensions and exfiltrate user data.

A spokesperson for the agency told The Record they could not share details about how many devices were infected or what information was stolen.

It is also unclear how successful the group's attacks were and what damage they caused. SentinelOne did not respond Thursday morning to The Record's request for comment.

The research report said that organizations directly or indirectly involved in the war should be vigilant against the group’s cyberattacks.

“Their ability to lure targets into the attacks and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations,” the researchers said.

Experts have warned lately about the potential for Russia-aligned hacking campaigns to increase in intensity as the war in Ukraine drags on.