‘Winter Vivern’ Hackers Target Pro-Ukraine Telcos

American cybersecurity business SentinelOne has reported that the Winter Vivern Advanced Persistent Threat (APT) is behind a series of espionage campaigns aimed at various organizations, including telcos, that have been supportive of Ukraine.

Our analysis of Winter Vivern’s past activity indicates that the APT has targeted various government organizations since 2021, including those in Lithuania, India, Vatican, and Slovakia.

Recently linked campaigns reveal that Winter Vivern has targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government. Of particular interest is the APT’s targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war.

There is little doubt about who the hackers are working for.

Our analysis indicates that Winter Vivern’s activities are closely aligned with global objectives that support the interests of Belarus and Russia’s governments.

The hackers combine several well-known methods to craft attacks that are particular to their targets.

The threat actor employs various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs.

One attack focused on email in India.

In mid 2022 the attackers also made an interesting, lesser observed, use of government email credential phishing webpages. One example is ocspdep[.]com, which was used in targeting users of the Indian government’s legitimate email service email.gov.in.

The hackers have also gone after security agencies.

In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine.

The phishing site for the Polish cybercrime bureau is pictured above.

SentinelOne’s warning serves as a reminder that telcos are on the front line of the new Cold War, plus any hot wars that now arise. Telcos are a valuable source of data, making them an appealing target for spies. A great deal of harm can also be caused by disrupting communication services. However, a string of disclosures about data breaches and SIM swap crimes reveal that many telco employees keep falling for deceptions involve phishing and spearphishing. It is not good enough to profess that ‘anyone’ can be fooled. More needs to be done to educate telco staff. System access must also be limited, even for systems that are usually assigned a low priority like those used to store data for marketing. We need to work responsibly to limit the leakage of data by trusting it only to employees who have demonstrated they understand the risk of being targeted by state-sponsored and freelance hackers.

The war in Ukraine and its impact on comms providers will be discussed with Cathal Mc Daid, CTO of Enea AdaptiveMobile Security, and the guest for today’s episode of The Communications Risk Show. Watch the livestream and submit your questions for Cathal from 4pm GMT at tv.commsrisk.com. If you cannot join us live then the recording will be available for replay soon after the broadcast has ended.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.