WINTER IS COMING

Pro-Russian hackers target elected US officials supporting Ukraine

Group tracked since 2021 exploits unpatched Zimbra servers to hack email accounts.

Dan Goodin
Locked out. Credit: Sean Gladwell / Getty Images

Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

Tenacious targeting

“This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”

Raggi declined to identify the targets except to say they included elected US officials and staffers at the federal government level as well as European entities. “In several instances among both US and European targeted entities, the individuals targeted by these phishing campaigns are vocal supporters of Ukraine in the Russia/Ukraine War and/or involved in initiatives pertaining to the support of Ukraine on an international stage,” he added.


Most of the recent attacks observed by Proofpoint exploited a vulnerability in outdated versions of Zimbra Collaboration, a software package used to host webmail portals. Tracked as CVE-2022-27926 and patched last March, the vulnerability is a cross-site scripting flaw that makes it possible for unauthenticated attackers to execute malicious Web scripts on servers by sending specially crafted requests. The attacks work only against Zimbra servers that have yet to install the patch.

The campaign begins with the use of scanning tools such as Acunetix to identify unpatched portals belonging to groups of interest. TA473 members then deliver phishing emails purporting to contain information of interest to the recipients.

A partially redacted phishing email TA473 sent to a target. Credit: Proofpoint

The emails are sent from compromised email addresses that often originate from unpatched or otherwise vulnerable WordPress-hosted domains. The sender of the emails is spoofed to appear as a person or organization the target interacts with during the regular scope of their positions. The body of the emails contains a benign URL, but when clicked, the hyperlink leads to a URL hosting JavaScript that exploits the Zimbra vulnerability.

This first-stage script downloads a second-stage JavaScript, tailored to the individual web portal, that performs a cross-site request forgery. The CSRF captures the target’s username, password, and authentication token. To conceal itself, the malicious JavaScript incorporates the legitimate JavaScript code that executes in the native webmail portal.

A diagram of a CSRF exploit used by TA473. Credit: Proofpoint

The process was described in further detail in Thursday’s post:

Proofpoint researchers have identified several instances of what appear to be customized CSRF JavaScript payloads with delivery achieved through both the above-mentioned CVE-2022-27926 exploitation and earlier delivery mechanisms, such as TA473-controlled infrastructure delivery stemming from the hyperlink of benign URLs in the body of the phishing email. These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance. Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets. In some instances, researchers observed TA473 specifically targeting RoundCube webmail request tokens as well. This detailed focus on which webmail portal is being run by targeted European government entities indicates the level of reconnaissance that TA473 conducts prior to delivering phishing emails to organizations. These next-stage TA473 CSRF JavaScript payloads also utilize several layers of Base64 encoding to obfuscate the functionality of the JavaScript. The actor inserts three nested instances of Base64 encoded JavaScript to complicate analysis of these delivered payloads. However, decoding the script is trivial to reveal the intended malicious functionality.

One malicious piece of JavaScript delivered in February had the following capabilities:

  • Steal usernames
  • Steal user's password
  • Steal an active CSRF token from a cookie in the web request response
  • Cache the stolen values to the actor-controlled server
  • Attempt login to the legitimate mail portal with active tokens
  • The script utilizes the additional URLs in its functionality:
    • Displays Pop3 and IMAP instructions hosted on actor-controlled server
    • Attempts logins to legitimate webmail portal via the native URL
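The Proofpoint post notes that the second-stage payloads hide their functionality behind three nested layers of Base64 and that decoding them is trivial. The script below is an added example, not code from Proofpoint or from the actor, showing how an analyst would peel such layers from a captured script and then flag the behaviours the report lists (cookie/token access, password references, outbound requests). It assumes each layer is wrapped as `eval(atob('<base64>'))`, which is a common form but is not specified in the report; the sample payload is a constructed, harmless placeholder built in the script itself.

```python
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

# Constructed fixture: a harmless placeholder script that merely reads and logs
# document.cookie. It is NOT the actor's payload; it exists only so the decoder
# below has something to peel.
PLACEHOLDER_SCRIPT = "var c = document.cookie; console.log('placeholder', c);"


def wrap_in_base64_layers(script: str, layers: int = 3) -> str:
    """Build a nested sample. The eval(atob('...')) wrapper form is an
    assumption for this example; the report only states that three layers
    of Base64 are used."""
    current = script
    for _ in range(layers):
        b64 = base64.b64encode(current.encode("utf-8")).decode("ascii")
        current = f"eval(atob('{b64}'));"
    return current


# A run of Base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
PRINTABLE = set(string.printable)


def _decode_if_text(token: str) -> Optional[str]:
    """Decode a candidate Base64 run, but only accept it if the result is
    valid UTF-8 and almost entirely printable (i.e. looks like script text)."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if sum(ch in PRINTABLE for ch in text) / len(text) < 0.95:
        return None
    return text


def peel_base64_layers(script: str, max_layers: int = 10) -> Tuple[str, int]:
    """Repeatedly replace every decodable Base64 run with its decoded text.
    Each pass removes one layer of nesting. Returns the expanded script and
    the number of layers removed; max_layers guards against pathological input."""
    current = script
    for layer in range(max_layers):
        changed = False

        def _expand(match: "re.Match[str]") -> str:
            nonlocal changed
            text = _decode_if_text(match.group(0))
            if text is None:
                return match.group(0)
            changed = True
            return text

        current = B64_RUN.sub(_expand, current)
        if not changed:
            return current, layer
    return current, max_layers


# Behaviours the report attributes to the decoded payloads, keyed by a
# substring an analyst would search for (matching is case-insensitive).
INDICATORS = {
    "document.cookie": "reads cookies (token theft from the web response)",
    "password": "references a password value or field",
    "csrf": "references a CSRF token",
    "xmlhttprequest": "issues its own web requests",
    "fetch(": "issues its own web requests",
}


def triage_indicators(script: str) -> List[str]:
    """Return the distinct, sorted behaviour notes whose indicator appears in
    the (decoded) script. Running this on the still-encoded script returns
    nothing, which is exactly why the layers must be peeled first."""
    lowered = script.lower()
    return sorted({note for needle, note in INDICATORS.items() if needle in lowered})


if __name__ == "__main__":
    sample = wrap_in_base64_layers(PLACEHOLDER_SCRIPT)
    print("indicators before decoding:", triage_indicators(sample))
    decoded, layers = peel_base64_layers(sample)
    print(f"removed {layers} layer(s)")
    print("indicators after decoding:", triage_indicators(decoded))
```

Because the decoder substitutes decoded text in place rather than extracting a single blob, it also handles scripts that embed several Base64 strings side by side, and the printable-text check keeps it from mangling Base64 that happens to carry binary data.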

Researchers at other security firms track TA473 as Winter Vivern, a name coined by researchers from DomainTools and taken from the file path an early piece of the group’s malware used when communicating with control servers. Vivern appears to be a variation of wyvern, a mythological biped dragon with wings and a barbed tail.

Researchers from security firms Lab52 and SentinelLabs have also profiled the group. All four security firms that have followed Winter Vivern agree: What the group lacks in funding and advanced techniques, it makes up for with persistence and deep and careful research.

“While TA473 does not lead the pack in sophistication among APT threats targeting the European cyber landscape, they demonstrate focus, persistence, and a repeatable process for compromising geopolitically exposed targets,” Proofpoint wrote. “Like a Vivern in medieval winter, despite having only two legs and a pair of wings, this is likely a threat that will persist year-round.”

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.