Phishing from threat actor TA473 targets US and NATO officials
A new Proofpoint report indicates that in late 2022, threat actor TA473 targeted elected officials and staffers in the U.S., as well as experts in European politics and economics.
TA473 is a threat actor, known since 2021, that has targeted several countries aligned against the interests of Belarus and Russia; some security companies and governmental entities also call the group Winter Vivern.
The threat actor mostly creates phishing campaigns to deliver payloads and harvest credentials.
TA473 often sends emails from compromised email addresses, originating from unpatched or insecure WordPress-hosted domains.
In some cases, TA473 uses structured URI paths that indicate a hashed value for the targeted individual, an unencoded indication of the targeted organization, and encoded or plaintext versions of the benign URL that was hyperlinked in the initial email to targets.
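A defender can look for those three traits in URLs taken from mail-gateway or proxy logs. The sketch below is an added example, not code from Proofpoint or from the article; the report's exact path layout is not given here, so the two layouts in the samples, the digest lengths, the base64 encoding, and the names `uri_traits` and `decode_b64_url` are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed digest lengths: MD5, SHA-1, SHA-256 written as hex.
HEX_DIGEST = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", re.I)
HTTP_URL = re.compile(r"https?://[\w.-]+", re.I)
B64_TOKEN = re.compile(r"[A-Za-z0-9_-]{12,}={0,2}")

def decode_b64_url(token):
    """Return the URL hidden in a URL-safe base64 token, or None."""
    if not B64_TOKEN.fullmatch(token):
        return None
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if HTTP_URL.match(text) else None

def uri_traits(url, org_watchlist):
    """List which of the three described traits appear after the hostname."""
    parts = urlsplit(url)
    tokens = [unquote(s) for s in parts.path.split("/") if s]
    tokens += [value for _, value in parse_qsl(parts.query)]
    tail = unquote(parts.path + "?" + parts.query)
    traits = set()
    if any(HEX_DIGEST.fullmatch(t) for t in tokens):
        traits.add("hashed_target")
    if any(t.lower() in org_watchlist for t in tokens):
        traits.add("plaintext_org")
    if HTTP_URL.search(tail) or any(decode_b64_url(t) for t in tokens):
        traits.add("embedded_url")
    return sorted(traits)

# Constructed samples: reserved example domains, made-up digest and org name.
BENIGN = "https://news.example.org/article"
DIGEST = "5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLES = [
    f"https://site.example.net/{DIGEST}/example-agency/"
    + base64.urlsafe_b64encode(BENIGN.encode()).decode(),
    f"https://site.example.net/t?u={DIGEST}&o=example-agency"
    "&r=https%3A%2F%2Fnews.example.org%2Farticle",
    "https://www.example.com/blog/2023/04/post",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(uri_traits(sample, {"example-agency"}), sample)
```

A URL showing all three traits at once is worth triage; any single trait alone is common in legitimate tracking links, and the watchlist should hold the defender's own organization names.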
Proofpoint has observed that the threat actor sometimes targets specific RoundCube webmail request tokens as well, which reveals that the threat actor has already done reconnaissance on the target prior to attacking it.