Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been observed actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been behind the SolarWinds supply-chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.
The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences in the tactics, techniques, and procedures (TTPs) employed by the adversary from those of known attacker profiles, including APT29.
First identified in Japan in 2018, WellMess (aka WellMail) has previously been deployed in attacks undertaken by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.
“The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” the U.K.’s National Cyber Security Centre (NCSC) said in an advisory published in July 2020.
RiskIQ said it began its investigation into APT29’s attack infrastructure following a report of a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it is not clear how these servers are being used or who the targets are.
This isn’t the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed, with high confidence, additional infrastructure that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it’s likely similar to previously identified samples.”
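A report like this one reaches defenders as a list of IP addresses and TLS certificate fingerprints, and two details above shape how it should be consumed: certificates let a shared C2 certificate expose hosts whose IPs were not published, and the October 9, 2020 first-seen date means the hunt has to reach back months, not days. The following is an added example, not code from the article or from RiskIQ: a small Python matcher that indexes such a watchlist and runs it over connection and TLS logs. Every indicator and log line in it is constructed (RFC 5737 documentation addresses, dummy fingerprints, a simplified Zeek-like TSV layout), and the `first_seen` column is an assumed field, not something the article states the report contains.

```python
"""Operationalise a published C2 watchlist (IP addresses and TLS certificate
fingerprints) by matching it against network telemetry.

Added example, not code from the article or from RiskIQ. Every indicator and
log line below is a constructed placeholder (RFC 5737 documentation addresses,
dummy fingerprints), not real APT29 infrastructure; the log format is a
simplified, constructed Zeek-like TSV.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime, timezone

# Constructed placeholder fingerprints (40 hex chars, like a SHA-1).
CERT_A = "0" * 39 + "1"   # assumed to be reused across several C2 hosts
CERT_OK = "1" * 40        # unrelated, benign certificate

# Constructed watchlist in the shape a report's IoC appendix might take.
# The first_seen column is an assumption made for this example.
WATCHLIST_CSV = f"""\
type,value,first_seen,note
ip,203.0.113.10,2020-10-09,placeholder C2 (earliest seen)
ip,198.51.100.7,2021-06-11,placeholder C2
cert_sha1,{CERT_A},2021-06-11,placeholder C2 TLS certificate
"""

# Constructed connection log: internal host -> external host:port.
CONN_LOG = """\
ts\tid.orig_h\tid.resp_h\tid.resp_p\tproto
1623412800.0\t10.0.0.5\t203.0.113.10\t443\ttcp
1623413100.0\t10.0.0.8\t93.184.216.34\t443\ttcp
1623413400.0\t10.0.0.5\t198.51.100.7\t8080\ttcp
"""

# Constructed TLS log: the server certificate observed on each session.
SSL_LOG = f"""\
ts\tid.orig_h\tid.resp_h\tserver_name\tcert_sha1
1623412801.0\t10.0.0.5\t203.0.113.10\t-\t{CERT_A}
1623413101.0\t10.0.0.8\t93.184.216.34\texample.com\t{CERT_OK}
1623413500.0\t10.0.0.9\t192.0.2.44\t-\t{CERT_A}
"""


@dataclass(frozen=True)
class Hit:
    log: str           # which log the match came from ("conn" or "ssl")
    ts: datetime
    src: str           # internal host that made the connection
    kind: str          # "ip" or "cert_sha1"
    indicator: str
    note: str


def load_watchlist(text: str) -> dict:
    """Index indicators by (type, normalised value) for O(1) lookups."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["type"], r["value"].lower()): r for r in rows}


def _rows(tsv: str):
    return csv.DictReader(io.StringIO(tsv), delimiter="\t")


def _ts(epoch: str) -> datetime:
    return datetime.fromtimestamp(float(epoch), tz=timezone.utc)


def match_logs(watchlist: dict, conn_log: str, ssl_log: str) -> list:
    """Return every log row whose destination IP or server certificate is listed.

    Certificate matching is what lets a reused certificate expose a C2 host
    whose IP is not on the list (the 192.0.2.44 row in the sample data).
    """
    hits = []
    for row in _rows(conn_log):
        w = watchlist.get(("ip", row["id.resp_h"]))
        if w:
            hits.append(Hit("conn", _ts(row["ts"]), row["id.orig_h"], "ip", w["value"], w["note"]))
    for row in _rows(ssl_log):
        for key in (("ip", row["id.resp_h"]), ("cert_sha1", row["cert_sha1"].lower())):
            w = watchlist.get(key)
            if w:
                hits.append(Hit("ssl", _ts(row["ts"]), row["id.orig_h"], key[0], w["value"], w["note"]))
    return hits


def hosts_to_triage(hits: list) -> dict:
    """Group matched indicators by internal host so the analyst sees whom to look at first."""
    out: dict = {}
    for h in hits:
        out.setdefault(h.src, set()).add(h.indicator)
    return out


def lookback_start(watchlist: dict) -> date:
    """Earliest first_seen on the list: how far back a retro-hunt must search."""
    return min(date.fromisoformat(w["first_seen"]) for w in watchlist.values())


if __name__ == "__main__":
    wl = load_watchlist(WATCHLIST_CSV)
    print("retro-hunt logs back to", lookback_start(wl))
    for host, inds in sorted(hosts_to_triage(match_logs(wl, CONN_LOG, SSL_LOG)).items()):
        print(host, "->", ", ".join(sorted(inds)))
```

Run as-is, the script flags 10.0.0.5 (two listed IPs plus the listed certificate) and 10.0.0.9, which only talked to an unlisted address but was served the listed certificate; 10.0.0.8 never appears. The lookback date tells the hunt team to search retained logs back to October 2020 rather than only the weeks around publication.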