Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.
The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences in the tactics, techniques, and procedures (TTPs) employed by the adversary with that of known attacker profiles, including APT29.
First identified by Japan’s JPCERT/CC in 2018, WellMess (aka WellMail) has been previously deployed in espionage campaigns undertaken by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.
“The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” the U.K.’s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.
RiskIQ said it began its investigation into APT29’s attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, though it is not clear how these servers are being used or who the targets are.
This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an additional set of 18 servers with high confidence that likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”