Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence service have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
APT29, the moniker assigned to government operatives working for Russia's Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.
The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, including APT29.
First identified by Japan's JPCERT/CC in 2018, WellMess (typically deployed alongside the related WellMail implant) has previously been used in espionage campaigns carried out by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.
"The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain," the U.K.'s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.
RiskIQ said it began its investigation into APT29's attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it's not clear how these servers are being used or who the targets are.
This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed another set of 18 servers that it assessed with high confidence likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.
"RiskIQ's Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29," said Kevin Livelli, RiskIQ's director of threat intelligence. "We were unable to find any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples."