Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been observed actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence service have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.
The activity is being tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), citing differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, counting APT29.
First identified by Japan’s JPCERT/CC in 2018, WellMess (aka WellMail) has previously been deployed in espionage campaigns carried out by the threat actor to plunder intellectual property from multiple organizations involved in COVID-19 research and vaccine development in the U.K., U.S., and Canada.
“The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” the U.K.’s National Cyber Security Centre (NCSC) noted in an advisory published in July 2020.
RiskIQ said it began its investigation into APT29’s attack infrastructure following a public disclosure about a new WellMess C2 server on June 11, leading to the discovery of a cluster of no fewer than 30 active C2 servers. One of the servers is believed to have been active as early as October 9, 2020, although it is not clear how these servers are being used or who the targets are.
This is not the first time RiskIQ has identified the command-and-control footprint associated with the SolarWinds hackers. In April, it unearthed an additional set of 18 servers that, with high confidence, likely communicated with the targeted, secondary Cobalt Strike payloads delivered via the TEARDROP and RAINDROP malware deployed in the attacks.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”