RiskIQ Uncovers Infrastructure Patterns Leading to 35 Active Russian APT29, aka Cozy Bear, C2 Servers
RiskIQ, a leader in internet security intelligence, has uncovered more than 30 active command and control (C2) servers under the control of APT29 (The Dukes, Yttrium, Cozy Bear), which the US government associates with Russia’s Foreign Intelligence Service (SVR). These servers are actively serving malware (WellMess, WellMail) that was previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
The report will be of particular interest to those tracking APT29 and to targets and victims of the WellMess/WellMail malware, who may benefit from the tactical intelligence it contains, including APT29’s network footprint, SSL certificates, and IP addresses.
- Russia’s APT29, which the US government associated with Russia’s foreign intelligence service, is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
- RiskIQ’s Team Atlas identified nearly three dozen C2 servers that we assess are under the control of APT29 and serving WellMess.
- The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.
One year ago, amid a global pandemic, the UK, US, and Canadian governments issued a joint advisory detailing a Russian espionage campaign that targeted COVID-19 vaccine research efforts in their respective countries. They attributed the campaign to APT29 and explicitly identified the group as an extension of the SVR. They also publicly attributed the malware used in the campaign, known as WellMess and WellMail, to APT29 for the first time.
Only one month ago, the American and Russian heads of state held a summit wherein Russia’s aggressive cyber campaigns topped the list of President Biden’s strategic concerns. Given this context, RiskIQ’s Threat Intelligence Team Atlas paid particular attention to APT29 activity around and after this summit, which took place on June 16.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup,” said Kevin Livelli, Director of Threat Intelligence, RiskIQ Team Atlas. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”
RiskIQ’s Team Atlas will continue to update the community as they identify additional infrastructure related to this malware.