SalesTech Star

RiskIQ Uncovers Infrastructure Patterns Leading to 35 Active Russian APT29, aka Cozy Bear, C2 Servers

RiskIQ, a leader in internet security intelligence, has uncovered more than 30 active command and control (C2) servers under the control of APT29 (The Dukes, Yttrium, Cozy Bear), which the US government associates with Russia’s Foreign Intelligence Service (SVR), actively serving malware (WellMess, WellMail). This malware was previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.

Read More: SalesTechStar Interview With Sudhir Agarwal, Founder And CEO At Everise

The report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail malware, who may benefit from the tactical intelligence, including APT29’s network footprint, SSL certifications, and IP addresses.

Key Findings

  • Russia’s APT29, which the US government associated with Russia’s foreign intelligence service, is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
  • RiskIQ’s Team Atlas identified nearly three dozen C2 servers we assessed are under the control of APT29 and serving WellMess.
  • The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.

One year ago, amid a global pandemic, the UK, US, and Canadian governments issued a joint advisory detailing a Russian espionage campaign that targeted COVID-19 vaccine research efforts in their respective countries. They attributed the campaign to APT29 and explicitly identified the group as an extension of the SVR. They attributed the malware used in the campaign, known as WellMess and WellMail, with APT29, for the first time publicly.

Read More: Fabric Hires Tyler Nemiro As VP Of Enterprise Sales

Only one month ago, the American and Russian heads of state held a summit wherein Russia’s aggressive cyber campaigns topped the list of President Biden’s strategic concerns. Given this context, RiskIQ’s Threat Intelligence Team Atlas paid particular attention to APT29 activity around and after this summit, which took place on June 16.

“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup,” said Kevin Livelli, Director of Threat Intelligence, RiskIQ Team Atlas. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”

RiskIQ’s Team Atlas will continue to update the community as they identify additional infrastructure related to this malware.

Read More: Public Pricing Is Revolutionizing The Real Estate Sales Process

Write in to to learn more about our exclusive editorial packages and programs.