External Threat Management Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

One year ago, amid a global pandemic, the UK, US, and Canadian governments issued a joint advisory detailing a Russian espionage campaign that targeted COVID-19 vaccine research efforts in their respective countries. They attributed the campaign to Russia's APT29 (The Dukes, Yttrium, Cozy Bear) and explicitly identified the group as an extension of Russia's Foreign Intelligence Services (SVR). They attributed the malware used in the campaign, known as WellMess and WellMail, with APT29, for the first time publicly. 

Japan's CERT had previously identified WellMess in 2018, though they did so without discussing targeting or associating it with a specific threat actor. In the wake of the 2020 Western governments' report, RiskIQ's Team Atlas expanded the known attacker footprint of the campaign, identifying more than a dozen additional command-and-control servers beyond what was reported.

Now, RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ’s Team Atlas paid particular attention to APT around and after this summit, which took place on June 16. 

This report will be of particular interest to those tracking APT29 and targets and victims of WellMess/WellMail, who may benefit from the tactical intelligence provided below.

Key Findings

  • Russia's APT29 (The Dukes, Yttrium, Cozy Bear), which the US government associated with Russia's Foreign Intelligence Service, is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
  • RiskIQ's Team Atlas identified nearly three dozen command-and-control (C2) servers we assessed are under the control of APT29 and serving WellMess.
  • The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.

Illuminating APT29’s Network Footprint

Because APT29 uses WellMess in a highly targeted fashion, signs of this malware and its C2 servers are relatively rare. Our recent investigation began following a public discourse on Twitter on June 11, 2021:

RiskIQ’s Team Atlas researchers confirmed that the indicators mentioned in the Tweet were associated with APT29 and WellMess. We then found several additional IP addresses and Certificates that closely matched the pattern found on the original IP address mentioned in the Tweet.

Building on that discovery, RiskIQ’s Team Atlas was then able to leverage RiskIQ’s Internet Intelligence Graph to link the following SSL Certificates and IP addresses to APT29 C2 infrastructure with high confidence. The first IP address we recorded with these new SSL Certificate features was spotted on October 9, 2020. However, we established that they go back nearly a week prior after corroborating our findings with external sources.

You can explore the full list of these IOCs in RiskIQ's Threat Intelligence Portal here.

Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are. We also found it noteworthy that many of the newer IP addresses reside in the same Class-C networks as previously disclosed IP addresses.

RiskIQ’s Team Atlas next examined the banners returned from HTTP requests made to the servers in the table above. In doing so, we identified a pattern that linked both the old and new styles of SSL certificates together. It also led our researchers to discover an entirely separate group of malicious certificates and IP addresses that were initially stood up around the same time.

These IOCs are listed in RiskIQ's Threat Intelligence Portal here.

RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup. We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples. 

The Hunt Continues

Team Atlas will continue to update the community as we identify additional infrastructure related to this malware. You can explore the IOCs referenced in this article and other known APT29 infrastructure by joining the RiskIQ Community

We also encourage analysts at security companies and those targeted by this threat actor to contact us at atlas@riskiq.net.

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor