RiskIQ Uncovers Infrastructure Patterns Leading to 35 Active Russian APT29, aka Cozy Bear, C2 Servers
July 30, 2021
San Francisco, CA, July 30, 2021 – RiskIQ, a leader in internet security intelligence, has uncovered more than 30 active command and control (C2) servers under the control of APT29 (The Dukes, Yttrium, Cozy Bear), which the US government associates with Russia’s Foreign Intelligence Service (SVR), actively serving malware (WellMess, WellMail). This malware was previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
The report will be of particular interest to those tracking APT29 and to targets and victims of the WellMess/WellMail malware, who may benefit from its tactical intelligence, including APT29’s network footprint, SSL certificates, and IP addresses.
- Russia's APT29, which the US government associated with Russia's foreign intelligence service, is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada.
- RiskIQ's Team Atlas identified nearly three dozen C2 servers we assessed are under the control of APT29 and serving WellMess.
- The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Joe Biden in a recent summit with President Vladimir Putin.
One year ago, amid a global pandemic, the UK, US, and Canadian governments issued a joint advisory detailing a Russian espionage campaign that targeted COVID-19 vaccine research efforts in their respective countries. They attributed the campaign to APT29 and explicitly identified the group as an extension of the SVR. They also publicly attributed the malware used in the campaign, known as WellMess and WellMail, to APT29 for the first time.
Only one month ago, the American and Russian heads of state held a summit wherein Russia's aggressive cyber campaigns topped the list of President Biden's strategic concerns. Given this context, RiskIQ’s Threat Intelligence Team Atlas paid particular attention to APT29 activity around and after this summit, which took place on June 16.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup,” said Kevin Livelli, Director of Threat Intelligence, RiskIQ Team Atlas. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”
RiskIQ’s Team Atlas will continue to update the community as they identify additional infrastructure related to this malware. You can read the full article here and explore the IOCs from the investigation and other known APT29 infrastructure by joining the RiskIQ Community.
RiskIQ’s Team Atlas encourages analysts at security companies and those targeted by this threat actor to contact us at firstname.lastname@example.org.
RiskIQ is a leader in internet security intelligence, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 75% of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social and mobile exposures. Trusted by security teams, CISOs, and more than 100,000 security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect the business, brand, and customers. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, NationalGrid Partners, and MassMutual Ventures.
© 2021 RiskIQ, Inc. All rights reserved. RiskIQ is a registered trademark of RiskIQ, Inc. in the United States and other countries. All other trademarks contained herein are the property of their respective owners.