RiskIQ's Team Atlas has discovered additional infrastructure serving the WellMess and WellMail malware, which was first documented by Japan CERT in 2018.

What has happened?

Cybersecurity researchers from RiskIQ have uncovered new C2 infrastructure associated with the Russia-based APT29.
  • The researchers identified a cluster of 30 active C2 servers. One of the discovered servers has been active since October 9, 2020.
  • The IP addresses and certificates gave the researchers sufficient confidence to attribute the infrastructure to APT29. It is not yet known how these servers are being used or who the actual targets are.
  • Additionally, a separate group of malicious certificates and newer IP addresses (in the same Class C /24 networks as previously identified IP addresses) was discovered.
  • Although the researchers have not published details of the malware communicating with this C2 infrastructure, it is likely the same as previously observed samples.
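The two pivots the researchers describe, certificate reuse and co-location in the same Class C /24 network, are the kind of linkage a defender can script when triaging new infrastructure, and the resulting list is what the conclusion means by leveraging the report's IOCs. The following Python is an added example and not code from RiskIQ or this article; the IP addresses (RFC 5737 documentation ranges), certificate fingerprints and proxy log lines are constructed, and the `dst=` log format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation ranges, fictional fingerprints);
# these are NOT indicators from the RiskIQ report.
KNOWN_C2 = [
    {"ip": "198.51.100.23", "cert_sha256": "ab12" * 16},
    {"ip": "203.0.113.8",   "cert_sha256": "cd34" * 16},
]

NEW_SERVERS = [
    {"ip": "198.51.100.77", "cert_sha256": "ef56" * 16},  # same /24 as a known C2
    {"ip": "192.0.2.40",    "cert_sha256": "cd34" * 16},  # reuses a known certificate
    {"ip": "192.0.2.200",   "cert_sha256": "0000" * 16},  # no link to known infrastructure
]


def class_c(ip: str) -> ipaddress.IPv4Network:
    """Return the /24 (Class C sized) network containing ip."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def link_candidates(known, candidates):
    """Map each candidate IP to the reasons it links to known infrastructure.

    Two pivots are applied: the candidate presents a certificate already seen on a
    known C2 server, or it sits in the same /24 as one. Candidates with no link
    are omitted from the result.
    """
    known_certs = {k["cert_sha256"]: k["ip"] for k in known}
    known_nets = defaultdict(list)
    for k in known:
        known_nets[class_c(k["ip"])].append(k["ip"])

    links = {}
    for c in candidates:
        reasons = []
        if c["cert_sha256"] in known_certs:
            reasons.append(f"shared-cert with {known_certs[c['cert_sha256']]}")
        net = class_c(c["ip"])
        if net in known_nets:
            reasons.append(f"same /24 ({net}) as {', '.join(known_nets[net])}")
        if reasons:
            links[c["ip"]] = reasons
    return links


# Assumed egress-proxy log format: "... dst=<ipv4> ..." (constructed for this example).
LOG_RE = re.compile(r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+)")

SAMPLE_LOG = [
    "2021-07-30T10:00:01Z src=10.0.0.5 dst=192.0.2.40 port=443 action=allow",
    "2021-07-30T10:00:02Z src=10.0.0.6 dst=192.0.2.99 port=443 action=allow",
    "2021-07-30T10:00:03Z src=10.0.0.7 dst=198.51.100.77 port=443 action=allow",
]


def find_hits(log_lines, watch_ips):
    """Return (line, dst) pairs whose destination IP is in the watch set."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") in watch_ips:
            hits.append((line, m.group("dst")))
    return hits


if __name__ == "__main__":
    links = link_candidates(KNOWN_C2, NEW_SERVERS)
    for ip, reasons in links.items():
        print(ip, "->", "; ".join(reasons))
    # Watch both the published indicators and the servers linked to them.
    watch = {k["ip"] for k in KNOWN_C2} | set(links)
    for line, dst in find_hits(SAMPLE_LOG, watch):
        print("HIT", dst, "|", line)
```

The /24 pivot is deliberately weak evidence on its own (shared hosting providers put unrelated tenants in one Class C), so the function records why each candidate was linked rather than returning a flat list; an analyst can then weight certificate reuse more heavily than network adjacency before adding an address to a blocklist.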

Earlier campaigns

Previously, the WellMess malware has been used in espionage campaigns launched by APT29 to steal intellectual property from various organizations, including organizations involved in COVID-19 research in the U.S., the U.K., and Canada.
  • While investigating the SolarWinds supply chain attack, researchers discovered a set of 18 servers connected to about 16,000 systems worldwide, communicating with APT29.
  • APT29, aka Cozy Bear, was linked to the breach that impacted the systems of the Republican National Committee last w
  • APT29 was also behind the 2017 breach of the Dutch police's internal network while the investigation into the MH-17 crash was still underway.

The APT29 group is also known to use multiple tools and techniques to regularly target think tanks, governments, diplomatic agencies, healthcare facilities, and energy firms.

Conclusion

APT29 is infamous for targeted attacks aimed at U.S. organizations. This ongoing campaign shows that the group is still actively investing in new infrastructure and planning further attacks. Federal agencies and organizations are therefore advised to stay vigilant, focus on a proactive defense strategy, and leverage the IOCs provided in the RiskIQ report.

Cyware Publisher
