Dozens of active Cozy Bear C2 servers for data-stealing malware identified

WellMess and WellMail malware strains have been used in espionage campaigns targeting Covid-19 research

Researchers from RiskIQ's Team Atlas claim to have uncovered more than 30 active command-and-control (C2) servers that are being used by Russia-backed advanced persistent threat group APT29 in an active campaign to serve WellMess and WellMail malware.

These two malware strains were previously used in espionage campaigns targeting Covid-19 research in the US, UK and Canada, according to the researchers.

APT29 has predominantly targeted diplomatic, governmental, energy, and healthcare organisations in recent years. It is also known as Cozy Bear, The Dukes, and Yttrium, and is associated with Russia's foreign intelligence service.

APT29 uses WellMess malware in a highly targeted fashion, and finding signs of the malware and its C2 servers is relatively rare, the researchers said.

In July last year, the UK's National Cyber Security Centre (NCSC) issued an alert warning that APT29 was targeting British labs in efforts to "steal valuable intellectual property" on Covid-19 vaccines. The NCSC said that the group was specifically targeting biomedical research organisations through WellMail and WellMess malware, with the intent of stealing information related to the development and testing of coronavirus vaccines.

The US and Canada, whose labs were also targeted by hackers, also backed the NCSC's assessment.

"The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access," the NCSC said.

Team Atlas' recent investigation into APT29 began following a public disclosure on Twitter last month, in which a security researcher using the handle 'm4lWatch' said a new WellMess C2 server had been identified.

Following an initial analysis, Team Atlas confirmed that the indicators mentioned in the tweet were indeed linked with APT29 and WellMess.

The researchers then discovered many further IP addresses and certificates matching the pattern found on the IP address mentioned in m4lWatch's tweet.

These IP addresses were attributed, with high confidence, to APT29 C2 infrastructure.

"RiskIQ's Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said Kevin Livelli, director of threat intelligence at RiskIQ Team Atlas.

The researchers warn that the infrastructure is being used in ongoing attacks, although they don't have enough information at this time to say how Russian hackers have been using the infrastructure or who the targets are.

The activity uncovered by RiskIQ's security researchers is notable because it comes about a month after US President Biden told Russian President Vladimir Putin at a summit that he expected Russia to take action against cyber criminals operating within its territory.

Biden warned his Russian counterpart that the US has "significant cyber capability", which could be used in offensive cyber operations in the future unless Russia clamps down on hackers targeting US entities.

Putin denied that Russia was protecting ransomware operatives. He refused to answer questions about recent attacks on US entities, but said his talks with President Biden were "quite constructive" and that both of them "spoke the same language."