Researchers revealed on Friday new command-and-control (C2) infrastructure belonging to the Russian state-sponsored actor APT29, infrastructure that is actively serving WellMess malware.
More than 30 C2 servers were discovered by the Microsoft-owned cybersecurity company RiskIQ during an analysis of infrastructure operated by hackers working for Russia's Foreign Intelligence Service (SVR).
APT29 is believed to have been responsible for the massive SolarWinds supply-chain attack, disclosed late last year, against US government agencies and companies.
The actor is tracked by different companies under a variety of codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity) and Iron Ritual (Secureworks).
The APT targets victims with the WellMess malware, first documented by Japan's JPCERT/CC in 2018 (WellMail, a separate implant, has been deployed alongside it in the same campaigns). The malware was used in espionage campaigns to steal intellectual property from organizations involved in the development of COVID-19 vaccines and other drugs.
“The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” the U.K.’s National Cyber Security Centre (NCSC) noted in an advisory published in 2020.
RiskIQ discovered the cluster of more than 30 active WellMess C2 servers in June; one of them is believed to have been in use by APT29 as early as October 9, 2020.
Earlier, in April, the company had identified 18 command-and-control servers that were part of the infrastructure used in the SolarWinds attacks.
“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29,” said Kevin Livelli, RiskIQ’s director of threat intelligence. “We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples.”
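RiskIQ's indicators for this cluster are IP addresses and TLS certificates. For a defender, the certificate hashes are the more durable of the two, because an operator can move a C2 server to a fresh IP far more cheaply than re-issue every certificate. The following is an added example (not RiskIQ's code, and the indicator values and log lines are constructed placeholders, not real APT29 infrastructure) showing how to match a Zeek-style TLS connection log against both kinds of indicator, so that a server that has changed IP but kept its certificate is still flagged:

```python
"""Match TLS-connection log lines against C2 indicators by IP and certificate hash.

Added example. The indicator set and log lines below are constructed
placeholders (RFC 5737 documentation addresses, made-up certificate bytes);
none of them are real WellMess infrastructure.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER-encoded server certificates. With real data
# these would be the X.509 certificate bytes captured from the handshake.
CERT_A_DER = b"placeholder-der-cert-A"
CERT_B_DER = b"placeholder-der-cert-B"
CERT_C_DER = b"placeholder-der-cert-C"


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lower-case hex, which is the
    form in which certificate indicators are usually published."""
    return hashlib.sha256(der).hexdigest()


# Constructed indicator set: two C2 IPs and one C2 certificate fingerprint.
IOC_IPS = {"192.0.2.10", "198.51.100.7"}
IOC_CERTS = {cert_fingerprint(CERT_A_DER): "cert A (placeholder)"}

# Constructed Zeek-style TSV log with a certificate-hash column. Line 2 shows
# the interesting case: a known certificate on an IP that is not in the list.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tcert_sha256",
    "1625068800.1\t10.0.0.5\t192.0.2.10\t443\t" + cert_fingerprint(CERT_A_DER),
    "1625068801.2\t10.0.0.6\t203.0.113.55\t443\t" + cert_fingerprint(CERT_A_DER),
    "1625068802.3\t10.0.0.7\t198.51.100.7\t8080\t" + cert_fingerprint(CERT_B_DER),
    "1625068803.4\t10.0.0.8\t203.0.113.99\t443\t" + cert_fingerprint(CERT_C_DER),
])


@dataclass
class Match:
    src_ip: str
    dst_ip: str
    dst_port: int
    cert_sha256: str
    reasons: list = field(default_factory=list)


def parse_log(text: str):
    """Yield (src, dst, port, cert_sha256) for each data line, skipping headers."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, dst, port, cert = line.split("\t")
        yield src, dst, int(port), cert.lower()


def match_log(text: str, ioc_ips=IOC_IPS, ioc_certs=IOC_CERTS) -> list:
    """Return one Match per connection that hits an IP or certificate indicator.
    A connection can match on both; a certificate-only match usually means the
    infrastructure moved IP but kept its certificate."""
    matches = []
    for src, dst, port, cert in parse_log(text):
        reasons = []
        if dst in ioc_ips:
            reasons.append("ip")
        if cert in ioc_certs:
            reasons.append("cert:" + ioc_certs[cert])
        if reasons:
            matches.append(Match(src, dst, port, cert, reasons))
    return matches


if __name__ == "__main__":
    for m in match_log(SAMPLE_LOG):
        print(f"{m.src_ip} -> {m.dst_ip}:{m.dst_port} matched on {', '.join(m.reasons)}")
```

Run against the constructed log, the second connection (to 203.0.113.55) is reported on the certificate alone, which is exactly the case an IP-only blocklist would miss; the third is reported on the IP alone, which is worth a second look since the server is presenting a certificate not yet in the indicator set.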