Researchers Find More Servers Tied to Russian-Linked AttacksRiskIQ: APT29 Using Infrastructure to Deliver Malware to Targets
Researchers at the security firm RiskIQ have uncovered about 35 active command-and-control servers connected with an ongoing malware campaign that has been linked to a Russian-speaking attack group known as APT29 or Cozy Bear.
These servers, which are located in the U.S., Austria, Bulgaria, Switzerland, Germany, Denmark, France, Hong Kong, Japan and nearly a dozen other countries, are used to host custom malware called WellMess and WellMail, RiskIQ says in a report released Friday. These malware strains have previously been deployed to target research organizations developing COVID-19 vaccines, the researchers note.
The COVID-19 research facilities originally targeted by APT29 were located in the U.S., the U.K. and Canada. These countries issued a joint alert about the campaign in June 2020 (see: US, UK, Canada: Russian Hackers Targeting COVID-19 Research).
Kevin Livelli, the director of threat intelligence for RiskIQ's Team Atlas, says that it's not clear whether the attackers are still targeting COVID-19 research facilities or have turned their attention elsewhere.
"We know - based on how the servers are configured - that they are designed to work with WellMess and WellMail malware," Livelli says. "However, we don't know where that malware is being targeted, nor whom the victims may be."
RiskIQ researchers have attempted to contact those service providers that the attackers use to host this infrastructure, Livelli says.
APT29 and Russia
The National Security Agency has reported that APT29 is an attack group that works within Russia's Foreign Intelligence Service, aka SVR. The group has been associated with numerous high-profile campaigns targeting many organizations worldwide.
These campaigns include the intrusion against the Democratic National Committee in 2016, and, more recently, the supply chain attack that targeted SolarWinds, which led to follow-on attacks on about 100 companies and at least nine federal agencies (see: US Pulls Back Curtain on Russian Cyber Operations).
The White House issued sanctions against the Russian government for the SolarWinds attack and election interference. And Biden brought up these cybersecurity incidents at his June summit meeting with Russian President Vladimir Putin (see: Analysis: The Cyber Impact of Biden/Putin Summit Meeting).
Nevertheless, the cyber activities of APT 29 and the SVR apparently have continued.
Tracking the Servers
In April, RiskIQ researchers discovered about a dozen command-and-control servers tied to the SolarWinds campaign and used to deliver second- and third-stage malware as part of those attacks.
The 35 or so active servers identified in the new RiskIQ report, however, were associated with the 2020 attacks on the COVID-19 research facilities and not the SolarWinds campaign.
"These are separate campaigns, using separate malware and infrastructure," Livelli says. "But we feel they are the work of the same threat actor."
Although RiskIQ has previously identified some of the infrastructure used by APT29 to target the COVID-19 research facilities in 2020, the company's analysts were tipped off by a Twitter post from an independent security researcher on June 11 that additional command-and-control servers associated with the campaign were still active and capable of delivering WellMess and WellMail malware, according to the new report.
From there, the RiskIQ researchers were able to match other IP addresses and Secure Sockets Layer certificates to the ones mentioned in the tweet, the report notes. The analysts then began identifying newly discovered IP addresses and SSL certificates associated with servers previously used with the APT29 campaign targeting COVID-19 research facilities.
Targeting Research Facilities
The RiskIQ team has "high confidence" that the approximately 35 servers it found are connected to the APT29 campaign against the research facilities, according to the report.
"We made that assessment based on patterns that we discerned were present in the infrastructure, which we and others previously associated with the group," Livelli says. "For example, the servers were configured to communicate with WellMess and WellMail malware, which the U.S., U.K., and Canadian governments have assessed to be custom malware used by APT29. The responses we got from HTTP servers, in combination with the use of SSL certificates, were another way in which we could establish patterns and associate our findings with known APT29 activity."
Many of the server's IP addresses were first spotted in the wild in January, although some have since gone offline, according to the report.
Step by Step
As part of the campaign against the COVID-19 research organizations, the APT29 attackers first attempted to take advantage of well-known vulnerabilities in several remote access tools, such as PulseSecure VPNs and Citrix products, to gain an initial foothold within a network, according to government alerts.
From there, the attackers would deploy other malware, such as WellMess, which allows a remote operator to establish encrypted command-and-control sessions and to pass and execute scripts on an infected system securely, according to an alert from the Cybersecurity and Infrastructure Security Agency. Once established, the malware could then target an organization's Active Directory servers to gain additional credentials and move further into the network.
The new RiskIQ report notes that Japan's Computer Emergency Response Team Coordination Center first detected WellMess in 2018, but those researchers did not immediately attribute the malware to APT29.