A year ago, in the middle of the global pandemic, the United Kingdom, the USA, and Canada released a coordinated advisory revealing a Russian espionage campaign targeting COVID-19 vaccine research efforts in their respective countries.
They attributed the operation to Russia's APT29 (also tracked as The Dukes, Yttrium, and Cozy Bear) and explicitly designated the group as a branch of Russia's Foreign Intelligence Service (SVR). For the first time, they officially linked the malware used in the campaign, WellMess and WellMail, to APT29.
RiskIQ has published full details of the 30 servers that Russia's SVR spy agency (aka APT29) is believed to be using in its continued attempts to steal Western intellectual property.
RiskIQ is a leading provider of Internet security intelligence, offering identification, intelligence, and mitigation of threats linked to a company's web presence. RiskIQ gives businesses unified insight into and control over their web, social, and mobile exposures, noting that over 75% of threats originate outside the firewall.
In 2018, Japan's CERT identified WellMess without describing its targeting or attributing it to a particular threat actor. Following the 2020 report by the Western governments, RiskIQ's Team Atlas expanded the campaign's known attacker footprint and identified more than a dozen additional command-and-control servers.
RiskIQ's Team Atlas has now found yet more infrastructure actively serving WellMess/WellMail. Just a month earlier, the US and Russian heads of state held a summit at which hostile Russian cyber activity topped the list of President Biden's key concerns.
"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in a blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples."
SVR's campaigns against the West have been met with a somewhat awkward range of responses, from quiet alerts to explicit attribution — "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now" from a fed-up National Cyber Security Centre in the United Kingdom.
In November, the GCHQ arm also told national newspapers that the SVR's attempts to break into British research institutions had been countered, hinting that it had deployed some form of encryption software (in effect, ransomware without a ransom demand) against Russia.