Russia’s SVR WellMess Malware Is Seemingly Still in the Game
New Report Revealed Three Dozen Additional Command and Control Servers Being Active and Identified as Related to APT29, Despite U.S. President’s Warning on Russian Cyberattacks.
In July 2020, a joint advisory was published that revealed a Russian espionage campaign attributed to APT29, also known as Cozy Bear, which is considered an arm of the SVR (Russia’s Foreign Intelligence Service). Its target at the time was the theft of COVID-19 vaccine research, using malware tagged as “WellMess” or “WellMail”.
Then the U.S. administration accused Russian hackers of being behind the SolarWinds attack, and on 15th April 2021 the “Russian SVR Targets U.S. and Allied Networks” advisory was released, detailing the cyber-espionage methods the hackers used against the United States; at the same time the FBI advised companies to apply patches for 5 vulnerabilities the SVR was exploiting back then. President Joe Biden told Russia to put a stop to cyberattacks coming from its territory, but despite his warnings the SVR seems to be carrying on with its activity using the old WellMess malware.
A security report published on Friday by RiskIQ identified more than a dozen command-and-control servers in addition to those reported back in 2020. It seems that the SVR’s APT29 is actively continuing its work through this hacking infrastructure. According to the data in the report, the command and control servers are controlled by APT29 and serve the WellMess malware. However, RiskIQ analysts have not yet determined how the hackers are using WellMess this time or what the goal is (in the past it was used to steal COVID-19 research).
Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.
In a recent press conference, U.S. President Joe Biden said that he had asked Russian President Vladimir Putin at the U.S.-Russian summit meeting to take measures against cyberattacks coming from Russia. However, Cozy Bear has not yet been publicly accused of responsibility for any recently reported cybercrime. The RiskIQ report emerged following this meeting, when Team Atlas researchers started analyzing the activity of the SVR’s APT29 group.
The U.S. President also had a phone call with Vladimir Putin at the beginning of July, following recent cyberattacks such as the one affecting Kaseya, as Cyberscoop reports, in which he asked the Russian president to cut off ransomware organizations.
I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is.