Cybersecurity researchers on Friday unmasked new command-and-control (C2) infrastructure belonging to the Russian threat actor tracked as APT29, aka Cozy Bear, that has been spotted actively serving WellMess malware as part of an ongoing attack campaign.
More than 30 C2 servers operated by the Russian foreign intelligence service have been uncovered, Microsoft-owned cybersecurity subsidiary RiskIQ said in a report shared with The Hacker News.
APT29, the moniker assigned to government operatives working for Russia’s Foreign Intelligence Service (SVR), is believed to have been the mastermind behind the massive SolarWinds supply chain attack that came to light late last year, with the U.K. and U.S. governments formally pinning the intrusions on Russia earlier this April.
The activity is tracked by the cybersecurity community under various codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks), with each vendor citing differences between the tactics, techniques, and procedures (TTPs) employed by the adversary and those of known attacker profiles, including APT29.
First identified by Japan’s