Details of 30 servers thought to be used by Russia's SVR spy agency (aka APT29) as part of its ongoing campaigns to steal Western intellectual property were made public today by RiskIQ.
Russia's Foreign Intelligence Service "is actively serving malware (WellMess, WellMail) previously used in espionage campaigns targeting COVID-19 research in the UK, US, and Canada," according to threat intel firm.
"Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup," said RiskIQ in its blog post. "We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples."
Previously the SVR was linked to the WellMess malware, seen being deployed against Western medical science institutions in early 2020 as nation states raced to develop effective vaccines against COVID-19.
In revealing these 30 servers' IP addresses and details of their SSL certificates, RiskIQ follows the lead of the US CISA infosec agency, which in April told the world exactly what the SVR was deploying and from where, along with offering avoidance advice. The company also highlighted Japan's CERT's uncovering of WellMess as a new malware strain targeting Windows and Linux back in 2018.
- Biden to Putin: Get your ransomware gangs under control and don’t you dare cyber-attack our infrastructure
- Somebody's Russian to meddle with UK coronavirus vaccine efforts, but GCHQ won't take it lying down
- Russian cyber-spies changed tactics after the UK and US outed their techniques – so here's a list of those changes
- Surprise surprise! Hostile states are hacking coronavirus vaccine research, warn UK and USA intelligence
Known to the infosec industry as APT29*, the SVR does not appear to have slowed down since the well-publicised Biden-Putin summit of June, where the American president nicely asked his Russian counterpart to tone it down a bit.
SVR operations against the West have been fairly brazen, with responses varying from quiet warnings through direct attribution to outright "they won't sodding well stop so we're telling you exactly what the naughty buggers have moved onto now" from a fed-up National Cyber Security Centre in the UK. Just for good measure, the GCHQ offshoot also briefed national newspapers in November that they were countering the SVR's continuing efforts to break into British research institutions, hinting they were deploying a form of encryption malware (think ransomware without the ransom) against the Russians. ®
*The SVR is also known as APT29, The Dukes, Cozy Bear, Yttrium, etc. etc. depending on which vendor's marketing team you're listening to that day. They're all the same crew.