Researchers on Friday disclosed newly discovered Command-and-Control (C2) infrastructure linked to the Russian threat actor APT29, aka Cozy Bear; the servers have been observed serving WellMess malware as part of an ongoing attack campaign.
The activity is tracked by the cybersecurity community under a variety of codenames, including UNC2452 (FireEye), Nobelium (Microsoft), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks). The vendors assigned separate names because they observed differences between this adversary’s Tactics, Techniques, and Procedures (TTPs) and those of known attacker profiles such as APT29, so the overlap should be treated as a clustering judgement rather than a settled attribution.
WellMess, and the related but distinct WellMail family, are two malware strains attributed to the same actor. WellMess was first identified by Japan’s JPCERT/CC in 2018, and both families have previously been used in espionage campaigns by the threat actor to steal intellectual property from multiple organisations involved in COVID-19 research and vaccine development in the United Kingdom, the United States, and Canada.
