Evidence Indicates Russia’s SVR is Still Using ‘WellMess’ Malware, Despite US Warnings

APT29 Malware RiskIQ Russia USA


President Joe Biden’s appeal for Vladimir Putin to crack down on cyberattacks emanating from within Russia appears to have failed to persuade the Kremlin to give it up. 
In a report published Friday, RiskIQ stated it discovered ongoing hacking infrastructure that Western governments associated last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it utilized to obtain Covid-19 research data.
The malware, also known as WellMess or WellMail, led to official warnings in the United States, the United Kingdom, and Canada in July 2020. In April, the FBI urged companies to fix five known vulnerabilities that the SVR had exploited, according to US officials. 
RiskIQ detected three dozen command and control servers supplying WellMess which were under APT29 control, as per the firm. Following a US-Russia summit at which cyberattacks were discussed, the focus was on infrastructure. 
“The behaviour found was noteworthy considering the circumstances in which it emerged, following on the heels of President Biden’s public condemnation of Russian hacking at a recent summit with President Putin,” stated RiskIQ’s Team Atlas. 
Cozy Bear has not been openly accused of being involved in any recent ransomware operations, which were the focus of the White House’s discussions with Russia. The organization has set itself apart by executing cyber-espionage against targets like the federal contractor SolarWinds and the Democratic National Committee. 
RiskIQ is perplexed as to how Russian agents are now utilizing the WellMess malware. The company stated, “Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are.” 
Biden has been urging Putin both personally and in public statements, to stop malicious cyber activities originating from Russia, notably ransomware assaults are believed to be conducted by criminal groups.
A phone call between the two men came after a series of high-profile ransomware attacks with suspected Russian roots, the most recent of which has affected hundreds of people as a result of an incident at the software company Kaseya. 
“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden stated reporters about the call. 
In a speech last week, Biden told intelligence officials that if the US finds itself in a “shooting war” with a significant foreign power, it will probably come in response to a cyber attack.

Source: E Hacking news