Russian Hackers Taking Cyberwarfare to a New Level

What’s going on?

Techniques applied

• Publicly available exploits are most commonly used by the actors to carry out widespread scanning and exploitation against vulnerable systems.
• The group may also contain stolen credentials to gain access to systems.
• For stealing COVID-19 vaccine research and development, the attackers conducted basic vulnerability scanning against certain external IP addresses owned by the targeted organizations.
• Spear-phishing attacks are also used to gain authentication credentials to internet-accessible login pages for target organizations.

Custom malware

• After gaining access to the network, the Cozy Bear group deploys custom malware known as WellMail or WellMess to conduct further operations on the victim’s system. 
• WellMail is written in Golang to run arbitrary shell commands on Linux and Windows. 
• It is a lightweight tool that runs scripts or commands with the results being conveyed to a hardcoded C2 server.
• The IOCs can be found here.

The bottom line

• APT29 is one of the highest-profile and most successful hacking groups backed by the Russian government. Experts indicate that the threat actor is likely to continue targeting organizations associated with COVID-19 vaccine research. Hackers associated with this group are after confidential information but do not release them publicly.
• It is recommended that organizations take proactive security measures to protect their research.