Security researchers say they have uncovered an ongoing hacking campaign carried out by suspected Russian spies who are continuing to stage attacks amid U.S. pressure on the Kremlin to curtail its alleged cyber-intrusions.
The California-based cybersecurity firm RiskIQ Inc. said in a report released on Friday that it had uncovered more than 30 command and control servers, the infrastructure attackers use to send orders to compromised networks or receive stolen data, associated with the state-sponsored hacking group known as APT29 or Cozy Bear. The group is using the servers to deploy malicious software named WellMess, according to RiskIQ. APT stands for “advanced persistent threat,” a term often used to describe state-sponsored hacking groups.
In July last year, government agencies from the U.S., U.K., and Canada said that APT29 was “almost certainly” part of the Russian intelligence services and accused it of hacking organizations involved in Covid-19 vaccine development and stealing intellectual property. The same group was also allegedly involved in the 2016 hack of the Democratic National Committee and the breach of SolarWinds Corp., which was disclosed last year, according to U.S. officials.
The Russian embassy in Washington referred to an earlier statement, in which it urged journalists to stop “sweeping accusations” and said it was confident that discussions with the U.S. related to cyberspace would “improve the security of the information infrastructure of our countries.”
A White House representative declined to comment. President Joe Biden warned Russian President Vladimir Putin about continuing hacks during a June 16 summit that came after several high-profile ransomware attacks by Russia-linked criminal hacking groups, including one targeting Colonial Pipeline Co. that upended fuel supplies along the East Coast. U.S. pressure on Russia has mostly focused on stopping ransomware attacks, as opposed to hacking tied to espionage.
Biden said after the summit that Putin understands the U.S. would respond if Russia again interferes in American elections.
RiskIQ said in its report that the servers it detected remained active and were still deploying malware. But the researchers said they didn’t have enough information to determine who the targets were or how the malware was being delivered. The security firm said its finding of APT29’s continued activity was particularly notable in light of ongoing U.S. pressure on Russia over its alleged hacking activities.
“Often when an APT group receives a lot of public attention, either in security research or politically, it goes to ground for a bit until the heat is off,” said Kevin Livelli, director of threat intelligence at RiskIQ. “Our findings show that APT29 is back to business as usual, despite widespread exposure in the SolarWinds episode, and a high-level summit where President Biden leaned on President Putin to be less aggressive in cyberspace.
“In fact, APT29 is using the same malware they used to steal Covid-19 research a year ago, despite the fact that the U.S., U.K., and Canadian governments called them out on it,” he said. “They haven’t missed a beat.”
During the June 16 summit in Geneva, Biden said he provided the Russian leader with a list of 16 sectors, including energy and water services, which he said should be off-limits to hackers. “I talked about the proposition that certain critical infrastructure should be off-limits to attack, period, by cyber or any other means,” Biden said. In a phone call earlier this month, Biden said he urged Putin to act against hackers in his country blamed for recent ransomware attacks.