Security firm RiskIQ has published a list of more than thirty IP addresses of Russian malware servers that are linked to the hacker collective APT29 and the Russian government. According to the company, the servers are currently still in active use.
The ball started rolling, according to RiskIQ, after a potential WellMess malware server was mentioned on Twitter early last month. The IP address and SSL certificate were shared on Twitter, whereupon RiskIQ began analyzing them. The company searched for and found more than thirty similar, active IP addresses with similar SSL certificates and was able to link them 'with a lot of certainty' to the server infrastructure that APT29 uses. According to RiskIQ, the servers are still actively used by APT29. The security company cannot say which parties are being targeted by APT29.
APT29, also known as The Dukes or Cozy Bear, is a Russian hacker collective that last year used malware to attack scientists in the United Kingdom, the United States and Canada who were researching a coronavirus vaccine. According to the security services of the US, UK and Canada, the hackers 'probably' intended to steal information about the development of the vaccine. These security services say that APT29 is 'almost certainly' part of the Russian intelligence services.