Evidence suggests Russia’s SVR is still using ‘WellMess’ malware, despite US warnings

It's less clear what APT29 might be doing with the hacking tool, after allegedly using it last summer to try to steal COVID-19 research.
A general view of the Russian Foreign Intelligence Service (SVR) headquarters outside Moscow taken on June 29, 2010. (Alexey SAZONOV/AFP via Getty Images)

President Joe Biden urging Vladimir Putin to crack down on cyberattacks coming from within Russian borders doesn’t seem to have convinced the Kremlin to give it up just yet.

RiskIQ said in a report Friday that it uncovered active hacking infrastructure that Western governments attributed last summer to the Russian SVR intelligence agency-linked APT29 or Cozy Bear, which it used at the time to try to steal COVID-19 research.

Known as WellMess or WellMail, the malware warranted government alerts in July of 2020 from the U.S., U.K. and Canada. In April, the FBI urged organizations to patch five known vulnerabilities that U.S. officials said were the subject of exploitation by the SVR.

RiskIQ identified three dozen command and control servers serving WellMess that the company said were under APT29 control. It focused on the infrastructure after a U.S.-Russia summit where cyberattacks came up.


“The activity uncovered was notable given the context in which it appeared, coming on the heels of a public reproach of Russian hacking by President Biden in a recent summit with President Putin,” RiskIQ’s Team Atlas said.

Cozy Bear is not publicly accused of taking part in any recent ransomware attacks, which were the subject of the White House’s dialogue with the Russian government. The group has differentiated itself by conducting cyber-espionage against targets such as the federal contractor SolarWinds and the Democratic National Committee.

How the Russian spies are now using the WellMess malware remains a mystery to RiskIQ.

“Readers should note that much of this infrastructure is still in active use by APT29, though we do not have enough information to say how it is being used or who the targets are,” the company said.

Biden has been pressuring Putin, both directly and in public remarks, to curtail malicious cyber activity originating in Russia, particularly ransomware attacks thought to be carried out by criminal organizations. A call between the two men followed a string of high-profile ransomware attacks with alleged Russian origins, most recently on hundreds of victims stemming from an incident at the software firm Kaseya.


“I made it very clear to him that the United States expects, when a ransomware operation is coming from his soil even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden told reporters about the call.

More recently, Biden told intelligence personnel in a speech this week that if the U.S. ends up in a “shooting war” with a major foreign power, it will most likely come in response to a cyber breach.
