Russian Hackers Use Twitter To Hack U.S. Targets
The hacking group is what is known as an advanced persistent threat, and has been classified as APT29. Using a variety of techniques, including creating an algorithm that generates daily Twitter handles and embedding pictures with commands, APT29 has created a particularly effective piece of stealthy malware that FireEye has dubbed Hammertoss.
Novel Approach
APT29 tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users, according to the security firm. Hammertoss uses Twitter, GitHub, and cloud storage services to relay commands and extract data from compromised networks. That combination of tactics makes the hacker group particularly difficult to stop.
“The novel approach APT29 takes to carry out its attacks and maintain their persistence in networks represents a level of difficulty that security professionals could see trickle down into their own network security operations,” said Laura Galante, director, threat intelligence at FireEye.
FireEye said it first saw evidence of APT29 last year, with the Hammertoss malware appearing earlier this year. The group has demonstrated the ability to adapt to, and obfuscate its activities from, network defense measures — including aggressively monitoring network defenders and/or forensic investigators and attempting to subvert them. The group’s discipline in operational security sets it apart even from other Russian APT groups, FireEye said.
Moscow’s Fingerprints
Hammertoss works by retrieving commands via Twitter for command and control (CnC) functions. Once a system has been infected with Hammertoss, the malware is programmed to visit a different Twitter handle every day to look for instructions. APT29 further hides its activities by encoding its instructions to Hammertoss in what appear to be regular images, a cryptography technique known as steganography.
Not only that, the group monitors attempts by target networks to defend themselves or remove the malware from their systems. APT29 analyzes and adapts to every new measure used to block it. Likewise, the group appears to almost solely use compromised servers for CnC to enhance the security of its operations and maintains a rapid development cycle for its malware by quickly modifying tools to undermine detection. FireEye said these practices make APT29 one of the most capable threats that it tracks.
The security firm said that it believes APT29 is sponsored by the Russian government because of the organizations it has targeted and the data it steals. Additionally, APT29 appeared to cease operations on Russian holidays, and the group’s work hours seem to align with the UTC +3 time zone, which encompasses cities such as Moscow and St. Petersburg.
This entry passed through the Full-Text RSS service – if this is your content and you’re reading it on someone else’s site, please read the FAQ at fivefilters.org/content-only/faq.php#publishers.
