Hackers used Twitter to target US systems
Security firm FireEye has uncovered a piece of malware that may be much harder than usual to detect.
The hackers are effectively using Twitter as a command-and-control server.
“When they see Twitter traffic, it’s less suspicious”, commented Steve Ledzian, systems engineering director for FireEye in Asia. The tweet the malware reads contains a URL and a hashtag. FireEye says APT29 was using these innovative techniques to infiltrate government organisations and target geopolitical information related to the Russian Federation, which points to a link to the Kremlin.
The additional measure of encrypting the message within the image serves a double objective to both hide the message in the image in case it is intercepted, as well as to assist in bypassing any steganography detection tools an organization may have in place, according to Westin.
The URL directs the malware to a webpage containing an image, and the hashtag offers a number that represents a location within the image file and characters for appending to an encryption key in order to decrypt instructions embedded in the image.
As for prevention, Weedon stressed consistent internal monitoring rather than a sole focus on preventing attacks, since networks affected by HAMMERTOSS were often already compromised.
FireEye studied some of the instructions for Hammertoss installations, which comprised encoded PowerShell commands, directions for storing stolen content on cloud services, and commands to execute other files. The handles are disguised as Twitter links. The attackers could also quickly delete the tweet that Hammertoss reads, which would make the attack trickier to investigate.
APT29 is suspected of being based in the Russian Federation, since it appears to be active during normal working hours in Moscow.
“While other APT groups try to cover their tracks, very few groups show the same discipline to thwart investigators and the ability to adapt to network defenders’ countermeasures”, FireEye said.
“This makes Hammertoss a powerful backdoor at the disposal of one of the most capable threat groups we have observed”.
The threat, exposed over the course of a FireEye investigation at an anonymous victim organisation, shows how government-backed hackers can change approach on the fly once they are found out.