Backed hackers used Twitter to breach US government systems
The malware starts by scouring Twitter streams for specific messages posted by the hackers; these give it its instructions, after which it looks on GitHub for an image that includes code to perform the next stage of its attack. APT29 analyzes and adapts to every new measure used to block it. Likewise, the group appears to use almost exclusively compromised servers for command and control (CnC) to enhance the security of its operations, and it maintains a rapid development cycle for its malware, quickly modifying tools to undermine detection.
FireEye security specialists discovered the malware, called Hammertoss, on the network of a client a couple of months ago. The malware’s design relies on spurious Twitter accounts that Tweet a certain URL and hashtag giving the size and location of the image. The account handle is chosen through a specified algorithm, and because the perpetrators know these rules, they can post to the accounts. If a human were to look at a Hammertoss Tweet, all they would see is a simple hyperlink, a meaningless hashtag, and perhaps a basic image with no immediately discernible features.
FireEye studied some of the instructions for Hammertoss installations, which consisted of encoded PowerShell commands, directions for storing stolen content on cloud services, and instructions for executing other files. If the day’s account isn’t registered, Hammertoss waits another day and checks for a different one.
While the individual techniques used by Hammertoss aren’t new, the report describes how combining them enables cyber criminals to effectively attack target networks.
This obviously makes it hard for defenders since it means they have to constantly monitor a number of Twitter accounts to keep up with Hammertoss. The outfit is careful to stay under the radar as well, only remaining active during work hours for whatever enterprise it infects, making its traffic even less noticeable.
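As an added example that is not part of this article or of FireEye's report, the Python script below turns the behaviour described above into a detection heuristic run over constructed proxy log lines: it flags a host that, on several distinct days and during working hours, requests a previously unseen Twitter profile and then fetches content from GitHub within a short window. The IP addresses, handles, repository paths and thresholds are invented placeholders, not indicators from the report.

```python
"""Detection heuristic for a Hammertoss-style Twitter-then-GitHub beacon.

Added example; not code from the article or from FireEye. The proxy log
lines, hosts, handles and GitHub paths below are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client_ip> <method> <url>".
# 10.0.5.21 shows the beacon pattern; 10.0.5.44 is ordinary browsing.
SAMPLE_PROXY_LOG = """\
2015-07-06T09:14:02 10.0.5.21 GET https://twitter.com/abcx3k7q
2015-07-06T09:14:05 10.0.5.21 GET https://github.com/example-user/repo/raw/main/photo.jpg
2015-07-07T10:02:11 10.0.5.21 GET https://twitter.com/q9m2abcd
2015-07-07T10:02:14 10.0.5.21 GET https://github.com/example-user/repo/raw/main/photo2.jpg
2015-07-08T09:47:30 10.0.5.21 GET https://twitter.com/zz81kqpl
2015-07-08T09:47:33 10.0.5.21 GET https://github.com/example-user/repo/raw/main/photo3.jpg
2015-07-06T12:30:00 10.0.5.44 GET https://twitter.com/nytimes
2015-07-07T12:31:00 10.0.5.44 GET https://twitter.com/nytimes
2015-07-08T12:32:00 10.0.5.44 GET https://github.com/python/cpython
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# A bare profile page: twitter.com/<handle>, handle up to 15 chars.
TWITTER_PROFILE_RE = re.compile(r"^https://twitter\.com/([A-Za-z0-9_]{1,15})/?$")
GITHUB_RE = re.compile(r"^https://github\.com/")


def parse_log(text):
    """Parse log lines into (timestamp, client_ip, url) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing
        ts, ip, _method, url = m.groups()
        events.append((datetime.fromisoformat(ts), ip, url))
    return events


def find_beacon_hosts(events, min_days=3, follow_window_s=60, work_hours=(8, 18)):
    """Return {client_ip: [(date, handle), ...]} for hosts matching the pattern.

    A hit is a request for a Twitter profile handle the host has not
    requested before, made during work hours and followed within
    `follow_window_s` seconds by a GitHub fetch. A host is reported when
    it has hits on at least `min_days` distinct days. Thresholds are
    assumptions a defender would tune to their own environment.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    suspects = {}
    for ip, evs in by_ip.items():
        seen_handles = set()
        hits = []
        for i, (ts, _ip, url) in enumerate(evs):
            m = TWITTER_PROFILE_RE.match(url)
            if not m:
                continue
            handle = m.group(1).lower()
            if handle in seen_handles:
                continue  # repeat visits to one profile look like normal browsing
            seen_handles.add(handle)
            if not (work_hours[0] <= ts.hour < work_hours[1]):
                continue
            followed_by_github = any(
                GITHUB_RE.match(u2) and 0 <= (t2 - ts).total_seconds() <= follow_window_s
                for t2, _, u2 in evs[i + 1:]
            )
            if followed_by_github:
                hits.append((ts.date(), handle))
        if len({day for day, _ in hits}) >= min_days:
            suspects[ip] = hits
    return suspects


if __name__ == "__main__":
    for ip, hits in find_beacon_hosts(parse_log(SAMPLE_PROXY_LOG)).items():
        print(ip, "->", ", ".join(f"{d}:{h}" for d, h in hits))
```

The heuristic keys on the combination the article describes (a fresh handle each day, work-hours-only activity, a follow-on GitHub fetch) rather than on any single request, because each request on its own is indistinguishable from normal browsing; on real proxy data the window and day thresholds need tuning, and hits should be triaged against the handle's creation date and the fetched image.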
“It’s a lot easier to hide in the noise”, Ledzian said.
In just a year, a Russian Advanced Persistent Threat (APT) group has come to exemplify the future of cyber threats. “These groups are innovating and becoming more creative”.
Ledzian pointed out that APT29 is almost exclusively focused on hacking government-related organizations and seems to be gathering geopolitical information connected to Russia, meaning it is highly probable that the group works for, or is a part of, the Russian government.