Russian hackers use Twitter to cover their tracks

30 Jul 2015

FireEye Releases Intelligence Report Highlighting the Clever Tactics of a Likely Kremlin-Backed Threat Actor.

Russian hackers have figured out a way to use Twitter to communicate with malware that’s infected target computers, allowing them to cover their tracks while making their way into confidential government computer systems. Russian government-backed hackers who penetrated high-profile U.S. government and defense industry computers this year used a method combining Twitter with data hidden in seemingly benign photographs, according to experts studying the campaign.

FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today released a new Threat Intelligence report titled “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.” The report analyzes the functionality and obfuscation tactics of an advanced piece of malware employed by the likely Russian government-backed Advanced Persistent Threat (APT) group APT29. The hackers upload special images to the social media site that stealthily transmit directions to installed malware, which can then steal files or carry out other unwanted actions, reported the Financial Times. In a public report Wednesday, researchers at security company FireEye Inc said the group used the unusual tandem as a means of communicating with previously infected computers.

Operating in its current form since at least 2014, APT29 has demonstrated very strong capabilities to adapt to, and obfuscate its activities from, network defense measures, including aggressively monitoring network defenders and forensic investigators and attempting to subvert them. Its discipline in operational security sets it apart even from other Russian APT groups FireEye tracks. “The novel approach APT29 takes to carry out its attacks and maintain their persistence in networks represents a level of difficulty that security professionals could see trickle down into their own network security operations,” said Laura Galante, director, threat intelligence at FireEye. “As we continue to track APT29, we will be able to bring more intelligence to light that will help our customers improve their defenses against advanced attacks.” APT29’s HAMMERTOSS combines multiple malware tactics in order to achieve its unique obfuscation goals.

The technique, uncovered during a FireEye investigation at an unnamed victim organization, shows how government-backed hackers can shift tactics on the fly after they are discovered. “It’s striking how many layers of obfuscation that the group adopts,” said FireEye Strategic Analysis Manager Jennifer Weedon. “These groups are innovating and becoming more creative.” The machines were given an algorithm for checking a different Twitter account every day. HAMMERTOSS follows a step-by-step retrieval of commands via common web services that would typically evade initial detection, including:

The full report, including examples of APT29’s attack lifecycle using HAMMERTOSS, can be accessed at

The cybersecurity firm FireEye released a report on the trick and labeled it “Hammertoss.” The attack method was “designed so that defenders can neither detect nor characterize its activity,” wrote FireEye, which says there’s a “high” chance that Russian hackers are behind Hammertoss. “The weaponization of social media is a growing threat,” Stuart Poole-Robb, chief executive of the business intelligence group KCS, told the FT. “It’s an easy way of passing information to malware that’s hard to detect.”

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. The computer would go to the website and look for a photo of at least the size indicated by the number, while the letters were part of a key for decoding the instructions in a message hidden within the data used to display the picture on the website.
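The retrieval chain described above (a daily visit to a freshly generated Twitter handle, followed shortly by an image download from another site) is the kind of sequence a defender can hunt for in web proxy logs. The following is an added example, not code from the FireEye report or the article's sources: it correlates, per client, Twitter profile fetches with an image fetch from a different host inside a short window and flags clients that repeat the pattern on several distinct days. The log format and all log lines are constructed for the example, and it assumes the proxy records full URLs (for instance via TLS inspection).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log: "<iso-timestamp> <client> <method> <url> <status> <bytes>".
# These lines are made up for the example; they are not from the FireEye report.
SAMPLE_LOG = """\
2015-07-20T09:01:12 10.0.0.5 GET https://twitter.com/abc123xyz 200 41233
2015-07-20T09:01:30 10.0.0.5 GET https://img.example.net/photos/summer.jpg 200 812000
2015-07-20T09:30:00 10.0.0.7 GET https://twitter.com/home 200 51000
2015-07-21T09:02:05 10.0.0.5 GET https://twitter.com/def456uvw 200 40876
2015-07-21T09:02:22 10.0.0.5 GET https://img.example.net/photos/winter.jpg 200 790000
2015-07-21T14:10:00 10.0.0.7 GET https://img.example.net/logo.png 200 3000
2015-07-22T09:00:48 10.0.0.5 GET https://twitter.com/ghi789rst 200 40002
2015-07-22T09:01:01 10.0.0.5 GET https://img.example.net/photos/autumn.jpg 200 805000
"""

IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif)$", re.IGNORECASE)


def parse_log(text):
    """Yield (timestamp, client, netloc, path) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, _size = line.split()
        parsed = urlparse(url)
        yield datetime.fromisoformat(ts), client, parsed.netloc.lower(), parsed.path


def find_twitter_image_chains(text, window=timedelta(minutes=2), min_days=3):
    """Return {client: [(date, twitter_path, image_url), ...]} for clients that, on at
    least `min_days` distinct days, fetched a twitter.com page and then an image from
    another host within `window`. The daily repetition is what makes it stand out."""
    chains = defaultdict(list)
    last_twitter = {}  # client -> (timestamp, path) of its most recent twitter.com fetch
    for ts, client, host, path in sorted(parse_log(text)):
        if host == "twitter.com" or host.endswith(".twitter.com"):
            last_twitter[client] = (ts, path)
        elif IMAGE_EXT.search(path) and client in last_twitter:
            t_ts, t_path = last_twitter[client]
            if ts - t_ts <= window:
                chains[client].append((ts.date(), t_path, host + path))
    return {c: hits for c, hits in chains.items()
            if len({d for d, _, _ in hits}) >= min_days}


if __name__ == "__main__":
    for client, hits in find_twitter_image_chains(SAMPLE_LOG).items():
        print(client, "matched on", len(hits), "days:", [h[2] for h in hits])
```

On the sample log only 10.0.0.5 is flagged: 10.0.0.7 also visits Twitter and later fetches an image, but hours apart and on one day only, so a single coincidental pairing does not trip the rule.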

These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle.

Vikram Thakur, a senior manager at Symantec Corp, said his team had also found Twitter controls combined with hidden data in photos, a technique known as steganography. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. In April, it said another Russian-government supported group, APT28, had used previously unknown flaws in Adobe Systems Inc.’s Flash software to infect high-value targets.

Thakur said another tool in that kit is CozyDuke, which Russian firm Kaspersky Lab says is associated with recent breaches at the State Department and the White House.
