It turns out that sometimes there’s more to a tweet than meets the eye. According to cybersecurity firm FireEye, hackers suspected of being connected to the Russian government are using Twitter to control the actions of their malware.
Cybersecurity experts have long known that hackers use social networking services to send commands to their malware. However, FireEye says this group, named APT 29, has set up a complex, nearly foolproof command-and-control system using Twitter, which makes it extremely difficult for victims to even confirm that they’ve been hacked.
More on Hammertoss malware
FireEye security specialists discovered the malware, called Hammertoss, on the network of a client a couple of months ago. FireEye recently published a report on the malware and notes that APT 29 uses a complex system involving tweets to communicate with Hammertoss to lower the chance of detection.
The malware uses an algorithm that creates a new Twitter handle every day. When the malware controllers want to communicate with Hammertoss, they set up the Twitter account with the handle that the rogue program is instructed to contact that day.
Twitter is effectively a command-and-control server for Hammertoss. Very few firms would block outbound connections to Twitter, and successful connections to Twitter are typically not even considered potentially malicious.
“When they see Twitter traffic, it’s less suspicious,” commented Steve Ledzian, systems engineering director for FireEye in Asia.
The APT 29 controllers give instructions to Hammertoss via a tweet. The innocuous-sounding tweet contains both a URL and a hashtag. The URL points to an image on another server that contains encrypted data hidden using steganography, which is a way to conceal data inside an image or other file. The hashtag provides the file size of the image and a few characters to be added to the decryption key already within Hammertoss to access the contents.
The instructions to Hammertoss installations were typically PowerShell commands, directions for storing stolen data in the cloud, and the execution of various files.
Also of note, the hackers don’t always register Twitter accounts for the handles created by Hammertoss. If the account created for that day isn’t active, the malware will just wait another day and check to see if the account using that day’s handle has been registered.
This obviously makes it difficult for defenders since it means they have to constantly monitor a number of Twitter accounts to keep up with Hammertoss.
Moreover, if anyone did notice the Twitter traffic and followed the link posted on Twitter, it would just look like an innocuous image a Twitter user might have posted of themselves or a friend. The hackers can also quickly delete the tweet that Hammertoss reads, which also complicates any investigation.
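Because the hashtag carries the size of the legitimate image, the hidden payload is effectively data that sits past the point where the image file format ends, so a defender's first check on a suspicious downloaded picture is simply whether anything follows the format's end marker. The following is an added example written for this article, not code from FireEye or from the Hammertoss report: it walks the chunk structure of a PNG (up to the IEND chunk) or the segment structure of a JPEG (up to the EOI marker) and reports any trailing bytes. The sample images are constructed inline and the function names are this example's own.

```python
"""Flag image files that carry data appended past the end of the image format."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past IEND's CRC, or None."""
    if not data.startswith(PNG_SIG):
        return None
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC
        if ctype == b"IEND":
            return off if off <= len(data) else None
    return None  # no IEND chunk: truncated or not a PNG


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments and return the offset just past EOI, or None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    off = 2
    while off + 2 <= len(data) and data[off] == 0xFF:
        marker = data[off + 1]
        if marker == 0xFF:          # fill byte, skip it
            off += 1
            continue
        if marker == 0xD9:          # EOI reached before any scan data
            return off + 2
        if marker == 0x01 or marker == 0xD8 or 0xD0 <= marker <= 0xD7:
            off += 2                # standalone markers carry no length field
            continue
        (seglen,) = struct.unpack(">H", data[off + 2:off + 4])
        if marker == 0xDA:
            # Start of Scan: entropy-coded data follows the segment header.
            # 0xFF inside scan data is byte-stuffed as FF 00, so the next
            # FF D9 after the header is the real EOI marker.
            eoi = data.find(b"\xff\xd9", off + 2 + seglen)
            return None if eoi < 0 else eoi + 2
        off += 2 + seglen
    return None


def trailing_data(data: bytes):
    """Return (format, bytes after the image ends), or (None, None) if unrecognised."""
    for fmt, finder in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = finder(data)
        if end is not None:
            return fmt, data[end:]
    return None, None


def scan_files(files):
    """Given {name: bytes}, return [(name, fmt, trailing_len)] for files with a tail."""
    findings = []
    for name, blob in files.items():
        fmt, tail = trailing_data(blob)
        if tail:
            findings.append((name, fmt, len(tail)))
    return findings


# --- constructed sample inputs (not real Hammertoss artefacts) ---
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_minimal_jpeg() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                         # note the FF 00 stuffing
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


SAMPLE_PNG = make_minimal_png()
SAMPLE_JPEG = make_minimal_jpeg()
SAMPLE_FILES = {
    "clean.png": SAMPLE_PNG,
    "clean.jpg": SAMPLE_JPEG,
    "suspect.png": SAMPLE_PNG + b"<constructed appended blob>",
    "suspect.jpg": SAMPLE_JPEG + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, fmt, n in scan_files(SAMPLE_FILES):
        print(f"{name}: {fmt} image followed by {n} extra bytes")
```

A tail by itself is not proof of anything (some tools leave harmless padding after the image), but a mismatch between where the format ends and where the file ends is cheap to compute at a proxy or in a sandbox and is exactly the signal a tweet-and-image channel like this one relies on nobody checking.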
Hammertoss likely connected to Russian government
The hacking group APT 29 is very likely based in Russia since it is typically active during normal working hours in Moscow. Furthermore, the group is always inactive during Russian holidays, Ledzian said. He also commented that APT 29 is one of the most stealthy hacking groups given how hard it works to cover its tracks and mask its actions by constantly modifying its tools and ongoing efforts at remediation of problems.
Ledzian pointed out APT 29 is nearly exclusively focused on hacking government-related organizations, and seems to be gathering up geopolitical information connected to Russia, meaning it is highly probable that the group works for or is a part of the Russian government.