11:00 AM
Connect Directly

Can't Touch This: 'Hammertoss' Russian Cyberspies Hide In Plain Sight

APT29 cyber espionage attackers operate under the cover of legitimate services including Twitter, Github, and cloud storage services.

A recently discovered Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage -- often pilfering information during a victim organization's work day.

Researchers from FireEye today outlined the aggressive and seemingly relentless cyber spying gang out of Russia with its so-called Hammertoss malware -- a group dubbed APT29 by the security firm. The attackers automatically rotate Twitter handles daily for sending commands to infected machines, and use images embedded with encrypted command information and then upload stolen information to cloud storage services, for example. They also recruit legitimate web servers that they infect as part of the command and control infrastructure.

"It's a very difficult malware tool to detect. They are leveraging best practices of malware development," says Jordan Berry, threat intelligence analyst for FireEye. "We've before observed some of these tactics alone with this and other groups; we've seen malware communicate with Twitter for command and control before. It's the unique combination" of legit services attempting to mask its hacking that makes APT29's operation stand out," he says.

"This is going to challenge our defense in the future," he says.

FireEye says APT29 is the same group behind Seaduke, malware that Symantec researchers recently highlighted in a blog post. But it's unclear if APT29 is the group behind MiniDuke, another Russian cyber espionage campaign targeting mostly Eastern European government agencies. The MiniDuke backdoor Trojan, also thought to be out of Russia, also uses Twitter for command and control and sending images with encrypted information, but FireEye's team says it can't say for sure that those two are related.

The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.

That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.

"The whole path of the network traffic gives nothing to conclude" that this is an attack, notes Laura Galante, director of threat intelligence for FireEye.

"We saw a downloaded image from Github with appended and encrypted information. [Once decrypted], it contains instructions for the malware: it can collect information about the victim's network and do reconnaissance, and it uploads that information to a cloud storage service," Berry says.

Watching The Watchers

APT29, which has been in action at least since late 2014, targets government agencies and organizations involved in foreign policy, defense contracting, and education, with a big focus on Russian and Ukrainian issues, according to FireEye, which published a report on Hammertoss today. But researchers there have not yet pinpointed its initial attack vector, although more than likely, it was via a phishing attack.

The attackers also watch the watchers: "They monitor the security team on what they knew about them" and then adjust their tactics to evade them, Berry says. "It's a very aggressive operation. They have significant resources and are regularly updating their malware.

"It's going to be difficult to detect even if you are aware of it," he says. Even identifying indicators of compromise is difficult since they use compromised, legit services, he says.

Symantec also has noted the confidence of the Hammertoss/Seaduke spy team. The developers appeared to flex their muscles a bit when they named one of the malware's functions "forkmeiamfamous," according to Symantec's Security Response team. "Its attacks have been so bold and aggressive, that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap," the team wrote in a blog post this month.

Now that the cat's out of the bag bout APT29's latest activity, the attackers likely will change up their tactics again. "Will they still use Hammertoss?" Galante says.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Egbert O'Foo
Egbert O'Foo,
User Rank: Apprentice
8/20/2015 | 9:50:12 AM
Re: Brilliant
Egress filtering and monitoring might be of some help: if your systems aren't *supposed* to be going to Twitter & Github, why are they requesting URI's from them?

I'm kind of surprised how many enterprises simply allow outbound traffic to go where it wills, although operating margins often mean that not enough resources can be devoted to servicing such a paradigm, and user behavior in some offices these days often includes a mix of work and personal activity, as you're probably aware.
User Rank: Ninja
7/30/2015 | 12:51:46 PM
Re: Brilliant
A more stringent vetting process for twitter would result in less of an ease of acquisition in terms of accounts for genuine users. Question is, if they are using twitter as the inbetween between attacker and victim does this make twitter in some way liable?
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/30/2015 | 11:21:50 AM
Re: Brilliant
FireEye has provided a malware IoC for companies to look for. What I keep thinking is, why can't Twitter monitor some of this account abuse? That's only one piece of the CnC, but the fact that they can abuse it so freely seems silly.
User Rank: Ninja
7/30/2015 | 10:24:29 AM
Pretty impressive on their end. What are some security guidelines to follow to make their malware attempt less effective?
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/15/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.