A recently discovered Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage -- often pilfering information during a victim organization's work day.
Researchers from FireEye today outlined the aggressive and seemingly relentless cyber spying gang out of Russia with its so-called Hammertoss malware -- a group dubbed APT29 by the security firm. The attackers automatically rotate Twitter handles daily for sending commands to infected machines, and use images embedded with encrypted command information and then upload stolen information to cloud storage services, for example. They also recruit legitimate web servers that they infect as part of the command and control infrastructure.
"It's a very difficult malware tool to detect. They are leveraging best practices of malware development," says Jordan Berry, threat intelligence analyst for FireEye. "We've before observed some of these tactics alone with this and other groups; we've seen malware communicate with Twitter for command and control before. It's the unique combination" of legit services attempting to mask its hacking that makes APT29's operation stand out," he says.
"This is going to challenge our defense in the future," he says.
FireEye says APT29 is the same group behind Seaduke, malware that Symantec researchers recently highlighted in a blog post. But it's unclear if APT29 is the group behind MiniDuke, another Russian cyber espionage campaign targeting mostly Eastern European government agencies. The MiniDuke backdoor Trojan, also thought to be out of Russia, also uses Twitter for command and control and sending images with encrypted information, but FireEye's team says it can't say for sure that those two are related.
The Hammertoss backdoor malware looks for a different Twitter handle each day -- automatically prompted by a list generated by the tool -- to get its instructions. If the handle it's looking for is not registered that day, it merely returns the next day and checks for the Twitter handle designated for that day. If the account is active, Hammertoss searches for a tweet with a URL and hashtag, and then visits the URL.
That's where a legit-looking image is grabbed and then opened by Hammertoss: the image contains encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for obtaining files from the victim's network, typically then lead the malware to send that stolen information to a cloud-based storage service.
"The whole path of the network traffic gives nothing to conclude" that this is an attack, notes Laura Galante, director of threat intelligence for FireEye.
"We saw a downloaded image from Github with appended and encrypted information. [Once decrypted], it contains instructions for the malware: it can collect information about the victim's network and do reconnaissance, and it uploads that information to a cloud storage service," Berry says.
Watching The Watchers
APT29, which has been in action at least since late 2014, targets government agencies and organizations involved in foreign policy, defense contracting, and education, with a big focus on Russian and Ukrainian issues, according to FireEye, which published a report on Hammertoss today. But researchers there have not yet pinpointed its initial attack vector, although more than likely, it was via a phishing attack.
The attackers also watch the watchers: "They monitor the security team on what they knew about them" and then adjust their tactics to evade them, Berry says. "It's a very aggressive operation. They have significant resources and are regularly updating their malware.
"It's going to be difficult to detect even if you are aware of it," he says. Even identifying indicators of compromise is difficult since they use compromised, legit services, he says.
Symantec also has noted the confidence of the Hammertoss/Seaduke spy team. The developers appeared to flex their muscles a bit when they named one of the malware's functions "forkmeiamfamous," according to Symantec's Security Response team. "Its attacks have been so bold and aggressive, that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap," the team wrote in a blog post this month.
Now that the cat's out of the bag bout APT29's latest activity, the attackers likely will change up their tactics again. "Will they still use Hammertoss?" Galante says.