
7/29/2015
11:00 AM

Can't Touch This: 'Hammertoss' Russian Cyberspies Hide In Plain Sight

APT29 cyber espionage attackers operate under the cover of legitimate services including Twitter, Github, and cloud storage services.

A recently discovered Russian cyber espionage operation camouflages its nefarious activity by employing a combination of legitimate services such as Twitter, Github, and cloud storage -- often pilfering information during a victim organization's work day.

Researchers from FireEye today outlined the aggressive and seemingly relentless cyber spying gang out of Russia and its so-called Hammertoss malware; the firm has dubbed the group APT29. The malware rotates Twitter handles daily to receive commands, pulls its instructions from images that carry encrypted command data, and uploads stolen data to cloud storage services. The group also folds compromised legitimate web servers into its command-and-control infrastructure.

"It's a very difficult malware tool to detect. They are leveraging best practices of malware development," says Jordan Berry, threat intelligence analyst for FireEye. "We've before observed some of these tactics alone with this and other groups; we've seen malware communicate with Twitter for command and control before. It's the unique combination" of legit services attempting to mask its hacking that makes APT29's operation stand out," he says.

"This is going to challenge our defense in the future," he says.

FireEye says APT29 is the same group behind Seaduke, malware that Symantec researchers recently highlighted in a blog post. But it's unclear whether APT29 is also behind MiniDuke, another Russian cyber espionage campaign targeting mostly Eastern European government agencies. The MiniDuke backdoor Trojan, likewise thought to originate in Russia, also uses Twitter for command and control and images carrying encrypted data, but FireEye's team says it cannot confirm that the two are related.

The Hammertoss backdoor checks a different Twitter handle each day, drawn from a list the malware generates itself, to get its instructions. If that day's handle has not been registered, it does nothing and simply checks the next day's designated handle the following day. If the account is active, Hammertoss looks for a tweet containing a URL and a hashtag, and then visits the URL.

The URL serves an innocuous-looking image that Hammertoss downloads and opens: the image carries encrypted instructions, which Hammertoss decrypts. The commands, which include instructions for collecting files from the victim's network, typically direct the malware to upload the stolen data to a cloud-based storage service.

"The whole path of the network traffic gives nothing to conclude" that this is an attack, notes Laura Galante, director of threat intelligence for FireEye.

"We saw a downloaded image from Github with appended and encrypted information. [Once decrypted], it contains instructions for the malware: it can collect information about the victim's network and do reconnaissance, and it uploads that information to a cloud storage service," Berry says.

Watching The Watchers

APT29, which has been active at least since late 2014, targets government agencies and organizations involved in foreign policy, defense contracting, and education, with a strong focus on Russian and Ukrainian issues, according to FireEye, which published a report on Hammertoss today. FireEye's researchers have not yet pinpointed the group's initial attack vector, though it was most likely phishing.

The attackers also watch the watchers: "They monitor the security team on what they knew about them" and then adjust their tactics to evade them, Berry says. "It's a very aggressive operation. They have significant resources and are regularly updating their malware.

"It's going to be difficult to detect even if you are aware of it," he says. Even identifying indicators of compromise is difficult since they use compromised, legit services, he says.

Symantec also has noted the confidence of the Hammertoss/Seaduke spy team. The developers appeared to flex their muscles a bit when they named one of the malware's functions "forkmeiamfamous," according to Symantec's Security Response team. "Its attacks have been so bold and aggressive, that a huge amount of attention has been drawn to it, yet it appears to be unperturbed. Its success at compromising such high-profile targets has no doubt added a few feathers to its cap," the team wrote in a blog post this month.

Now that the cat's out of the bag about APT29's latest activity, the attackers likely will change up their tactics again. "Will they still use Hammertoss?" Galante says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
 

Comments
Egbert O'Foo, 8/20/2015 | 9:50:12 AM
Re: Brilliant
Egress filtering and monitoring might be of some help: if your systems aren't *supposed* to be going to Twitter & Github, why are they requesting URIs from them?

I'm kind of surprised how many enterprises simply allow outbound traffic to go where it wills, although operating margins often mean that not enough resources can be devoted to servicing such a paradigm, and user behavior in some offices these days often includes a mix of work and personal activity, as you're probably aware.
RyanSepe, 7/30/2015 | 12:51:46 PM
Re: Brilliant
A more stringent vetting process for Twitter would result in less ease of account acquisition for genuine users. Question is, if they are using Twitter as the in-between between attacker and victim, does this make Twitter in some way liable?
Kelly Jackson Higgins, 7/30/2015 | 11:21:50 AM
Re: Brilliant
FireEye has provided a malware IoC for companies to look for. What I keep thinking is, why can't Twitter monitor some of this account abuse? That's only one piece of the CnC, but the fact that they can abuse it so freely seems silly.
RyanSepe, 7/30/2015 | 10:24:29 AM
Brilliant
Pretty impressive on their end. What are some security guidelines to follow to make their malware attempt less effective?