
Russian hackers use Twitter to mask data theft

FireEye recently reported that a group of Russian hackers is using Twitter to mask their data-stealing malware.

They do this by using social networking websites and services to relay commands to their malware, a common practice among hackers.

But these suspected Russian hackers have taken the whole thing to a completely new level. FireEye, which has identified the hackers as APT 29, has stated that the group is using Twitter to completely mask its whole operation, making it extremely hard for companies to figure out whether they have been hacked by the malware or not.

The malware, nicknamed Hammertoss, was found by a FireEye analyst on one of their client’s networks earlier in the year. The company added to this by saying that APT 29 has taken several additional steps to avoid detection and communicate under the radar since they were first discovered.

So what is Hammertoss?

It uses an algorithm that creates a new Twitter handle every day. When the hackers want to communicate with their malware, they register the new Twitter handle for that day and use it to do so.

To execute a command, the hackers post the instructions in a tweet. This tweet will contain a URL and a hashtag. The URL will lead to an encrypted image or a file on a server, and the hashtag contains the file size of the image along with a couple of characters that should be added to the decryption key.

And as you guessed, the decryption key is stored in Hammertoss itself. Once the additional characters are added to the key, the hacker can then view the content.

To make the whole thing even harder to detect, Hammertoss is only active during the normal working days of the company it has infected. This helps the malware to stay under the radar while collecting data and hiding in the noise.
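The behaviour described above (a different Twitter handle each day, an image fetched from another server, activity only on working days) leaves a pattern in web proxy logs that a defender can hunt for. The following is an added example, not code from FireEye or from this article; the log format, host names, handles, URLs, thresholds and the Monday-to-Friday working week are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log lines (not real data): ISO timestamp, internal host, URL.
SAMPLE_LOG = """\
2015-07-20T09:14:02 ws-17 https://twitter.com/ab1cde234
2015-07-20T09:14:09 ws-17 https://files.example.net/img/a91.jpg
2015-07-21T10:02:41 ws-17 https://twitter.com/fg5hij678
2015-07-21T10:02:50 ws-17 https://files.example.net/img/c07.jpg
2015-07-22T09:47:13 ws-17 https://twitter.com/kl9mno012
2015-07-22T09:47:20 ws-17 https://cdn.example.org/p/77e.png
2015-07-20T09:01:00 ws-42 https://twitter.com/examplenews
2015-07-21T09:03:10 ws-42 https://twitter.com/examplenews
2015-07-22T12:15:00 ws-42 https://twitter.com/examplevendor
2015-07-25T14:00:00 ws-42 https://twitter.com/examplenews
"""
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")

def parse(log):
    for line in filter(str.strip, log.splitlines()):
        ts, host, url = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), host, urlparse(url.strip())

def suspicious_hosts(log, min_days=3, follow_secs=60):
    days = defaultdict(lambda: defaultdict(set))  # host -> handle -> dates seen
    last_profile = {}                             # host -> time of last profile fetch
    followups = defaultdict(int)                  # host -> image fetches right after one
    for ts, host, u in parse(log):
        segs = [s for s in u.path.split("/") if s]
        if u.hostname in ("twitter.com", "www.twitter.com"):
            if len(segs) == 1:  # heuristic: a one-segment path is a profile page
                days[host][segs[0].lower()].add(ts.date())
                last_profile[host] = ts
        elif u.path.lower().endswith(IMAGE_EXT) and host in last_profile:
            if 0 <= (ts - last_profile[host]).total_seconds() <= follow_secs:
                followups[host] += 1
    report = {}
    for host, handles in days.items():
        active = set().union(*handles.values())
        one_day = [h for h, d in handles.items() if len(d) == 1]
        rotating = len(one_day) == len(handles) == len(active)  # new handle daily, never reused
        weekdays_only = all(d.weekday() < 5 for d in active)    # assumed Mon-Fri working week
        if len(active) >= min_days and rotating and weekdays_only:
            report[host] = {"handles": sorted(handles), "image_followups": followups[host]}
    return report
```

Calling `suspicious_hosts(SAMPLE_LOG)` flags only `ws-17`; `ws-42` revisits the same handle on several days and is left out. A hit is a lead for further investigation, not proof of infection.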

APT 29 is strongly suspected to be based in Russia, as it is generally active during the normal working hours in Moscow, and on Russian holidays the group is inactive.

FireEye have also stated that the group seems primarily focused on infiltrating government organisations and collecting information relevant to Russia, leading to the supposition that the group is close to the Russian government, or indeed working with Russia.