Russian Hackers Use Hammertoss to Hack U.S. Government Computers via Twitter and Github

Russian hackers have infiltrated U.S. government and high-profile corporate computers using a very stealthy and highly effective malware program dubbed Hammertoss.

The Rise of Malware

Malware seems to be dominating news headlines almost weekly at this point. We reported just yesterday that a security firm found a severe flaw in the Android mobile operating system that has already affected almost a billion devices.

Hammertoss, however, is dangerous malware that’s in a league all its own. FireEye, the security company who found the malware, reports that it is able to hide in multiple network traffic streams by disguising itself and blending in with normal traffic.

APT29 Could Be Sponsored by the Russian Government

There are plenty of APT (advanced persistent threat) groups, but FireEye believes the group that created Hammertoss are sophisticated, disciplined, and may be sponsored by the Russian government.

FireEye calls this group APT29 because it is the 29th state-sponsored group on FireEye’s watch list. APT29 is believed to be Russian not only because of the target of the attacks but also because the time of the attacks match the Moscow time zone and the Russian holiday schedule.

“While other groups try to cover their tracks, very few groups show the same discipline to thwart investigators and the ability to adapt to network defenders’ countermeasures,” said FireEye.

Hammertoss Uses an Impressive Array of Tricks and Sophistication

While FireEye admits Hammertoss isn’t using any new techniques, the company says they’ve never seen malware operate with so many tricks and at such a sophisticated level.

“We really think Hammertoss exemplifies the way [state-sponsored] actors are moving in a way that more easily evades and avoids traditional defenses,” said Jordan Berry, a researcher at FireEye.

Hammertoss uses Twitter, Github, and other cloud-based services to help conceal itself under additional layers in an attempt to blend in with normal traffic. Through Twitter and Github, Hammertoss inserts itself as a backdoor so that it can “relay commands and extract data from compromised networks.”

Once the malware takes root on a computer, it begins to blend in by operating like a user typically would, another step to further avoid detection. Part of this process is checking Twitter for instructions via specific Twitter handles that will tell the software what to do next.

When instructions are retrieved the software then checks Github to look at specific images. To most people, these images wouldn’t look any different from any other, but they have more instructions for the software embedded in the image’s code.

Once the process is complete, Hammertoss then starts stealing data from the infected computer, transferring it to the cloud in order to be retrieved from the hackers.

FireEye refused to acknowledge which companies have been affected by Hammertoss.


 

Protect your data with Nanoform: