Security experts suspect that hackers working on behalf of the Russian government are behind a sophisticated cyber campaign in which infected computers are controlled through hidden messages embedded within image files shared over Twitter.
FireEye, a California-based security firm, all but blamed the Kremlin for an offensive campaign revealed publicly for the first time in a report published on Wednesday this week.
The researchers said the hackers relied on an impressively stealthy type of malware that they’ve dubbed “HAMMERTOSS” to carry out attacks in which infected machines are covertly instructed to execute certain commands and upload sensitive user data to the cloud.
“Using a variety of techniques — from creating an algorithm that generates daily Twitter handles to embedding pictures with commands — the developers behind HAMMERTOSS have devised a particularly effective tool,” the report reads.
As described by the security firm, successfully executing HAMMERTOSS involves a multistep process: A Twitter account is automatically registered using a custom algorithm and then a tweet is posted from the profile containing a Web link and a clue that signals what to do with the data on the malicious site once it’s been visited. An infected computer will then, hypothetically, surf to the site and download its contents, then use the clue from the tweet to decipher instructions buried within an image on the site that then runs commands.
FireEye researchers said secret messages hidden within the image files through steganography, or covert coding, may either instruct the malware to conduct reconnaissance on the infected computer, execute any command via PowerShell or upload local data to a cloud storage service on the Web so that details about the commandeered machine are then sent back to the hackers.
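The sequence described above gives a defender a behavioral pattern to look for even without the group's specific handles or images. As an added example, not code from the article or from FireEye, the Python below correlates constructed proxy log lines per client and flags a host that visits a Twitter profile, then fetches an image from another site, then uploads to cloud storage within a short window; the log format, the hostnames, the cloud-storage list and the 30-minute window are all assumptions.

```python
# Added example (not from the article or FireEye's report): correlate a
# profile visit -> third-party image fetch -> cloud upload chain per client.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample proxy log, one request per line: "timestamp client host path"
SAMPLE_LOG = """\
2015-07-29T09:00:05 10.1.1.7 twitter.com /1abc2def3
2015-07-29T09:00:21 10.1.1.7 img-example.invalid /pic/0x1f.jpg
2015-07-29T09:03:40 10.1.1.7 cloud-storage.invalid /upload
2015-07-29T09:10:00 10.1.1.9 twitter.com /someuser
2015-07-29T11:30:00 10.1.1.9 cloud-storage.invalid /upload
"""

CLOUD_HOSTS = {"cloud-storage.invalid"}  # assumed list of cloud storage hosts
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

def parse(log):
    """Parse the constructed log format into time-sorted (ts, client, host, path) tuples."""
    events = []
    for line in log.splitlines():
        ts, client, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, host, path))
    return sorted(events)

def stage(host, path):
    """Map a request to one of the three chain stages, or None if irrelevant."""
    if host == "twitter.com" and path.count("/") == 1 and len(path) > 1:
        return "profile"          # a profile page, not a status URL
    if host != "twitter.com" and path.lower().endswith(IMAGE_EXT):
        return "image"            # image fetched from a site other than Twitter
    if host in CLOUD_HOSTS:
        return "upload"
    return None

def find_chains(log):
    """Return clients whose requests show profile -> image -> upload within WINDOW."""
    per_client = defaultdict(list)
    for ts, client, host, path in parse(log):
        s = stage(host, path)
        if s:
            per_client[client].append((ts, s))
    hits = []
    for client, evs in per_client.items():
        state, start = None, None
        for ts, s in evs:
            if s == "profile":
                state, start = "profile", ts      # (re)start the chain here
            elif start is not None and ts - start > WINDOW:
                state = None                       # outside the window; wait for a new profile visit
            elif s == "image" and state == "profile":
                state = "image"
            elif s == "upload" and state == "image":
                hits.append(client)
                break
    return hits
```

In the sample, only 10.1.1.7 completes the chain inside the window; 10.1.1.9 uploads more than two hours after its profile visit and is not flagged.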
The group “tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users,” the report said.
FireEye failed to conclude with 100 percent certainty that the Kremlin is behind the attack, but said an analysis of the hack, including how and when it’s been carried out, suggested an advanced persistent threat team working on behalf of Moscow is to blame.
The FireEye researchers dubbed the group “APT29” and said the coding involved in HAMMERTOSS, and the day and time it’s been deployed, point to Russian influence.
“We can say APT29 currently targets entities pertaining to Russian interests, such as Western governments and other organizations with valuable information for the country,” said Kyrk Storer, a spokesman for FireEye.
Even with evidence pointing toward Russian President Vladimir Putin’s regime, however, attribution of cyberattacks can prove to be more problematic than actually patching vulnerabilities.
“It’s extremely hard to differentiate between the responsible actor and those who would want to imitate or pretend to be that actor,” said Jeffrey Carr, the president and CEO of security firm Taia Global. He has also authored a paper on attribution for NATO’s Cooperative Cyber Defence Centre of Excellence.
“All of the technical indicators can be spoofed, and the only evidence that you’re seeing is the evidence that an attacker wants you to see,” continued Mr. Carr, who added that it’s worth considering any other potential threat actors that could be blamed for the attack based on the same publicly available information.
“It has become a kind of sport to blame everything on Russia,” Kremlin spokesman Dmitry Peskov said earlier this year when Moscow was blamed for attacking the website of the White House. “But the key thing is that they wouldn’t go searching for Russian submarines in the Potomac River, like it was the case in some other countries.”
• Andrew Blake can be reached at ablake@washingtontimes.com.