Russian hacker squad Apt 29 is using Twitter to steal valuable data

A Russian hacking ring known as ‘Apt 29’ is thought to be responsible for a series of stealthy data breaches that have all been facilitated using dummy Twitter handles. The attacks, which have been primarily focused on foreign governments with geopolitical relationships with Russia, are being conducted using a two part system known as ‘Hammertoss.’ FireEye, a California-based cybersecurity firm, has released a lengthy analysis detailing the specific mechanics that make Hammertoss to effective.

At its core, Hammertoss is a two part system consisting of a core piece of malware that has to infect a target’s network and an external command protocol that Apt 29 can use to direct the malware’s actions. According to FireEye, Hammertoss begins its attack by searching out for multiple Twitter handles created by Apt 29 on a daily basis. If Hammertoss can locate an Apt 29-created handle, a direct link to the targeted network is established. Even if it can’t make a connection, Hammertoss will persistently look for an Apt 29 Twitter handle until it finds one.

“[Hammertoss] uses an algorithm to generate the daily handle, such as “234Bob234”, before attempting to visit the corresponding Twitter page,” FireEye explains. “HAMMERTOSS visits the associated Twitter account and looks for a tweet with a URL and a hashtag that indicates the location and minimum size of an image file.”

This is where things get ridiculously clever.

Each Hammertoss-created tweet is custom tailored with a unique hashtag and a URL that links to a seemingly innocuous image. In reality, the image itself contains a small bit of encrypted data. The hashtag tells a computer where to look for the image and includes a matching bit of encrypted data that, when combined with the image, unleashes a new set of malware commands that can extract data from a compromised computer.

What makes Hammertoss dangerous is the fact that for many potential targets, Twitter activity that results in data pings is a completely normal process. Unless a network administrator has access to Hammertoss itself and is actively monitoring the Hammertoss-created handles’ activity, they’d be hard pressed to notice the data breach. If a human were to look at a Hammer-Tweet, all they would see is a simple hyperlink, a meaningless hashtag, and perhaps a basic image with no immediately discernable features.

What’s more, there’s no reason for a Hammer-Tweet to remain in place once it’s successfully gotten into a system. Apt 29 could easily delete the tweet or the entire account.