Russia-backed hackers could use Twitter to steal data

Russia-backed hackers could use Twitter to steal data
© Getty Images

Hackers supported by the Russian government are allegedly using Twitter to control malware that is stealing data from U.S. companies and potentially even the U.S. government.

Security firm FireEye on Wednesday released a report showing that one of the most active Russian hacking groups covers up and coordinates its digital assaults through a complex method involving fake Twitter accounts and encrypted data buried in seemingly innocuous photos.


The tactic, known as “Hammertoss,” allows the group to clandestinely communicate with malware that has infected a computer system, allowing it to remain undetected. It reveals a “discipline and consistency” that is nearly unmatched by any other prominent hacking groups, according to the report.

The group “tries to undermine the detection of the malware by adding layers of obfuscation and mimicking the behavior of legitimate users,” the report says.

Known as APT29, the hacking group is likely tied to intrusions at top government agencies and defense industry firms, Reuters reported.

Pentagon chief Ash Carter has blamed Russian hackers for an intrusion at the Defense Department earlier this year. Kremlin-backed hackers are also considered responsible for the cyberattacks last year on the State Department and White House.

FireEye did not say whether APT29 used this method to crack the networks at any of those agencies.

However, the report says, “We suspect the Russian government sponsors the group because of the organizations it targets and the data it steals.”

APT29 operates by infecting networks with a particularly stealthy type of malware. That malware is programmed to each day visit a different Twitter handle, such as “@234Bob234.”

From there, the malware combs the profile for a specific tweet with a URL and hashtag directing to an image file. That image file contains encrypted directions the malware then cracks open. Many of the images are stored on the popular open-source code repository GitHub.

The instructions will often detail where the malware should send the victim’s data.

“In combination, these techniques make it particularly hard to identify Hammertoss or spot malicious network traffic,” FireEye said. “This makes Hammertoss a powerful backdoor at the disposal of one of the most capable threat groups we have observed.”