Kremlin-backed hackers used Twitter to breach US government systems

FireEye claims Russian hackers are using Twitter to steal data in almost 'undetectable' attacks

Russian government-backed hackers breached networks of US government and defence industry computer systems by using Twitter and photos to distribute malware to their targets, researchers have claimed.

According to a newly released report from FireEye, entitled 'Hammertoss: Stealthy Tactics Define a Russian Cyber Threat Group', a criminal organisation dubbed APT29 uses Twitter, GitHub and cloud storage services to extract data from compromised networks.

The claim that the Russian hackers are government-backed and targeting US systems comes after FireEye previously warned that state-sponsored Chinese hackers have been conducting cyber espionage against South Asian governments and companies for at least a decade.

Hammertoss begins its attack by retrieving commands via legitimate web services such as Twitter and GitHub, or via compromised web servers used for command and control. Infected machines run an algorithm that determines which Twitter accounts to check on a given day, so the accounts checked change daily.

The hackers then upload images with hidden code that can install malware, which in turn can be used to steal files. The method is so stealthy that the targeted computer systems don't register the fact that they've been breached, because the malicious traffic looks like any other visit to Twitter.

However, the Tweet contains information about the targeted network systems, which can be decoded by the hackers and then used to make off with sensitive data. The aggressive and elusive nature of Hammertoss suggests that those behind it are likely to have government backing, probably from the Kremlin, FireEye warned.
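As an added illustration of how a defender might hunt for the behaviour described above, the following Python is not from the FireEye report or this article: it scans proxy-style logs for hosts that visit a never-before-seen Twitter account on each of several days and download an image the same day. The log format, sample lines, hostnames and threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed proxy log: "<day> <internal host> <url>" (not real data)
SAMPLE_LOG = """\
2015-07-01 10.0.0.5 https://twitter.com/alice_photos
2015-07-01 10.0.0.5 https://pbs.twimg.com/media/holiday.jpg
2015-07-01 10.0.0.9 https://twitter.com/1abc2def3
2015-07-01 10.0.0.9 https://github.com/some/repo/img1.png
2015-07-02 10.0.0.5 https://twitter.com/alice_photos
2015-07-02 10.0.0.9 https://twitter.com/4ghi5jkl6
2015-07-02 10.0.0.9 https://github.com/other/repo/img2.png
2015-07-03 10.0.0.5 https://twitter.com/bob_news
2015-07-03 10.0.0.9 https://twitter.com/7mno8pqr9
2015-07-03 10.0.0.9 https://github.com/third/repo/img3.png
"""

# A bare Twitter profile URL (handle only, no further path)
HANDLE_RE = re.compile(r"https?://(?:www\.)?twitter\.com/([A-Za-z0-9_]{1,15})/?$")
# Any image download, whichever service hosts it
IMAGE_RE = re.compile(r"\.(?:png|jpe?g|gif)$", re.IGNORECASE)

def parse_log(text):
    """Yield (day, host, url) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]

def find_rotating_handle_hosts(text, min_days=3):
    """Return {host: [handle, ...]} for hosts that, on at least min_days
    days, visit only Twitter handles never seen before from that host and
    also fetch an image that day. A host revisiting the same accounts each
    day (normal browsing) produces no hit and is not flagged."""
    by_host = defaultdict(lambda: defaultdict(lambda: {"handles": set(), "image": False}))
    for day, host, url in parse_log(text):
        rec = by_host[host][day]
        m = HANDLE_RE.match(url)
        if m:
            rec["handles"].add(m.group(1))
        elif IMAGE_RE.search(url):
            rec["image"] = True
    flagged = {}
    for host, days in by_host.items():
        seen, hits = set(), []
        for day in sorted(days):            # ISO dates sort chronologically
            rec = days[day]
            if rec["handles"] and not (rec["handles"] & seen) and rec["image"]:
                hits.append(sorted(rec["handles"])[0])
            seen |= rec["handles"]
        if len(hits) >= min_days:
            flagged[host] = hits
    return flagged
```

On the constructed log, only 10.0.0.9 is flagged; 10.0.0.5 revisits a known account and so never meets the rotating-handle condition.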

"The novel approach APT29 takes to carry out its attacks and maintain their persistence in networks represents a level of difficulty that security professionals could see trickle down into their own network security operations," said Laura Galante, director of threat intelligence at FireEye.

"As we continue to track APT29, we will be able to bring more intelligence to light that will help our customers improve their defences against advanced attacks."

Jennifer Weedon, FireEye strategic analysis manager, added: "It's striking how many layers of obfuscation that the group adopts. These groups are innovating and becoming more creative."

While the individual techniques used by Hammertoss aren't new, the report describes how combining them enables cyber criminals to effectively attack target networks.

"Individually, each technique offers some degree of obfuscation for the threat group's activity. In combination, these techniques make it particularly hard to identify Hammertoss or spot malicious network traffic," said FireEye.

"This makes Hammertoss a powerful backdoor at the disposal of one of the most capable threat groups we have observed," the report concludes.

The report doesn't specifically outline which networks were targeted by Kremlin-backed attacks, although the US Internal Revenue Service (IRS) was breached earlier this year and has claimed that the intrusion came from Russia.