A hacker group dubbed “APT 29” and suspected of collaborating with the Russian government has devised malware known as Hammertoss, which can conceal itself within legitimate Internet traffic in order to communicate with its Command & Control server.

  • Once installed on a target machine, the malware uses sites such as Twitter and GitHub to communicate with the hackers. An algorithm generates Twitter handles daily and at random. Since the hacker group knows the algorithm, it can use the corresponding account to post a tweet containing a hashtag (which in turn contains a decryption key) and a link. The malware then follows the link to a legitimate page (on GitHub in particular) created by the group and containing an image. This image carries coded instructions hidden by steganography (the art of concealing one message within another). Once it has found the instructions, the malware decodes them using the key located in the hashtag, and then executes them.
  • The instructions vary and can, in particular, direct the malware to upload data from the target machine to cloud storage, from where the hackers can retrieve it.
  • Hammertoss can also be programmed to trigger the process after a specific date, typically during the victim’s working hours.
  • This method lets the malware blend into legitimate traffic and thus avoid detection, which complicates the task of identifying malicious traffic. Furthermore, the images containing instructions vary considerably in size, which makes them more difficult to detect.
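
As an added illustration (not code from this article or from any vendor report), the sketch below correlates web-proxy records per client and flags the sequence described in the list above: a Twitter fetch, then an image fetched from GitHub, then an upload to cloud storage, all within a short window. The log layout, the `storage.example` host, the 10-minute window and the size threshold are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Assumed values, not from the article: host lists, size threshold, log layout.
SOCIAL_HOSTS = {"twitter.com"}
CODE_HOSTS = {"github.com"}
CLOUD_HOSTS = {"storage.example"}          # placeholder cloud-storage host
IMAGE_EXT = (".jpg", ".jpeg", ".png")
MIN_UPLOAD = 1_000_000                     # bytes sent that count as an upload

# Constructed proxy records: time, client, method, host, path, bytes sent.
SAMPLE_LOG = """\
2024-01-15T09:02:11 10.0.0.21 GET twitter.com /constructed_handle 310
2024-01-15T09:02:14 10.0.0.21 GET github.com /user/repo/cat.jpg 290
2024-01-15T09:03:40 10.0.0.21 PUT storage.example /upload/a1 4812233
2024-01-15T09:05:00 10.0.0.34 GET twitter.com /newsdesk 305
2024-01-15T10:45:12 10.0.0.34 GET github.com /org/project/logo.png 280
2024-01-15T11:00:00 10.0.0.55 PUT storage.example /backup/b7 9000000
"""

def parse(log_text):
    """Yield (time, client, method, host, path, bytes_sent) per record."""
    for line in log_text.splitlines():
        if line.strip():
            ts, client, method, host, path, sent = line.split()
            yield datetime.fromisoformat(ts), client, method, host, path.lower(), int(sent)

def find_chains(log_text, window=timedelta(minutes=10)):
    """Flag clients doing social fetch -> hosted image -> upload within `window`."""
    progress = {}   # client -> (stage reached, time of the social fetch)
    hits = []
    for ts, client, method, host, path, sent in parse(log_text):
        stage, start = progress.get(client, (0, None))
        if start is not None and ts - start > window:
            stage, start = 0, None                      # chain went stale
        if method == "GET" and host in SOCIAL_HOSTS:
            stage, start = 1, ts                        # (re)start the chain
        elif (stage == 1 and method == "GET" and host in CODE_HOSTS
              and path.endswith(IMAGE_EXT)):
            stage = 2
        elif (stage == 2 and method in ("PUT", "POST")
              and host in CLOUD_HOSTS and sent >= MIN_UPLOAD):
            hits.append((client, start, ts))
            stage, start = 0, None
        progress[client] = (stage, start)
    return hits

if __name__ == "__main__":
    for client, first, last in find_chains(SAMPLE_LOG):
        print(f"{client}: social -> image -> upload between {first} and {last}")
```

Each step on its own is ordinary traffic, so the rule keys on the ordering per client rather than on any single domain or on image size.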

The same group of hackers is believed to have targeted a number of Western companies in strategic sectors (aerospace, defence and think-tanks), as well as governmental organisations. The American authorities also suspect that malicious and particularly well-organised actors may, in recent months, have penetrated the e-mail systems of the Pentagon and the State Department, gaining access to information that is sensitive, although not classified. APT 29 is a particular suspect in these two attacks.