Source: http://www.ft.com/cms/s/0/74d964a2-3...ebd57852.html#


Russia’s cyberwarriors use Twitter to hide intrusion

Sam Jones, Defence and Security Editor

Russian hackers are using Twitter as an ultra-stealthy way of concealing their intrusions into sensitive Western government computer systems — a new surveillance technique that blends cutting edge digital engineering with old-fashioned spy tradecraft.

The hackers use images uploaded to the social media site to send messages and directions to malware — or malicious software — with which they have infected target computers.

The value of using Twitter as a means to control the malware — which may direct computers to steal files or other unintended operations — is that it is virtually invisible to most detection systems, appearing instead like myriad other visits users make to the social networking site.

A new report from the cyber security firm FireEye, released on Wednesday, publicly identifies the new malware for the first time; FireEye has nicknamed it “Hammertoss”.

FireEye says it has “high confidence” that Russian agents are behind the project.

“It’s really an example of how innovative and thoughtful threat groups are becoming,” said Jen Weedon, manager at FireEye’s threat intelligence group. “They are leveraging all of these credentials and services. It’s artistry. This is clearly not malware that is being built without thought.”

For all its digital sophistication, the principles behind Hammertoss are reminiscent of the low-tech spy signals of the Cold War — chalk marks on trees or dead-letter boxes. In essence, the social media site allows Russia’s cyber warriors to communicate with their agents in plain sight and under the noses of those on the lookout for unusual behaviour or communications.

“The weaponisation of social media is a growing threat. It’s an easy way of passing information to malware that’s hard to detect — and it’s been in development for quite some time,” said Stuart Poole-Robb, chief executive of the business intelligence group KCS.

The malware, once embedded, performs a daily check for a specific Twitter account, the unique name of which is generated on each occasion by an inbuilt secret algorithm.

Hammertoss’s controllers, by possessing an identical algorithm, are able to know the name of the Twitter account the malware will look for each day. If they wish to issue a command to Hammertoss, they set up the account and post a tweet.

The tweet may look innocuous, but it will contain a link to an image. The image has a secret message for Hammertoss encoded within it — another Cold War technique known as steganography.

In one instance observed by FireEye, Hammertoss’ controllers instructed the malware, via an image posted on Twitter, to upload sensitive information it had skimmed from a government computer system to an encrypted cloud storage account. Hammertoss’ operators were then able to access the data themselves.
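The sequence described above (a once-daily lookup of a fresh, never-repeated Twitter account, an image download, then an upload to cloud storage) is what a network defender can look for in web proxy logs. The following is an added example written for this article, not FireEye's code or a description of Hammertoss internals: it runs a heuristic over constructed proxy log lines in an assumed "timestamp client method url" format, with a hypothetical cloud storage host and threshold values (three days, 15-minute jitter, 10-minute follow-up window) chosen for illustration.

```python
"""Heuristic detection of a Hammertoss-style Twitter check-in pattern in proxy logs.

Added example (not from the article or FireEye): it flags a client that, once a day
at a consistent time, fetches a Twitter profile it never visits again, then pulls an
image from Twitter's media host and pushes data to a cloud storage host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed format: "<ISO timestamp> <client> <method> <url>".
# ws-17 shows the daily check-in pattern; ws-03 is a user reading a news account.
SAMPLE_LOG = """\
2015-07-20T09:02:11Z ws-17 GET https://twitter.com/a8f3kq2ls
2015-07-20T09:02:12Z ws-17 GET https://pbs.twimg.com/media/img7731.jpg
2015-07-20T09:05:40Z ws-17 PUT https://storage.example-cloud.net/bucket/blob1
2015-07-21T09:01:58Z ws-17 GET https://twitter.com/zq91mnb4x
2015-07-22T09:03:05Z ws-17 GET https://twitter.com/p03ldk8wr
2015-07-22T09:03:06Z ws-17 GET https://pbs.twimg.com/media/img8802.jpg
2015-07-20T12:30:00Z ws-03 GET https://twitter.com/nytimes
2015-07-21T12:30:00Z ws-03 GET https://twitter.com/nytimes
2015-07-22T12:30:00Z ws-03 GET https://twitter.com/nytimes
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+)$")
PROFILE_RE = re.compile(r"^https://twitter\.com/([A-Za-z0-9_]{1,15})$")
IMAGE_RE = re.compile(r"^https://pbs\.twimg\.com/media/\S+\.(?:jpg|png|gif)$")
# Hypothetical cloud storage host standing in for the exfiltration destination.
CLOUD_RE = re.compile(r"^https://storage\.example-cloud\.net/")


def parse(log_text):
    """Parse log lines into (timestamp, client, method, url); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_suspects(events, min_days=3, jitter=timedelta(minutes=15),
                  followup=timedelta(minutes=10)):
    """Return {client: summary} for clients matching the daily check-in pattern."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev[1]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort()
        profiles = []
        for ts, _, method, url in evs:
            m = PROFILE_RE.match(url)
            if method == "GET" and m:
                profiles.append((ts, m.group(1)))

        # Accounts a real user follows recur across days; a generated account name is
        # looked up on one day only. Keep only the one-day handles.
        days_by_handle = defaultdict(set)
        for ts, handle in profiles:
            days_by_handle[handle].add(ts.date())
        one_shot = [(ts, h) for ts, h in profiles if len(days_by_handle[h]) == 1]
        days = {ts.date() for ts, _ in one_shot}
        if len(days) < min_days:
            continue

        # A scheduled check-in lands at nearly the same time of day; people do not.
        secs = [ts.hour * 3600 + ts.minute * 60 + ts.second for ts, _ in one_shot]
        if max(secs) - min(secs) > jitter.total_seconds():
            continue

        # Count the follow-on legs: image download, then upload to cloud storage.
        image_fetches = uploads = 0
        for ts, _ in one_shot:
            window = [e for e in evs if ts < e[0] <= ts + followup]
            if any(IMAGE_RE.match(e[3]) for e in window):
                image_fetches += 1
            if any(e[2] in ("PUT", "POST") and CLOUD_RE.match(e[3]) for e in window):
                uploads += 1

        findings[client] = {
            "days": len(days),
            "handles": [h for _, h in one_shot],
            "image_fetches": image_fetches,
            "uploads": uploads,
        }
    return findings


if __name__ == "__main__":
    for client, summary in find_suspects(parse(SAMPLE_LOG)).items():
        print(client, summary)
```

On the constructed input only ws-17 is reported: three one-day handles at a near-identical time of day, two image fetches and one cloud upload within the follow-up window, while ws-03's repeated visits to the same account are discarded as ordinary browsing. The point of the heuristic is that each individual request looks like normal social media traffic, as the article notes; it is the cadence and the never-repeated account names across days that stand out, so the rule needs several days of logs per client to fire.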

A senior Western military cyber defence official said he was aware of the malware, which was first detected earlier this year and has been observed in several sensitive government systems.

Another Russian malware family, known as MiniDuke, also used Twitter for certain command and control operations, but unlike Hammertoss it was restricted to communicating with a small number of specific, pre-established accounts.

“Hammertoss has been developed by one of the most capable groups that we track,” said Ms Weedon. “It’s a unique tool. It’s used very selectively . . . for critical targets and when it’s really needed . . . when you need to bring out the big guns.”