Security researchers have blown the lid on another Russian cyberspy crew, rated as the most sophisticated yet by security firm FireEye.
APT29 – which has only been operational since around the end of last year – uses a strain of malware called Hammertoss.
"The group has demonstrated an understanding of network defenders’ countermeasures," FireEye reported. "During our investigations, APT29 continually deployed new versions of backdoors to fix bugs and add functions, as well as kept tabs on network defenders’ activities to counter attempts to clean the client’s system to maintain access to the victim environment."
It's the sophisticated command and control mechanism behind the malware that marked the whole operation out as elite, as FireEye explains.
The malware beacons to custom Twitter handles, where it scans for specific links and hashtags, then goes to GitHub to retrieve an image to which APT29 has applied steganography, extracts and decrypts the embedded commands, and finally executes those commands on the victim machine before uploading to popular cloud storage services.
The attackers took pains to make their infrequent malicious communications closely resemble legitimate users’ traffic, thereby concealing malware-generated chatter in the “noise” of common network traffic.
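The staged command-and-control chain described above (Twitter lookup, GitHub image fetch, cloud-storage upload from the same host) is something a defender can look for in web-proxy logs, even when each individual request looks benign. The following detector is an added example, not code from the article or from FireEye: it correlates the three stages per client within a time window. The log format, the sample log lines, and the `storage.example.com` cloud-storage hostname are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Image extensions that count as a "GitHub image fetch" stage (assumption).
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")
# Placeholder for the organisation's list of cloud-storage upload hosts (assumption).
CLOUD_STORAGE_HOSTS = {"storage.example.com"}

# Constructed sample proxy log: timestamp client method host path bytes_sent.
# Host 10.0.0.5 shows the full chain; 10.0.0.7's image fetch and upload fall
# outside the window after its Twitter visit; 10.0.0.9 never touches Twitter.
SAMPLE_LOG = """\
2015-07-29T09:00:01 10.0.0.5 GET twitter.com /someuser 312
2015-07-29T09:00:14 10.0.0.5 GET github.com /someorg/somerepo/raw/master/photo.png 410
2015-07-29T09:05:30 10.0.0.5 PUT storage.example.com /upload/x.bin 2400000
2015-07-29T09:01:00 10.0.0.7 GET twitter.com /home 980
2015-07-29T12:40:00 10.0.0.7 GET github.com /someorg/somerepo/raw/master/logo.png 1200
2015-07-29T12:45:00 10.0.0.7 POST storage.example.com /upload/y.bin 900000
2015-07-29T09:02:00 10.0.0.9 GET github.com /a/b/raw/master/logo.png 300
2015-07-29T09:03:00 10.0.0.9 POST storage.example.com /upload/z.bin 5000000
"""


def parse_line(line):
    """Parse one whitespace-separated proxy log line into a dict."""
    ts, client, method, host, path, nbytes = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method.upper(),
        "host": host.lower(),
        "path": path,
        "bytes": int(nbytes),
    }


def classify(ev):
    """Map a request to one of the three C2 stages, or None if it matches none."""
    if ev["host"].endswith("twitter.com"):
        return "twitter"
    if ev["host"] in ("github.com", "raw.githubusercontent.com") and \
            ev["path"].lower().endswith(IMAGE_EXTS):
        return "github_image"
    if ev["method"] in ("POST", "PUT") and ev["host"] in CLOUD_STORAGE_HOSTS:
        return "cloud_upload"
    return None


def find_c2_chains(log_text, window=timedelta(hours=1)):
    """Return {client: [(t_twitter, t_image, t_upload), ...]} for clients whose
    requests form the stage sequence twitter -> github_image -> cloud_upload,
    with the whole chain completing within `window` of the Twitter lookup."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = classify(ev)
        if stage:
            by_client[ev["client"]].append((ev["ts"], stage))

    chains = {}
    for client, events in by_client.items():
        events.sort()  # chronological order per client
        found = []
        for i, (t1, s1) in enumerate(events):
            if s1 != "twitter":
                continue
            t2 = None  # time of the first image fetch after the Twitter lookup
            for t, s in events[i + 1:]:
                if t - t1 > window:
                    break  # later stages are too far apart to count as one chain
                if t2 is None and s == "github_image":
                    t2 = t
                elif t2 is not None and s == "cloud_upload":
                    found.append((t1, t2, t))
                    break
        if found:
            chains[client] = found
    return chains


if __name__ == "__main__":
    for client, hits in find_c2_chains(SAMPLE_LOG).items():
        for t1, t2, t3 in hits:
            print(f"{client}: twitter {t1.time()} -> image {t2.time()} -> upload {t3.time()}")
```

The window is the tuning knob: the article notes the traffic is infrequent, so in practice the window and the per-stage host lists would be adjusted to the environment, and matches would be reviewed rather than blocked automatically, since ordinary users also visit all three services.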
FireEye reckoned APT29 is Russian because of the data it has been stealing and its choice of targets – a wide range of governments and organisations worldwide. Additionally, APT29's work hours closely matched working hours in Moscow, and the group apparently takes time off for Russian holidays. ®