Neat sleuthing there! How about some breaks?
There may be some additional hints as to the perps if their fingers seem a bit more leaden around mid-morning and all afternoon (Moscow time).
Security researchers have blown the lid on another Russian cyberspy crew, rated as the most sophisticated yet by security firm FireEye. APT29 – which has only been operational since around the end of last year – uses a strain of malware called Hammertoss. "The group has demonstrated an understanding of network defenders’ …
The malware beacons to custom Twitter handles, where it scans for specific links and hashtags, then goes to Github where it obtains an image that APT29 applies steganography to, to decrypt commands, and finally executes commands on the victim machine before uploading to popular cloud storage services.
This makes as much sense as anything from "Ghost In The Shell: Man-Machine Interface". Can I have this explained, please?
It seems fairly clear to me, unless I've got it wrong.
The malware looks at the posts made by certain Twitter accounts. The account usernames/handles may be fixed or may be generated algorithmically. I'll agree that the use of the word "beacon" isn't clear. The malware could be looking for either public tweets or direct messages that already exist, or it could make tweets or direct messages itself and then wait for responses.
It looks for posts containing certain hashtags and links. Similarly, the hashtags and the format of the links may be fixed or generated algorithmically.
It uses the information in those posts to create links to images stored on Github. The links may have been placed directly into the posts, or the links may be constructed algorithmically from parts of one or more posts. It fetches the images from Github. The images contain commands hidden within them.
Some commands will tell the malware what data to exfiltrate, what cloud storage service to send that data to, the account name on that cloud storage service and the password for that account.
The tweets or direct messages, images and cloud storage accounts are created by members of APT29, to be picked up and used by the malware.
In principle, none of this is hard to get working. What's hard is to make it reliable. The software is trying to behave like a user. There are likely to be lots of horrible edge cases. And if one of the services changes slightly, a user will normally take it in their stride. Software is much more brittle. You don't want all your hard work to crumble because Twitter decides to reformat some of its HTML or tweak an API.
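The comment above describes the traffic shape of this command channel (a tasking lookup on Twitter, an image fetch from Github, then an upload to a cloud storage service) rather than any of its internals. From the defender's side that shape is what a proxy log can show, so the following is an added example, not code from the thread, from FireEye or from the malware, of a detector that looks for the three stages in order from one source host within a short window, and separately for tasking lookups arriving at a suspiciously regular interval. The log line format, the domain lists, the ten-minute window and the upload size threshold are all assumptions made for this illustration; the log lines are constructed.

```python
"""Detect the three-stage web traffic pattern described in the comment above.

Added example, not part of the original thread. The proxy log schema
("<iso-timestamp> <src-ip> <method> <host> <path> <bytes-out>"), the domain
lists and the thresholds are assumptions for this illustration; a real
proxy (Squid, Zscaler, ...) has its own field order and category tags.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed stand-ins for each stage of the chain. A real deployment would use
# the proxy's URL-category tags rather than a hand-written list.
STAGE1_TASKING = {"twitter.com", "api.twitter.com"}
STAGE2_IMAGE = {"github.com", "raw.githubusercontent.com"}
STAGE3_UPLOAD = {"onedrive.live.com", "www.dropbox.com", "drive.google.com"}
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif")
WINDOW = timedelta(minutes=10)      # all three stages must fall inside this span
MIN_UPLOAD_BYTES = 50_000           # ignore small form posts to cloud sites

# Constructed sample log: one suspect host (10.0.0.5) and one ordinary one.
SAMPLE_LOG = """\
2015-07-30T09:00:00 10.0.0.5 GET twitter.com /1abcd12 310
2015-07-30T09:00:20 10.0.0.5 GET raw.githubusercontent.com /acct/repo/master/img.png 280
2015-07-30T09:02:00 10.0.0.5 POST onedrive.live.com /api/upload 262144
2015-07-30T09:05:00 10.0.0.9 GET twitter.com /search 290
2015-07-30T09:05:30 10.0.0.9 GET github.com /acct/repo/pull/12 300
2015-07-30T09:06:00 10.0.0.9 GET drive.google.com /drive/my-drive 300
2015-07-30T10:00:01 10.0.0.5 GET twitter.com /1abce13 310
2015-07-30T11:00:00 10.0.0.5 GET twitter.com /1abcf14 310
2015-07-30T12:00:02 10.0.0.5 GET twitter.com /1abcg15 310
"""


def parse_line(line):
    """Split one constructed proxy line into a record dict."""
    ts, src, method, host, path, bytes_out = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), "src": src,
            "method": method, "host": host, "path": path,
            "bytes_out": int(bytes_out)}


def classify(rec):
    """Map a record to stage 1, 2 or 3 of the chain, or None if it is neither."""
    if rec["host"] in STAGE1_TASKING and rec["method"] == "GET":
        return 1
    if rec["host"] in STAGE2_IMAGE and rec["path"].lower().endswith(IMAGE_EXT):
        return 2
    if (rec["host"] in STAGE3_UPLOAD and rec["method"] in ("POST", "PUT")
            and rec["bytes_out"] >= MIN_UPLOAD_BYTES):
        return 3
    return None


def _staged_events(log_text):
    """Group (timestamp, stage) pairs by source host, skipping unrelated lines."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            stage = classify(rec)
            if stage is not None:
                per_src[rec["src"]].append((rec["ts"], stage))
    return per_src


def find_chains(log_text):
    """Return {src: [(t_tasking, t_image, t_upload), ...]} for hosts that
    complete stages 1 -> 2 -> 3 in that order within WINDOW."""
    chains = {}
    for src, events in _staged_events(log_text).items():
        events.sort()
        for i, (t1, s1) in enumerate(events):
            if s1 != 1:
                continue
            t2 = t3 = None
            for t, s in events[i + 1:]:
                if t - t1 > WINDOW:
                    break
                if s == 2 and t2 is None:
                    t2 = t
                elif s == 3 and t2 is not None:
                    t3 = t
                    break
            if t3 is not None:
                chains.setdefault(src, []).append((t1, t2, t3))
    return chains


def regular_beacons(log_text, min_samples=4, max_cv=0.05):
    """Return {src: mean_gap_seconds} for hosts whose stage-1 lookups recur at
    near-constant spacing (coefficient of variation of the gaps <= max_cv)."""
    result = {}
    for src, events in _staged_events(log_text).items():
        times = sorted(t for t, s in events if s == 1)
        if len(times) < min_samples:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            result[src] = round(m)
    return result


if __name__ == "__main__":
    for src, hits in find_chains(SAMPLE_LOG).items():
        print(f"{src}: tasking->image->upload chain(s): {hits}")
    for src, gap in regular_beacons(SAMPLE_LOG).items():
        print(f"{src}: tasking lookups every ~{gap}s")
```

Both checks key off properties the comment itself points out: the chain is a fixed sequence of three otherwise ordinary-looking services, and the lookups happen on a schedule. The second check is only as good as the attacker's jitter, and the first assumes the proxy sees the full URL (so TLS inspection or category tags are needed in practice); neither check says anything about the image contents, which is the one part of the scheme a network log cannot see.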
State-sponsored hacking has become a mainstream form of IT employment, complete with pension plans, scheduled coffee breaks, year-end bonuses and other nice perks?
I still remember when such things were offered by major corporations, but today they only seem to offer massive layoffs, punctuated by temporary employment opportunities for the lowest bidders. Of course, if you want to help build Skynet and have the right connections, you might find some work too.
Face it, the opportunity to work long, stressful hours in a sunless basement (waiting for the knock on the door) will never attract the best talent.
So proletariat of the world, unite! You have nothing to lose but your chains! And remember, come the revolution, the bean counters will be the first against the wall!
So kids, if you are seeking a lucrative career in IT when you grow up, perhaps you should start looking for a black-hat internship in Moscow or St Petersburg. You don't even have to move out there. Of course, you could always TRY to bag a more secure, above-ground job option out here in the Wild, Wild West.
Funny how that works, innit?
(hollow laughter in background)