2015-07-29
By Joseph Menn
SAN FRANCISCO, July 29 - Russian government-backed
hackers who penetrated high-profile U.S. government and defense
industry computers this year used a method combining Twitter
with data hidden in seemingly benign photographs, according to
experts studying the campaign.
In a public report Wednesday, researchers at security
company FireEye Inc said the group used the unusual
tandem as a means of communicating with previously infected
computers. FireEye has briefed law enforcement on what it found.
The technique, uncovered during a FireEye investigation at
an unnamed victim organization, shows how government-backed
hackers can shift tactics on the fly after they are discovered.
"It's striking how many layers of obfuscation the group
adopts," said FireEye Strategic Analysis Manager Jennifer
Weedon. "These groups are innovating and becoming more
creative."
The infected machines were given an algorithm that generated
a different Twitter account name to check every day. If a human
operator had registered that day's account and tweeted a message
in the expected format, the computer would decode and carry out a
series of instructions.
The tweet contained a website address, a number and a handful
of letters. The computer would visit the website and look for an
image at least as large as the number indicated; the letters
formed part of the key for decoding instructions hidden inside
the data that displays the picture, so the file still looked
like an ordinary photograph.
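The following is an added illustration, written for this page, of how a channel of the kind described above fits together; it is not FireEye's code, not the malware's code, and reproduces no real tool. Every detail is an assumption chosen for the demo: the daily handle is derived by hashing a shared seed with the date, the tweet grammar is "URL size key-letters", the key is hashed from the letters plus the seed, and the message is hidden in the least-significant bits of a constructed in-memory pixel buffer rather than a real photo on a real website. The implant-side function checks each of the conditions the article mentions (correct account for the day, parseable tweet, image at least the stated size) before it decodes anything.

```python
"""Constructed simulation of a Twitter-plus-steganography command channel.
All names, formats and scheme choices are assumptions for illustration and
do not describe any real implant.  Runs entirely offline."""
import hashlib
import re

IMPLANT_SEED = b"demo-seed"  # assumed: secret baked into the implant and known to the operator


def daily_handle(day_iso: str, seed: bytes = IMPLANT_SEED) -> str:
    """Deterministic account name for one day (assumed scheme).  Both sides can
    compute it, so the operator registers the handle only on days a command is due."""
    digest = hashlib.sha256(seed + day_iso.encode()).hexdigest()
    return "user" + digest[:8]


# Assumed tweet grammar: <url> <minimum image size in bytes> <4-8 key letters>
TWEET_RE = re.compile(r"(?P<url>https?://\S+)\s+(?P<size>\d+)\s+(?P<key>[A-Za-z]{4,8})")


def parse_tweet(text: str):
    """Return (url, min_size, key_fragment) or None if the tweet is not a command."""
    m = TWEET_RE.search(text)
    if not m:
        return None
    return m["url"], int(m["size"]), m["key"]


def derive_key(fragment: str, seed: bytes = IMPLANT_SEED) -> bytes:
    """The tweeted letters are only part of the key; the rest comes from the seed."""
    return hashlib.sha256(seed + fragment.encode()).digest()


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hide(pixels: bytes, payload: bytes) -> bytes:
    """LSB steganography: a 2-byte length prefix, then payload bits, one per pixel byte."""
    msg = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def reveal(pixels: bytes) -> bytes:
    """Inverse of hide(): read the length prefix, then that many bytes of LSBs."""
    def read(n_bytes: int, offset: int) -> bytes:
        val = bytearray()
        for b in range(n_bytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + b * 8 + i] & 1)
            val.append(byte)
        return bytes(val)
    length = int.from_bytes(read(2, 0), "big")
    return read(length, 16)


def operator_side(day_iso: str, command: bytes, cover: bytes):
    """Operator: encrypt the command, embed it in the cover, publish the tweet."""
    fragment = "qzlm"  # assumed: the handful of letters sent in the clear
    handle = daily_handle(day_iso)
    image = hide(cover, xor(command, derive_key(fragment)))
    tweet = f"https://example.invalid/p/{handle}.png {len(image)} {fragment}"
    return handle, tweet, image


def implant_side(day_iso: str, handle: str, tweet: str, image: bytes):
    """Implant: accept only today's handle, a well-formed tweet and a big-enough image."""
    if handle != daily_handle(day_iso):
        return None
    parsed = parse_tweet(tweet)
    if parsed is None:
        return None
    _url, min_size, fragment = parsed
    if len(image) < min_size:
        return None
    return xor(reveal(image), derive_key(fragment))
```

A defender reading this should note where the channel is observable: the implant resolves a predictable per-day account name, fetches an image from a hosting site, and the image is larger than its visible content needs, all of which can be hunted for without knowing the key.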
Weedon said the communication method might have been a
failsafe in case other channels were discovered and cut. Vikram
Thakur, a senior manager at Symantec Corp, said his
team had also found Twitter controls combined with hidden data
in photos, a technique known as steganography.
FireEye identified the campaign as the work of a group it
has been internally calling APT29, for advanced persistent
threat. In April, it said another Russian government-supported
group, APT28, had used a previously unknown flaw in Adobe
Systems Inc's Flash software to infect high-value targets.
Other security firms use different names for the same or
allied groups. Symantec recently reported another data-stealing
tool, which it calls Seaduke, used in tandem with the
steganography. Thakur said both tools were employed by the
group Symantec knows as the Duke family.
Thakur said another tool in that kit is CozyDuke, which
Russian firm Kaspersky Lab says is associated with recent
breaches at the State Department and the White House.
(Reporting by Joseph Menn; Editing by Cynthia Osterman)