Hammertoss – What you need to know

Consider for a moment the possibility that your PC has been attacked by malware. You might think that you would notice eventually if there was something that infiltrated your PC’s defenses. True, you might not have your Aha! moment for a few days or so, but sooner or later, it would register that you have been the victim of a security breach.

Hello, Hammertoss

But you probably would never notice if your PC were to fall victim to the new malware attack out of Russia, dubbed Hammertoss. Hammertoss, which can affect computers running Windows OS is unique in that it basically mimics the schedule and habits of the infiltrated computer’s user in such a way that it blends supremely into the background. It watches for patterns in computer usage and then acts in accordance with those patterns to avoid detection, making it one fine spy.

Sort of like Swan Lake, if Swan Lake were dangerous…

According to FireEye, the security firm that discovered the attacks, Hammertoss is the work of a government-backed group of hackers in Russia referred to as APT 29. ATP stands for Advanced Persistent Threat, and they are the 29th group to be labeled as APT perpetrators by FireEye. Though it’s a catchy name, it’s clearly not one they gave themselves. APT 29 has long been known for their sophistry in concealment and Hammertoss doesn’t disappoint in that regard. The attack contains two separate aspects, the malware with which it infiltrates a computer or network, and the elaborate system of commands that cleverly mask its presence on a machine. Each aspect of the system of commands is not new in and of itself but it’s how they come together like a graceful Russian ballet that makes this attack a particular tour de force.

Twitter Trouble

First the attack will create a Twitter handle using the Twitter account on the infected computer. Each day a new handle is created using a special algorithm. When the hackers want to communicate with Hammertoss they use the Twitter account that was created that day. The hackers send instructions in a tweet with a URL. That URL, which is to be opened in Github (an open-source repository for software developer) contains an image with encrypted data and a hashtag. The hashtag contains some additional instructions of how to view the content.

To the untrained eye, all the tweet contains is an image and a gibberish hashtag, a pretty solid way to remain incognito, to be sure. Once all the instructions have been sent out and the information retrieved, Hammertoss uploads the information to cloud servers where hackers are waiting to pick it up.

Hammertoss and you (you should be a-okay)

So should you start fretting about the possibility that your PC and Twitter accounts will become the next victims of Hammertoss? Well don’t worry just yet. Hammertoss is only being used to attack a small group of highly valuable targets, and nothing personal here, but chances are that you are not one of them. According a report from Cnet.com, FireEye researcher Jordan Berry said “They use it sparingly so that it remains effective…When they really need to avoid detection, they pull out the big guns.”

Hammertoss and governments in which Russia has interest (they aren’t so a-okay)

Then it’s not surprising that Hammertoss is being linked to the so-called “cyber intrusion” of the Pentagon on July 25, 2015, which shut down the Agency’s email for 2 weeks. According to breaking reports on CNBC.com, the attack “affected some 4,000 military and civilian personnel who work for the Joint Chiefs of Staff.” Reports are still trickling in and according to officials “It appears the cyberattack relied on some kind of automated system that rapidly gathered massive amounts of data and within a minute distributed all the information to thousands of accounts on the Internet. The officials also report the suspected Russian hackers coordinated the sophisticated cyber assault via encrypted accounts on social media.” Nothing has been confirmed as of yet but it sure does sounds like the work of none other than Hammertoss.

Great, now what?

Only time will tell but if this was the work of Hammertoss or some other variant, known or unknown. But now that it’s been discovered chances are APT 29 will change-up their methods to avoid detection. All this just proves that threats evolve as technology advances and will never stagnate. We have to stay on our toes and rise up to a constantly changing landscape.



Leave a Reply