FireEye Releases Intelligence Report Highlighting the Clever Tactics of a Likely Kremlin-backed Threat Actor

APT29 Combines Steganography, Cloud Storage, and Social Media Services to Fly Under the Radar of Network Defenders

MILPITAS, CA – July 29, 2015 – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today's advanced cyber attacks, today released a new Threat Intelligence report titled “HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.” The report analyzes the functionality and obfuscation tactics of an advanced piece of malware employed by the likely Russian government-backed Advanced Persistent Threat (APT) group APT29.

Operating in its current form since at least 2014, APT29 has demonstrated very strong capabilities to adapt to, and obfuscate their activities from, network defense measures – including aggressively monitoring network defenders and/or forensic investigators and attempting to subvert them. Their discipline in operational security sets them apart even from other Russian APT groups FireEye tracks.

“The novel approach APT29 takes to carry out its attacks and maintain their persistence in networks represents a level of difficulty that security professionals could see trickle down into their own network security operations,” said Laura Galante, director, threat intelligence at FireEye. “As we continue to track APT29, we will be able to bring more intelligence to light that will help our customers improve their defenses against advanced attacks.”

APT29’s HAMMERTOSS is composed of multiple malware tactics to achieve its unique obfuscation goals. HAMMERTOSS follows a step-by-step retrieval of commands via common web services that would typically evade initial detection, including:

  • Beaconing each day to a different, algorithmically-matched Twitter handle for links and hashtags with commands;
  • Following social media links to sites like GitHub that host images with commands hidden within them using a practice known as steganography; and
  • Executing commands and extracting data from the victims’ machines before uploading them to cloud storage services.

The full report, including examples of APT29’s attack lifecycle using HAMMERTOSS, can be accessed at https://www2.fireeye.com/APT29-HAMMERTOSS-WEB-2015-RPT.html.

 

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 3,400 customers across 67 countries, including over 250 of the Fortune 500.

© 2015 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Contacts:
Vitor De Souza
FireEye
+1 415 699 9398
vitor.desouza@fireeye.com

Kate Patterson
FireEye Investor Relations
+1 408 321 4957
kate.patterson@fireeye.com