Russians hackers have reportedly been using Britney Spears’ Instagram as a staging ground for hacking operations targeted at foreign governments, military institutions and embassies worldwide. Researchers at the Slovakian security firm, ESET revealed in a blog post on Tuesday that a group of hackers known as Turla, believed to be linked to the Russian government, have been secretly using the comments section of Britney Spears’ Instagram as a bulletin board where coded messages that translate into server addresses are posted.
The apparently nonsensical message, “#2hot make loved to her, uupss #Hot #X,” posted in February by user asmith2155 to the comments section of an Instagram update by Spears, was, in fact, a coded message that translated as the address of the command-and-control server for a hacking operation.
Had Spears seen and read the comment, she would likely have assumed that it was the effort of an incoherent fan and ignored it. But it was an encoded internet address or URL of a central server for a hacking operation, experts claimed.
After compromising a computer, hackers need to infect it with viruses or malware that send back the stolen data. Hackers set up a central server where the hacked information is sent for harvesting. The most effective way to shut down a hacking operation is to locate the command-and-control server and shut it down. Once this is done successfully, the hacking operation is crippled until the hackers are able to set up a new central server.
“#2hot make loved to her, uupss HHot #X”
The message posted by user asmith2155 to the comments section of Britney Spears’ Instagram was an encoded message which translated into the address of the hackers’ central server at the time the message was posted. Hacked machines were then infected with virus programs or malware that could scan Spears’ Instagram account for encoded updates which give the machine information about where to send stolen data after a previous central server has been shut down.
Thus, the hackers were using Spears’ Instagram as a message board for posting information needed to control and coordinate their hacking operation.
The hacking group, Turla, according to experts at ESET, has carried out hacking operations targeted at foreign government institutions and military facilities for years. The group has also targeted foreign embassies in several countries, such as in Europe (Ukraine and Germany), Central Asia, the Middle East, the U.S., and China, according to the U.S. cyber security company, Symantec.
Turla made headlines in 2014 after researchers uncovered the Wipbot malware, a Windows trojan, that was used to infiltrate the systems of embassies and governments in several Eastern European countries, according to ESET research expert Jean-Ian Boutin.
The hackers used Britney Spears’ Instagram because its heavy traffic allowed them to hide coded messages. Spears’ Instagram account, for instance, has 16.9 million followers. The Instagram post that the hackers used had received 420,000 likes and more than 2, 200 comments.
Adopting Spears’ Instagram as a message board for posting coded messages about the location of their central server allowed the hackers to conduct a more flexible and difficult to track operation. The approach made it more difficult to track the hacking operation back to its source since a third party account was being used to relay information. It also enjoyed the added advantage that when new information was posted, the previous one could be deleted, thus erasing evidence of past operations.
ESET experts stressed that the message posted to Spears’ Instagram could not cause the devices of internet users who accessed Spears’ Instagram account and read the message to become infected with malware or compromised in any way. It was merely a message that was posted to instruct compromised machines where to send hacked data.
“There is no active or clickable content in this case, no harm can be done to the account’s followers.”
The experts also noted that the hackers did not delete the information they posted to Spears’ account. This suggested that they were only testing a new communications strategy or conducting tests ahead of the start of a new operation. The discovery, according to experts, also raises the possibility that hackers might have been using the social media accounts of celebrities and other public figures more widely than realized.
ESET said it had previously found encoded addresses on Twitter, but this is the first time that an encoded address has been found concealed in an Instagram account.
[Featured Image by Rich Fury/Getty Images]