clock menu more-arrow no yes mobile

Filed under:

Britney Spears’s Instagram is secretly being used by Russian hackers

A screenshot of Britney Spears’s Instagram page
A screenshot of Britney Spears’s Instagram on Thursday.

In order to hack foreign governments, military officials, and embassies, Russian hackers are now using Britney Spears in their operations by posting cryptic comments on her Instagram photos.

Hackers at Turla, a group believed to be linked to Moscow, are using Instagram comments on Britney Spears’s photos to control their hacking operation, said researchers at Slovakian security firm ESET in a report on Tuesday.

Here’s the comment that was posted in February (and has since been deleted) on a photo Spears posted in January:


By Instagram user asmith2155: #2hot make loved to her, uupss #Hot #X

The comment doesn’t make sense and doesn’t seem threatening to the untrained eye. But, according to ESET, it’s key to the hackers’ success.

The process for how the whole operation works is complicated.

After compromising computers, hackers need a way to send them instructions and get data back. They often set up a command and control server to do this. Security professionals defending against cyberattacks usually try to find the central server and shut it down in hopes of crippling the entire network.

The comment on Britney Spears’s photo is a clever strategy for announcing the location of a new command and control server after the previous one gets shut down. When decoded, it’s actually the central server’s internet address.

Compromised machines are programmed to periodically scan for these specially-targeted comments on the Spears Instagram page so they’re able to continue communicating with the hackers even after the initial command and control server gets shut down.

Turla has a long history of attacking governments and organizations. It previously targeted embassies in Ukraine, China, Germany and several other countries, a state electrical authority in the Middle East, and a medical organization in the US, according to Symantec, a security software company based in the US.

According to experts, Turla is likely linked to the Russian government. "It is sophisticated malware that's linked to other Russian exploits, uses encryption and targets western governments,” said Jim Lewis, a former US foreign service officer, in a Reuters article. “It has Russian paw prints all over it."

So why are the Russian hackers now targeting an American pop star’s Instagram account?

The answer is simple: Web traffic from users around the world is constantly flowing through Instagram. It would be incredibly easy to hide malicious comments and links on photos posted by celebrities.

For example, Britney Spears currently has 16.9 million Instagram followers. The post that was targeted has more than 420,000 likes and 2,200 comments. That makes it much harder for defenders to track hackers’ actions — if it wasn’t for ESET’s research, that one comment would’ve been lost.

Another reason is that it’s very easy for the hackers to delete a comment, which would erase any trace of a hacking attempt. After deleting the comment, they could easily post another comment that would lead to a new central server. In this case, the hackers didn’t delete the comment, and ESET believe it was just a test of their new way of communicating.

The discovery raises questions about what else is hiding in the comment sections of celebrities’ social media pages and how Russian hackers are getting creative to avoid tracking.

Sign up for the newsletter Sign up for Vox Recommends

Get curated picks of the best Vox journalism to read, watch, and listen to every week, from our editors.