With the news last week that the Platinum advanced persistent threat (APT) group used steganography to steal information from diplomatic, government and military targets, Deep Secure Pre-Sales Consultant Aaron Mulgrew reflects on why education around these attacks needs to be increased.

Steganography is becoming increasingly popular as a concealment technique of choice for cyber-criminals, and yet it remains one of the most underestimated threats out there. Using steganography, a secret can be concealed in a normal-looking file in a way that gives the perpetrator complete deniability over the presence of a threat. The Platinum Hacking group employed a command and control channel that took advantage of text-based steganography to conceal their communication.

Backdoor on the Victim’s Machine

The victim was initially infected via a standard mechanism such as the opening of an attachment as part of a targeted phishing campaign. The attachment contained a backdoor, designed to run on the target’s workstation and receive commands from remote, compromised machines. In this case the remote machines were legitimate – though compromised – web servers.

Text-Based Steganography

The communication between attacker and compromised workstation was concealed using text-based steganography, where instructions were hidden in the ordering of the HTML tags and in the use of space and tab characters in the Web pages hosted by the compromised servers.

Although such an approach has a very low capacity (you need 2 tags – one for 1 and one for zero – for each character of the message you are communicating), it is very hard to detect. Indeed, this compromise uses quite a lot of specialist resources and is truly an advanced attack. APT groups typically have a short life span because they have to change their code, but the Platinum Hacking group has been around since 2009, a direct result of using innovative evasive techniques such as these.
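To make the channel concrete, here is an added example (my own illustration, not Deep Secure product code and not anything recovered from the Platinum campaign) that decodes a constructed whitespace-carried message from an HTML fragment, flags the carrier lines, and shows that normalising whitespace on the way through breaks the channel. The encoding (space = 0, tab = 1, eight bits per line) is an assumption for the sake of the example.

```python
import re

# Constructed sample, not from the Platinum campaign: an HTML fragment whose
# trailing whitespace runs hide bits (space = 0, tab = 1), eight per line.
SAMPLE_HTML = (
    "<html>\n"
    "<body>\n"
    "<p>Quarterly report</p> \t  \t   \n"      # 01001000 -> 'H'
    "<p>All figures final.</p> \t\t \t  \t\n"  # 01101001 -> 'i'
    "</body>\n"
    "</html>\n"
)

TRAILING_WS = re.compile(r"[ \t]+$")


def extract_trailing_bits(html: str) -> str:
    """Collect bits from trailing space/tab runs (space = 0, tab = 1)."""
    bits = []
    for line in html.splitlines():
        m = TRAILING_WS.search(line)
        if m:
            bits.append("".join("1" if c == "\t" else "0" for c in m.group()))
    return "".join(bits)


def bits_to_text(bits: str) -> str:
    """Decode whole 8-bit groups; non-printable bytes are shown as '?'."""
    out = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = int(bits[i:i + 8], 2)
        out.append(chr(value) if 32 <= value < 127 else "?")
    return "".join(out)


def suspicious_lines(html: str, min_run: int = 4) -> list[int]:
    """Detection heuristic: 1-based line numbers whose trailing whitespace
    mixes spaces and tabs, or is longer than an editor would normally leave."""
    hits = []
    for n, line in enumerate(html.splitlines(), 1):
        m = TRAILING_WS.search(line)
        if m and (("\t" in m.group() and " " in m.group()) or len(m.group()) >= min_run):
            hits.append(n)
    return hits


def neutralise(html: str) -> str:
    """Transformation that destroys a whitespace-carried channel: collapse
    space/tab runs and strip trailing whitespace. (For real pages, leave
    <pre>/<textarea> content alone, since whitespace is significant there.)"""
    return "\n".join(re.sub(r"[ \t]+", " ", ln).rstrip() for ln in html.splitlines()) + "\n"
```

Running `bits_to_text(extract_trailing_bits(SAMPLE_HTML))` recovers the hidden text, while the same call on `neutralise(SAMPLE_HTML)` returns nothing, because the carrier whitespace no longer exists.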

Monitoring Attacks

Organisations are aware that they need to move beyond detection and embrace new techniques if they are to deal with increasingly sophisticated exploits such as the one performed by the Platinum Hacking group. The good news is that threat prevention technologies such as Deep Secure Content Threat Removal can combat this type of threat, for example by automatically re-ordering HTML tags during transformation and thus rendering the channel inoperable.

We need to increase education around more sophisticated and undetectable cybersecurity risks, like steganography. Organisations critically need to understand that detection-based defences will not stop them from falling victim to such attacks, so that they investigate and invest in new and innovative solutions that have the power to eliminate the risk.