Steganography Useful for Espionage, Malware and More

Steganography is 2,500 years old, so it has shown itself to have staying power. As our means to communicate change, so does the implementation of steganography. Yet the principle remains constant.

Therefore, it is no surprise that criminals and nation states have kept pace and evolved their capabilities from the analog world to the digital world.

After all, steganography is the “art of hiding something within an object.”

Historical Perspective

An interesting Data Loss Prevention (DLP) use of steganography occurred during the tenure of UK Prime Minister Margaret Thatcher. The SANS Institute’s 2001 paper on steganography details how it was used to identify the individuals who were leaking information to the press without authorization. Thatcher had the word processors programmed to encode the user’s identity in the spacing of the words within each document, so that any document shared could be traced back to its originator.

Meanwhile, others have used steganography to move information surreptitiously, either because espionage was being conducted or because censors existed. An example, again from the SANS paper, would be hiding data within .bmp files, with only a two-bit difference between the original and the steganographic image. In the example, the user stored the entire texts of Hamlet, Julius Caesar, King Lear, Macbeth, Merchant and Notice – 734,891 bytes of text.
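As an added illustration of the .bmp example above (this is not code from the SANS paper or from this article), the following Python embeds a message in the least significant bit of each 8-bit sample of a constructed cover buffer, then runs the pairs-of-values chi-square test a defender can use to flag such an image. The cover, the message, the seed and the keystream "encryption" stand-in are all constructed for the example.

```python
import random

def _keystream(n: int, seed: int) -> bytes:
    # Stand-in for the encryption real tooling applies first; not a real cipher.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the low bit of successive 8-bit samples with a 4-byte length
    prefix followed by the payload, MSB first. No sample moves by more than 1."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> k) & 1 for b in framed for k in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"need {len(bits)} samples, cover has {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_lsb(stego: bytes) -> bytes:
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    bits = "".join(str(s & 1) for s in stego)
    byte_at = lambda off: int(bits[off:off + 8], 2)
    n = int.from_bytes(bytes(byte_at(k) for k in range(0, 32, 8)), "big")
    return bytes(byte_at(32 + 8 * j) for j in range(n))

# Two cheap statistics a defender can compute over a window of raw samples.
def lsb_ones_ratio(samples: bytes) -> float:
    return sum(s & 1 for s in samples) / len(samples)

def pair_chi_square(samples: bytes) -> float:
    """Pairs-of-values statistic (Westfeld/Pfitzmann): LSB replacement drives
    the counts of values 2k and 2k+1 toward each other, so this collapses."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    pairs = [(hist[2 * k], hist[2 * k + 1]) for k in range(128)]
    return sum((a - b) ** 2 / (a + b) for a, b in pairs if a + b)

# Constructed cover standing in for a .bmp's raw pixel bytes: 64 KiB of samples
# with a skewed histogram (only one sample in eight has its low bit set).
COVER = bytes((((i * 97) % 256) & 0xFE) | int(i % 8 == 0) for i in range(65536))
MESSAGE = b"Though this be madness, yet there is method in it. " * 100
SEED = 2010  # constructed key; a real tool would use a proper cipher and key
CIPHERTEXT = bytes(m ^ k for m, k in zip(MESSAGE, _keystream(len(MESSAGE), SEED)))
STEGO = embed_lsb(COVER, CIPHERTEXT)
USED = 32 + 8 * len(CIPHERTEXT)  # number of samples the embedding touched

def recover_message(stego: bytes) -> bytes:
    ct = extract_lsb(stego)
    return bytes(c ^ k for c, k in zip(ct, _keystream(len(ct), SEED)))
```

Compared over the touched window, the cover's LSB ones ratio is exactly 0.125 and its chi-square statistic is in the tens of thousands, while the stego buffer sits near 0.5 and near zero, even though no sample moved by more than one level.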

The use of steganography to watermark creative works has, of course, also been present for many years. Criminal use in 2001 included: communications, fraud, hacking, electronic payments, gambling, harassment, intellectual property theft, etc.

Steganography Today

The use of steganography in malware is continually being detected, as evidenced by the Japan CERT notifications and blog posts in mid-to-late 2017 concerning the “Tick” (also known as “Bronze Butler”) group, which used the Daserf malware with encrypted configuration files and backdoors hidden in images. Japan CERT noted that Japanese industries and corporations were being targeted by this group.

The New Jersey Cybersecurity and Communications Integrated Cell published a warning on the “Stegano Exploit Kit” in 2016. Security researchers noted that Stegano remained active through late 2017. The kit hides its code in the pixels of malicious ad images and was most recently used by the AdGholas group to infect users with the Mole ransomware.

Dark Reading, meanwhile, noted three steganographic cyber espionage campaigns active in 2017. These campaigns used steganography to exfiltrate data (as discussed above) hidden in innocuous image or video files.

As cyber criminals demonstrate their mastery of steganography, one should not be surprised to learn that nation states have also perfected the art form. This was evidenced in 2010, when 10 Russian SVR (external intelligence) officers were arrested, pleaded guilty to espionage and were then sent back to Russia as part of an “exchange” between the US and Russia.

The FBI detailed in section three of their criminal complaint how the SVR used unique steganographic software “that is not commercially available.” The SVR’s software made it easy to insert text data within images; the images were then placed on publicly available websites for the intended recipient to retrieve and decrypt the secret messages.

This form of communication was employed between Moscow and these illegal intelligence officers operating under deep cover within the United States. The “software” was found present on computer disks encountered during lawful searches of the illegal SVR officers.

In an April 2017 piece on the need to localize AI in support of localized malware detection, Scott Scheferman, Sr. Director of Global Services at Cylance, notes how both Twitter and Instagram have been used to “send C2 (command and control) over steganographic media.”

Which raises the question: what’s in your image?

About Christopher Burgess

Christopher Burgess is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance.