‘Platinum’ hackers are back
The group uses steganography to fly under the security radar, say Kaspersky researchers
Researchers from the global cybersecurity company Kaspersky say they have uncovered a highly sophisticated cyber espionage campaign aimed at stealing information from South Asian diplomatic, government and military entities.
The campaign lasted almost six years and had ties to other recent attacks detected in the region, according to Kaspersky. Further investigation into the tools and methods used led researchers to conclude that the attacker is the Platinum group — a cyber espionage actor that they thought had disappeared.
For the activity to remain unseen for such a long time, the group encoded its information using a technique called steganography, which conceals the fact that there is any information there at all.
Steganography involves hiding secret data
within an ordinary, non-secret file or message in order to avoid detection. In other words, the very fact that data is being sent is disguised. In this way it differs from cryptography, which only conceals the data.
By using steganography, cyber espionage perpetrators can remain in an infected system for a very long time without arousing any suspicion. This was the method used by the Platinum group, a cyberthreat collective acting against governments and related organisations in South and Southeast Asia, whose last known activity had been reported back in 2017.
In the case of the newly discovered Platinum operation, the malware commands were embedded in the HTML code of a website. The tab and space bar keys on a keyboard do not change how HTML code is reflected on a web page, so the hackers encoded the commands in a specific sequence of these two keys.
As a result, the commands were almost impossible to detect in the network traffic, as the malware merely appeared to access an unsuspicious website that was unnoticeable in the overall traffic.
To detect the malware, researchers had to check programs that were capable of uploading files to a device. Among them, they noticed one that acted strangely — for instance, it accessed the public cloud service Dropbox for administration and was programmed to work only at certain times.
The researchers later realised this was done to hide the malware activity among processes operating during normal working hours, when its behaviour wouldn’t arouse suspicion. In fact the downloader was exfiltrating and uploading data and files to and from the infected device.
“Throughout its known existence, Platinum’s campaigns have been elaborate and thoroughly crafted. The malware used in this attack is no exception — apart from the steganography, it had other features that allowed it to fly and operate under the radar for a long time,” said Alexey Shulmin, a security researcher at Kaspersky.
“For example, it could transfer commands not only from the command centre, but also from one infected machine to another. In this way, they could reach devices that were part of the same infrastructure as the attacked devices, but which were not connected to the internet.
“All in all, seeing threat actors like Platinum using steganography is a sign that advanced persistent threats are increasing the sophistication of their methods significantly to fly under the radar, and security vendors should keep it in mind when developing their security solutions.”
To reduce the risk of falling victim to sophisticated cyber espionage operations, Kaspersky recommends taking the following measures:
Implement [security awareness training] for staff, explaining how to recognise and avoid potentially malicious applications or files. For example, employees should not download and launch any apps or programs from untrusted or unknown sources.
In addition to adopting essential endpoint protection, use a corporate-grade security solution that detects advanced threats on the network level at an early stage.
To read the full report, visit Securelist.com