You can’t study covert communications for long without coming across steganography. It’s been used in different forms throughout the largest wars in recorded history to convey information between allies without arousing suspicion among the enemy.
In World War II, allied armies exchanged information by hiding images and words in photosensitive glass that would only reveal its message once heated to a high temperature. Even Leonardo Da Vinci used steganography to embed a secret message in ‘The Last Supper’.
Steganography is an ancient practice. The term is Greek in origin, derived from the words στεγανός which means ‘to conceal’, and γράφω which means ‘to write’. Broadly defined, steganography is the practice of concealing secret messages in an ordinary file, message, image or video.
The first recorded uses of steganography can be traced back to 440 BC when Herodotus mentioned two examples in his ‘Histories’. The first example concerned Histiaeus sending a message to Aristagoras by shaving the head of his most trusted servant, writing the message on his scalp, and then sending him on his way once the hair had grown back. The second, perhaps better-known example is when Demaratus used wax tablets to send a warning about a forthcoming attack to Greece.
Today, the term steganography appears most often in descriptions of cyber criminals' tactics, techniques, and procedures (TTPs).
Whilst steganography and cryptography are often used interchangeably, they should not be confused with one another. Both refer to secret communication, but a fundamental difference separates them.
Where steganography attempts to conceal the existence of a message so that it cannot be found, cryptography attempts to obscure the content of a message so that it cannot be decoded or understood. To put it another way, steganographic messages are invisible to the casual observer, but legible once located. Conversely, encrypted messages are seldom disguised (and therefore visible to all), but impossible to read without a key.
The obvious advantage of steganography over cryptography is that the secret message does not attract attention to itself. Encrypted messages – no matter how unbreakable – naturally arouse interest.
When combined, steganography and cryptography can provide two layers of security. The data is first encrypted by a piece of software, and the resulting cipher text is then embedded in an image or any other medium with the help of a stego key. Combining the two methods enhances the security of the embedded data.
A representation of a combined concept of steganography and cryptography can be seen below:
Cyber criminals have been using steganography for some time now to trick victims and smuggle malicious payloads past security scanners and firewalls. The first known use of steganography in a cyber attack was in 2011 with the Duqu malware. Duqu encrypted data, embedded it into a JPEG file, and sent it to the attacker-controlled C2 server as an image, therefore raising no suspicion.
Similarly, in 2014 a piece of malware was discovered that used an algorithm to embed encrypted downloader URLs into an image file by manipulating individual pixels. The Lurk malware used steganography to embed data into an image, which helped it avoid detection within compromised environments and therefore prolonged its lifetime. According to Dell researcher Brett Stone-Gross, ‘steganography can make it exceedingly difficult to detect the presence of hidden information such as a configuration file, binary update, or bot command, especially in digital files. As a result, the use of steganography in malware may become more prevalent in the future’.
The damage that steganographically hidden malware can inflict can be catastrophic. In the 2006 Operation Shady RAT, the Trojan.Downbot virus infected computers in numerous organisations around the globe, including the United Nations, the US Federal Government, and economic trade organisations. JPEG and HTML files encoded with commands granted remote servers control over mainframe computers. It took the affected institutions months to recover, not to mention the reputational damage.
Steganography, however, has not only been used to hide malware in plain sight. Network-based steganography – the hiding of information within ordinary network transmissions – can be used during the data exfiltration stage, and it is becoming more prevalent among threat actors. Network steganography is particularly attractive because there is no limit in principle to the amount of data that can be exfiltrated, unlike on a USB stick, for example. Whilst in the past TCP/IP protocols were widely exploited, in recent years the focus has shifted to higher-layer applications and services, such as Skype, Torrent, and Google search. This trend has been moving towards new network environments, such as cloud computing.
According to McAfee Labs' June 2017 Threat Detection report, steganography is being used in a more diverse range of attacks than ever. Instead of being exclusively reserved for the TTPs of sophisticated threat actors, steganography now appears in low-level cyber attacks such as malvertising, phishing, and man-in-the-middle attacks. This proliferation has been attributed to the alleged commoditisation of steganographic attacks: if a particular technique is easy to execute, cyber criminals can sell instructions to non-technical audiences on underground forums. The spread of these techniques can also be attributed to the continuous improvement of cyber security defences.
Is there a way to mitigate attacks that use steganographic techniques? Possible mitigations include limiting network access, actively monitoring who is interacting with the network, restricting file adjustments/conversions, preventing the downloading of applications capable of creating steganographic content, and sanitising data before it leaves the network. Though these measures may not directly prevent this technique, they are effective defence strategies and go a long way towards reducing the chances of a successful attack.
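The layered approach described earlier (encrypt first, then hide the cipher text under a stego key), the pixel-manipulation technique mentioned in the Lurk paragraph, and the last mitigation in the list above (sanitising data before it leaves the network), worked through as an added Python example that is not part of the original article. It models the cover image as a flat list of 8-bit grayscale pixels generated by a seeded PRNG (constructed sample data, not a real image), uses an illustrative SHA-256 counter keystream in place of a real cipher, and hides each payload bit in the least significant bit (LSB) of a pixel chosen by a key-seeded shuffle. The `sanitise` function shows the defensive side: overwriting every LSB with fresh random bits destroys the hidden channel while changing no pixel by more than one level. All function names here are this example's own.

```python
import hashlib
import random
import struct

def make_cover(width=64, height=64, seed=1):
    """Constructed cover 'image': width*height 8-bit grayscale pixels from a seeded PRNG."""
    rng = random.Random(seed)
    return [rng.randint(0, 255) for _ in range(width * height)]

def keystream(key: bytes, length: int) -> bytes:
    """Illustrative SHA-256 counter keystream (a toy construction, not a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; symmetric, so the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def _positions(stego_key: bytes, n_pixels: int):
    """The stego key decides WHERE bits go: a keyed shuffle of all pixel indices."""
    seed = int.from_bytes(hashlib.sha256(stego_key).digest(), "big")
    rng = random.Random(seed)
    idx = list(range(n_pixels))
    rng.shuffle(idx)
    return idx

def embed(cover, payload: bytes, stego_key: bytes):
    """Hide payload (length-prefixed) in the LSBs of key-selected pixels."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload too large for this cover")
    stego = list(cover)
    for bit, pos in zip(bits, _positions(stego_key, len(cover))):
        stego[pos] = (stego[pos] & 0xFE) | bit   # only the lowest bit changes
    return stego

def extract(stego, stego_key: bytes):
    """Recover the payload; returns None if the length prefix does not fit the image."""
    pos = _positions(stego_key, len(stego))

    def read_bytes(count, offset):
        out = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[pos[offset + b * 8 + i]] & 1)
            out.append(byte)
        return bytes(out)

    (length,) = struct.unpack(">I", read_bytes(4, 0))
    if 32 + length * 8 > len(stego):
        return None
    return read_bytes(length, 32)

def sanitise(image, seed=0):
    """Defensive re-noising: replace every LSB with a fresh random bit. The picture is
    visually identical (max change 1 level) but any LSB channel is destroyed."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in image]

def max_pixel_delta(a, b):
    """Largest per-pixel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    cover = make_cover()
    secret = b"meet at dawn"                       # constructed sample message
    cipher = xor_encrypt(secret, b"enc-key")       # layer 1: encryption
    stego = embed(cover, cipher, b"stego-key")     # layer 2: concealment
    print("max pixel change:", max_pixel_delta(cover, stego))
    print("recovered:", xor_encrypt(extract(stego, b"stego-key"), b"enc-key"))
    print("after sanitise:", extract(sanitise(stego), b"stego-key"))
```

Two things worth noticing when running it: with the wrong stego key the extractor reads LSBs from the wrong pixels and gets either garbage or a nonsensical length prefix, which is the "two levels" point made above; and the sanitised image differs from the cover by at most one grey level per pixel, which is why LSB-flattening or re-encoding on an egress gateway is a cheap control against this class of channel even though it cannot tell whether a given file carried anything.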