By Michael Langer, Chief Product Officer, Radiflow
July 20, 2020
The use of steganography in OT cyber-attacks
The practice of steganography—concealing messages or information within text or data—is far from new: during the Cold War, newspapers and radio shows were regularly used to send coded messages and instructions to spies behind enemy lines. The modern-day version, however, is used not to convey instructions to humans but as a means of weaponizing seemingly benign files with malware.
In the context of cyber-attacks, steganography is often (but not always) used in conjunction with spear-phishing attacks. The attacker sends an email or other type of message, seemingly from a trustworthy contact, with an intriguing image or common computer file (e.g. a spreadsheet or Word document), often accompanied by a call to action (“I couldn’t stop laughing!” or “You really should read this!”). Clicking on the image or opening the file then triggers an executable carrying the malicious content.
Steganography enables attackers to evade some security tools, including network traffic scanners. In the case of images, the malicious data (e.g. a PowerShell script) is encoded within specific pixels of publicly hosted images, which makes detection by common network traffic scanners very difficult; in other cases, a downloaded file, e.g. an MS Word or Excel document, will prompt the user to allow active content (macros), which in turn activates the malicious payload.
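As an added illustration of the detection side (this is not code from the Radiflow article, and it assumes the payload was hidden by least-significant-bit replacement, one common embedding method the article does not name), the following Python computes the classic pairs-of-values chi-square steganalysis statistic over constructed 8-bit sample data, standing in for one colour channel of an image.

```python
import random
from typing import List, Sequence


def pov_chi_square(samples: Sequence[int]) -> float:
    """Normalised pairs-of-values (PoV) chi-square statistic over 8-bit
    sample values (the Westfeld/Pfitzmann LSB steganalysis test).

    Overwriting the LSB plane with a random payload pushes the histogram
    counts of each pair (2k, 2k+1) toward equality, so an embedded carrier
    scores near 0.5 per pair, while an untouched cover whose histogram
    slopes across each pair scores far higher. Returns chi-square per pair."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi2, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected < 5:          # too few samples in this pair to be meaningful
            continue
        chi2 += (even - expected) ** 2 / expected
        pairs += 1
    return chi2 / pairs if pairs else 0.0


def looks_lsb_embedded(samples: Sequence[int], threshold: float = 1.5) -> bool:
    """Heuristic verdict: flag carriers whose per-pair statistic sits near the
    value expected after a full LSB overwrite. The threshold is an assumption."""
    return pov_chi_square(samples) < threshold


def constructed_cover(n: int = 50_000, seed: int = 1) -> List[int]:
    """Constructed stand-in for a smooth image region: sensor noise around a
    mid-grey value. Not a real image."""
    rng = random.Random(seed)
    return [min(255, max(0, int(round(rng.gauss(128, 4))))) for _ in range(n)]


def simulate_lsb_overwrite(samples: Sequence[int], seed: int = 2) -> List[int]:
    """Model the statistical footprint of a payload in the LSB plane by
    replacing every LSB with a random bit (constructed, not a real payload)."""
    rng = random.Random(seed)
    return [(v & 0xFE) | rng.getrandbits(1) for v in samples]


if __name__ == "__main__":
    cover = constructed_cover()
    stego = simulate_lsb_overwrite(cover)
    print(f"cover: {pov_chi_square(cover):.2f} flagged={looks_lsb_embedded(cover)}")
    print(f"stego: {pov_chi_square(stego):.2f} flagged={looks_lsb_embedded(stego)}")
```

The statistic is only sensitive when a large share of the carrier's LSBs have been overwritten; a small payload scattered across a few pixels scores close to the cover, so treat this as one signal for an inline scanner, not a verdict.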
The nefarious payload itself, if it goes undetected, can wreak havoc on both sides of the IT-OT divide: it can change SCADA systems’ operating values or alter the logic in networked devices; on the IT side, the malware can open a C&C channel for exfiltrating sensitive corporate data.
According to Kaspersky, up to 50% of steganography attacks targeted industrial organizations. Some of the attacks took advantage of the network interconnectivity between the organization and its smaller vendors/suppliers (which may have weaker protections or email safety policies). By harvesting vendors’ employees’ credentials, attackers are able to remotely wreak havoc on the larger organization’s network.
Workflow of steganography-based cyber-attacks (source: Kaspersky)
This newly-discovered campaign against hardware & software suppliers to industrial enterprises again sheds light on the cyber risk originating from enterprises’ supply chains and partners.
Many sources speculate that these attacks were state-sponsored.
Such attacks may serve a number of purposes:
Prevention & Mitigation
Preventing steganography-based cyber-attacks requires both making sure that employees don’t activate the hidden malware (e.g. by opening a photo or allowing macros in MS Office documents) and, as a second line of defense should an employee activate the malware anyway, detecting the network activity it triggers.
Conclusion
The slew of attacks described above yet again demonstrates that it is imperative that stakeholders in industrial enterprise cyber security (CISO, OT security manager, Chief Risk Officer) manage their organization’s cyber risk properly, validate the security posture of suppliers, monitor 3rd-party network access, and deploy threat detection tools at the production lines to alert on possible exploits.
There’s no magic bullet that can prevent steganography-based cyber-attacks prior to activation of the hidden malware contained in the carrier medium. An effective security plan should involve segregating OT and IT networks (using firewalls & DMZs); raising awareness and educating employees; and installing an IDS (such as Radiflow iSID) that is able to instantly detect network behavior patterns indicating a malware attack.