The Threat of Digital Steganography-cloaked Malware to U.S. Critical Infrastructure Systems

What is digital steganography, you may be asking, and why should you care about it? Well, the short answer to that question is that sometimes what you cannot see can hurt you, badly, in fact. Badly to the extent that hidden malware could seriously cripple many of the U.S. Critical Infrastructure Information Systems (IS), something that our adversaries such as Russia, China, North Korea, and Iran would likely enjoy watching. Cyberspace, referred to as the fifth domain by NATO, is a dangerous place. A lot goes on behind the scenes: network processes and protocols run silently in the background across networks without your being aware of them, and some of them, as recent news headlines have demonstrated, are nefarious in nature. Case in point: digital steganography, which is essentially a technique for hiding information in plain sight. Using various digital compression techniques, the secret data is segmented and embedded by modifying the carrier file’s bits at the binary level just enough that the carrier appears unaltered.

A simple example of Least Significant Bit (LSB) digital steganography is for the steganography application to substitute the right-most, or “least significant,” bit in an 8-bit Byte of data (NTFS) with a bit of the embedded or secret data. For instance, given a Byte of data of 00010110, the steganography application’s algorithm substitutes the LSB, yielding 00010111. This is a very simplified version of the technology involved, which would be performed hundreds or thousands of times throughout the carrier file. Essentially though, that is how the LSB digital steganography method functions.
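As an added illustration (not code from the article), here is the LSB substitution described above in Python, together with a Pairs-of-Values chi-square check of the kind a scanner can apply to a carrier’s byte histogram. The carrier is a constructed, even-valued 8-bit grayscale ramp and the secret text is made up; both are placeholders, not real files.

```python
def bits_of(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(carrier: bytes, secret: bytes) -> bytes:
    """Replace the LSB of successive carrier bytes with the secret's bits,
    e.g. 00010110 becomes 00010111 when the next secret bit is 1."""
    bits = list(bits_of(secret))
    if len(bits) > len(carrier):
        raise ValueError("secret does not fit in carrier")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit   # clear bit 0, then set it to the secret bit
    return bytes(out)

def lsb_extract(stego: bytes, length: int) -> bytes:
    """Rebuild `length` bytes from the LSB plane of the first length*8 carrier bytes."""
    out = bytearray()
    for i in range(length):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)

def pov_chi_square(data: bytes) -> float:
    """Pairs-of-Values statistic: LSB embedding pushes the counts of values
    2k and 2k+1 toward each other, so a drop in chi-square hints at embedding."""
    hist = [0] * 256
    for value in data:
        hist[value] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi += (even - expected) ** 2 / expected
    return chi

def demo() -> dict:
    # Constructed carrier (assumption, not a real image): a posterised grayscale
    # ramp whose values are all even, so every (2k, 2k+1) pair starts unbalanced.
    carrier = bytes((i % 64) * 4 for i in range(4096))
    secret = b"hidden message"
    stego = lsb_embed(carrier, secret)
    return {
        "recovered": lsb_extract(stego, len(secret)),
        "max_delta": max(abs(a - b) for a, b in zip(carrier, stego)),
        "chi_carrier": pov_chi_square(carrier),
        "chi_stego": pov_chi_square(stego),
    }
```

No byte moves by more than 1, which is why the carrier looks unchanged, while the chi-square statistic falls as soon as bits are embedded; a real photograph starts with a smaller pair imbalance than this constructed ramp, so the drop is less dramatic but measurable in the same way.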

Past Examples

Steganography has been used in the past by malicious insiders to secretly exfiltrate data from companies and even government agencies such as the Department of Justice (DOJ) and in several high-profile child porn cases. Now, however, security researchers have discovered that malware developers and Advanced Persistent Threat (APT) groups are using digital steganography to cloak or mask the presence of malware on networks. Digital steganography has been used in several nasty pieces of malware that are primarily focused on collecting personal or corporate banking information.

Digital steganography is such a serious threat that the National Institute of Standards and Technology (NIST) specifically addressed it in their 2013 Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, which contains an exhaustive catalog of security controls designed to best protect Federal IS. NIST specifically addressed the threat of digital steganography in three different security controls: protection against the covert exfiltration of information across network boundaries [SC-7(7)], malicious code hidden through the use of digital steganography (SI-3), and information system monitoring [SI-4(18)] to detect covert data exfiltration. The NIST SP 800-53 (rev. 4) security control that pertains to malicious code requires networks to implement real-time scanning of external files at the network boundary firewall (Wingate, 2013).

The obvious rhetorical question is how many U.S. Critical Infrastructure systems are actively scanning for digital steganography application signatures at the network boundary firewall? I am afraid to ask and suspect the answer is few, if any! If that truly is the case, then it is problematic for the sake of national security and U.S. Critical Infrastructure systems.

So how do we protect against this threat?

Cybersecurity best practices are a good place to start: implementing controls such as anti-virus/malware software on computers and also at the network level should catch the known virus/malware signatures. However, some of the malware examples that have been found to incorporate steganography are not likely to be included in standard anti-virus definitions until they are spotted and reported in the wild, and that takes time and resources. In the malware game, the object is to stay hidden for as long as possible without being detected. Adversaries aren’t going to spend time and resources developing malware only to have it discovered within two weeks of initial deployment. Instead, it is wise to invest in heuristic-based anti-virus/malware and intrusion detection/prevention systems (IDS/IPS) or host-based security systems (HBSS) that are capable of monitoring slight changes in the Operating System (OS), registry files, or memory cache that could signal malware processes.

Software patching is another easy way to protect against malware threats. Malware developers are counting on the fact that millions of systems are not being patched in a timely fashion. Just look at how quickly the WannaCry ransomware spread after the EternalBlue Windows Server Message Block (SMB) vulnerability was published. Even though Microsoft had published a software patch for this vulnerability, many people and organizations failed to properly patch their systems in a reasonable amount of time. Critical Infrastructure was also affected by WannaCry; it wasn’t necessarily U.S. Critical Infrastructure, but the United Kingdom (UK) experienced serious issues with hospital networks and had to revert to pen and paper. Lives are on the line; it should go without saying that we’ve got to be quicker to patch systems.

This malware stuff has real-world consequences; people need to understand this and act accordingly. Stuxnet was just the beginning. It only gets more complicated from here. Treat cybersecurity as the very important issue that it is, give it the funding it deserves, give the CISO a seat at the C-suite table. Otherwise, if we don’t give cybersecurity the respect it deserves, we’re living and operating on borrowed time, so to speak. How long before international relations with one of our foreign adversaries sour to the point where a cyber attack against U.S. Critical Infrastructure is launched? What happens then? Will that be considered an act of war? How does the U.S. respond, kinetically with planes, missiles, and troops on the ground? Or do we hack back? Is USCYBERCOM ready to strike offensively with its cyber weaponry? One has to wonder what is in the U.S. cyber weapons arsenal. How will the average U.S. citizen be affected by a cyberwar? All of this is not meant to paint a bleak, Doomsday type of scenario, but rather to spark an intelligent discussion on important cybersecurity-related issues affecting Critical Infrastructure.

Perhaps the real question here is why Critical Infrastructure systems (in the U.S. or in other countries) are connected to the Web in the first place. It defies logical reasoning. For the sake of convenience? A quick search of the search engine for Internet-connected devices will yield many U.S. Critical Infrastructure devices, and now a security researcher has ill-advisedly developed an application (called AutoSploit) that combines that search engine with Metasploit, creating a dangerous piece of software capable of untold cyber havoc if it were actually used against Critical Infrastructure. Air-gapping information systems, even industrial control systems (ICS), used to be common sense because there was no Internet to connect them to. Nowadays, however, that trend has reversed and everyone wants Internet-connected everything. Unfortunately, that has proven to be flawed logic, though perhaps we don’t want to recognize or accept that fact. Look no further than fitness tracker devices that have inadvertently revealed the GPS location data of overseas U.S. military bases.

Backbone Security has cornered the market for years as the single vendor offering any type of comprehensive active network scanning application for steganography application signatures, with their Steganography Analyzer Real-Time Scanner (StegAlyzerRTS). This article is not intended to be a sales pitch for Backbone Security, but it does raise the question of why there aren’t more commercial vendors offering these types of services. Does it fall into the “too hard” category? I mean, one vendor, seriously? Here again, I think we could stand to improve in that respect so that there is not a monopoly on pricing for this critically important cyber capability for Critical Infrastructure. Perhaps the Federal government could entice some competition by offering tax incentives or something. Typically, the government requires three separate vendors to be considered before a high-dollar contract is awarded. Maybe I need to start my own real-time steganography application signature scanning product company…

But what about cyber attribution?

Unfortunately, it is not so easy to attribute cyber attacks to one particular Nation-state threat actor or APT group, due to sophisticated software that allows cyber threat actors (notice I am not using the term “hackers,” because not all hackers are bad/evil-intentioned) to route their true Internet Protocol (IP) address through many layers of networks (i.e., onion-routing networks and browsers such as Tor, I2P, and Freenet). Malware can be created, sold, purchased, and deployed via the Dark Web without anyone knowing of its existence until it surfaces on the Internet, and by then it is already too late. Law enforcement agencies and the Intelligence Communities of the U.S. and foreign nations have tools to assist in the network forensics of determining cyber attribution, but even then the potential for error is high. There is much to be gained by a foreign adversary penetrating a system of another nation and then laterally penetrating other systems, which it then uses to launch further cyber attacks or cyber network espionage against predetermined targets such as U.S. Defense Industrial Base contractor companies.

My hope with this article is that I’ve given you something new to consider: another angle from which to view the current state of cyber resiliency and readiness. Cyber threats are real and they won’t stop anytime soon. Would you stop if you were China or Russia? Go ahead America, keep spending the time, money, and resources to develop new technology while we sit back and hack your systems and steal the data for our own uses. I don’t see that changing anytime soon unless we change our cultural mindset. Will you sit on the sidelines doing nothing, or will you do your part to help secure and harden U.S. Critical Infrastructure systems within your organization? Cybersecurity, whether you’re an IA professional or not, really is something that everyone should care about because it can affect you in ways you may have never even imagined. Hopefully, the next time you pull up to that ATM to withdraw personal funds, the U.S. financial systems are not under cyber attack. The same can be said for our electricity, emergency services, water, and wastewater systems. The list of Critical Infrastructure that could potentially be affected is extensive, as set out in the 2013 National Infrastructure Protection Plan (NIPP).