In early 2023, Kaspersky’s Global Research and Analysis team uncovered a long-running espionage campaign operated by a previously unknown actor. The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems. These secure USB drives are employed by government organizations worldwide, implying that more entities might potentially fall prey to similar techniques.
The campaign comprises various malicious modules, through which the actor can gain extensive control over the victim’s device. This allows them to execute commands, collect files and information from compromised machines, and transfer them to other machines using the same or different secure USB drives as carriers. Additionally, the APT is proficient in executing other malicious files on the infected systems.
Kaspersky researchers report there are a limited number of victims, highlighting the highly targeted nature of the attack.
“Our investigation reveals a high-level of sophistication, including virtualization-based software obfuscation, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected secure USBs. These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks,” comments Noushin Shabab, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Kaspersky researchers have not observed any overlaps with any existing threat actor, but with this attack campaign still ongoing, experts continue to track its progress, and expect to see more sophisticated attacks from them in the future.
Further details on TetrisPhantom will be unveiled at upcoming Security Analyst Summit (SAS), taking place on October 25 – 28. Make sure to secure your spot to learn about latest trends of threat landscape.
To learn more about APT threat landscape in Q3 2023, visit Securelist.com.
In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures: