Steganography, the practice of hiding information, has been around for centuries. More recently, it has been associated with some forms of cyber attacks. Read on to learn more about steganography examples, types of steganography, and steganography in cyber security.
Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination.
Content concealed through steganography is sometimes encrypted before being hidden within another file format. If it isn’t encrypted, then it may be processed in some way to make it harder to detect.
As a form of covert communication, steganography is sometimes compared to cryptography. However, the two are not the same since steganography does not involve scrambling data upon sending or using a key to decode it upon receipt.
The term ‘steganography’ comes from the Greek words ‘steganos’ (which means hidden or covered) and ‘graphein’ (which means writing). Steganography has been practiced in various forms for thousands of years to keep communications private. For example, in ancient Greece, people would carve messages on wood and then use wax to conceal them. Romans used various forms of invisible inks, which could be deciphered when heat or light were applied.
Steganography is relevant to cybersecurity because ransomware gangs and other threat actors often hide information when attacking a target. For example, they might hide data, conceal a malicious tool, or send instructions for command-and-control servers. They could place all this information within innocuous-seeming image, video, sound, or text files.
Steganography works by concealing information in a way that avoids suspicion. One of the most prevalent techniques is called ‘least significant bit’ (LSB) steganography. This involves embedding the secret information in the least significant bits of a media file. For example:
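The following is an added example, not code from the original article, that shows LSB embedding and extraction on a constructed 8-bit grayscale image held as a flat sequence of pixel bytes. The 4-byte length prefix is our own framing assumption for this example; real tools use their own container formats.

```python
# Added example (not code from the original article): LSB embedding and
# extraction on a constructed 8-bit grayscale image, represented as a flat
# bytearray of pixel values. The 4-byte length prefix is our own framing
# convention, assumed for this example only.

LENGTH_PREFIX_BYTES = 4  # assumed framing: big-endian payload length first


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytearray:
    """Return a copy of `cover` whose least significant bits carry `payload`.

    Each pixel changes by at most 1, so the image looks unchanged to the eye.
    """
    framed = len(payload).to_bytes(LENGTH_PREFIX_BYTES, "big") + payload
    needed = len(framed) * 8  # one payload bit per pixel
    if needed > len(cover):
        raise ValueError(f"cover holds {len(cover)} bits, payload needs {needed}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Reassemble the payload from the LSB plane, honouring the length prefix."""

    def read_bytes(start_pixel: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_pixel + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    header_pixels = LENGTH_PREFIX_BYTES * 8
    if len(stego) < header_pixels:
        raise ValueError("image too small to contain a length prefix")
    length = int.from_bytes(read_bytes(0, LENGTH_PREFIX_BYTES), "big")
    if header_pixels + length * 8 > len(stego):
        raise ValueError("length prefix exceeds image capacity: not our framing")
    return read_bytes(header_pixels, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 64x64 diagonal gradient, 4096 pixels, one byte each.
COVER = bytes((x + y) % 256 for y in range(64) for x in range(64))

if __name__ == "__main__":
    secret = b"meet at noon"
    stego = lsb_embed(COVER, secret)
    print("recovered:", lsb_extract(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
```

Running the block recovers the payload exactly while no pixel value moves by more than 1, which is why the change is invisible to a viewer. The capacity is one bit per pixel, so a 4096-pixel cover carries at most 512 bytes including the prefix; this is the constraint the text refers to when it says effectiveness depends on how much data a method can hide.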
The same method can be applied to other digital media, such as audio and video, where data is hidden in parts of the file that result in the least change to the audible or visual output.
Another steganography technique is the use of word or letter substitution. This is where the sender of a secret message conceals the text by distributing it inside a much larger text, placing the words at specific intervals. While this substitution method is easy to use, it may also make the text look strange and out of place since the secret words might not fit logically within their target sentences.
Other steganography methods include hiding an entire partition on a hard drive or embedding data in the header section of files and network packets. The effectiveness of these methods depends on how much data they can hide and how easy they are to detect.
From a digital perspective, there are five main types of steganography: text, image, audio, video, and network steganography.
Let’s look at each of these in more detail:
Text steganography involves hiding information inside text files. This includes changing the format of existing text, changing words within a text, using context-free grammars to generate readable texts, or generating random character sequences.
Image steganography involves hiding information within image files. In digital steganography, images are often used to conceal information because there are a large number of elements within the digital representation of an image, and there are various ways to hide information inside an image.
Audio steganography involves secret messages being embedded into an audio signal which alters the binary sequence of the corresponding audio file. Hiding secret messages in digital sound is a more difficult process compared to others.
Video steganography is where data is concealed within digital video formats. It allows large amounts of data to be hidden within a moving stream of images and sounds. Two types of video steganography are:
Network steganography, sometimes known as protocol steganography, is the technique of embedding information within network control protocols used in data transmission, such as TCP, UDP, and ICMP.
Steganography and cryptography share the same goal – which is to protect a message or information from third parties – but they use different mechanisms to achieve it. Cryptography changes the information to ciphertext which can only be understood with a decryption key. This means that if someone intercepted this encrypted message, they could easily see that some form of encryption has been applied. By contrast, steganography doesn’t change the format of the information but instead conceals the existence of the message.
There is some overlap between steganography and NFTs or non-fungible tokens. Steganography is a technique for hiding files inside other files, whether that’s an image, a text, a video, or another file format.
When you create an NFT, you usually have the option to add additional content that can only be revealed by the NFT holder. Such content can be anything, including high-definition content, messages, video content, access to secret communities, discount codes, or even smart contracts, or ‘treasures’.
As the art world continues to evolve, NFT techniques change with it. Designing NFTs with private metadata is something we can expect to see more of in the future, and applied in different ways – such as gaming, paywalls, event ticketing and so on.
In recent times, steganography has been mainly used on computers with digital data being the carriers and networks being the high-speed delivery channels. Steganography uses include:
From a cybersecurity perspective, threat actors can use steganography to embed malicious data within seemingly innocuous files. Since steganography requires significant effort and nuance to get right, its use often involves advanced threat actors with specific targets in mind. Here are some ways in which attacks can be delivered via steganography:
Concealing malicious payloads in digital media files
Digital images can be prime targets because they contain a lot of redundant data that can be manipulated without noticeably altering how the image appears. Since their use is so widespread within the digital landscape, image files tend not to raise red flags about malicious intent. Videos, documents, audio files and even email signatures also offer potential alternative mediums for the use of steganography to plant malicious payloads.
Ransomware and data exfiltration
Ransomware gangs have also learned that using steganography can help them carry out their attacks. Steganography can also be used in the data exfiltration stage of a cyberattack. By hiding sensitive data within legitimate communications, steganography provides a means to extract data without being detected. With many threat actors now viewing data exfiltration as the primary objective for cyberattacks, security specialists are getting better at implementing measures to detect when data is being extracted, often by monitoring encrypted network traffic.
Hiding commands in web pages
Threat actors may hide commands for their implants in web pages with whitespace and within debug logs posted to forums, covertly upload stolen data in images, and maintain persistence by storing encrypted code within specific locations.
Threat actors conducting malvertising campaigns can take advantage of steganography. They can embed malicious code inside online banner ads which, when loaded, extract malicious code and redirect users to an exploit kit landing page.
In 2020, Dutch e-commerce security platform Sansec published research which showed that threat actors had embedded skimming malware inside Scalable Vector Graphics (SVG) on e-commerce checkout pages. The attacks involved a concealed malicious payload inside SVG images and a decoder hidden separately on other parts of the webpages.
Users who entered their details on the compromised checkout pages didn’t notice anything suspicious because the images were simple logos from well-known companies. Because the payload was contained within what appeared to be the correct use of SVG element syntax, standard security scanners searching for invalid syntax did not detect the malicious activity.
Also in 2020, a group of hackers hid malware inside a legitimate software update from SolarWinds, maker of a popular IT infrastructure management platform. The hackers successfully breached Microsoft, Intel and Cisco, in addition to various US government agencies. Then, they used steganography to disguise the information they were stealing as seemingly benign XML files served in HTTP response bodies from control servers. The command data within those files was disguised as different strings of text.
Again in 2020, businesses in the United Kingdom, Germany, Italy, and Japan were hit by a campaign using steganographic documents. Hackers avoided detection by using a steganographic image uploaded on reputable image platforms, like Imgur, to infect an Excel document. Mimikatz, a malware that steals Windows passwords, was downloaded via a secret script included in the picture.
The practice of detecting steganography is called ‘steganalysis’. There are various tools that can detect the presence of hidden data, including StegExpose and StegAlyze. Analysts may use other general analysis tools such as hex viewers to detect anomalies in files.
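As an added example of what a steganalysis check looks like in practice (not code from the original article or from the tools it names), the block below implements the classic "pairs of values" chi-square statistic for LSB embedding. The cover and stego images are constructed inline; the detection threshold is an assumed, illustrative cut-off.

```python
# Added example (not from the original article or any named tool): the
# "pairs of values" chi-square test, a classic steganalysis statistic for
# LSB embedding. Sample images are constructed inline.
import random
from typing import Tuple


def pairs_of_values_chi_square(pixels: bytes) -> Tuple[float, int]:
    """Return (chi_square, degrees_of_freedom) over value pairs (2k, 2k+1).

    LSB replacement moves pixels only between the two members of a pair, so
    embedding random-looking data pushes each pair towards equal counts.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi, categories = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2  # what equal pairs would look like
        if expected > 0:
            chi += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
            categories += 1
    return chi, max(categories - 1, 1)


def lsb_looks_randomized(pixels: bytes, threshold: float = 2.0) -> bool:
    """Flag an image whose value pairs are as equal as chance would make them.

    chi/df is about 1 when the LSB plane is random (typical after embedding
    compressed or encrypted data) and much larger when the histogram keeps
    structure. The threshold is an assumed, illustrative cut-off.
    """
    chi, df = pairs_of_values_chi_square(pixels)
    return chi / df < threshold


# Constructed cover: a 64x64 pattern whose values were quantised to even
# numbers, as happens to images after some contrast adjustments. Every pair
# (2k, 2k+1) is therefore lopsided before embedding.
COVER = bytes(((3 * x + 2 * y) % 256) & 0xFE for y in range(64) for x in range(64))

# Constructed stego image: the cover with its LSB plane replaced by random bits,
# which is what LSB-embedding encrypted data looks like to this statistic.
_rng = random.Random(12345)  # fixed seed so the example is reproducible
STEGO = bytes((p & 0xFE) | _rng.getrandbits(1) for p in COVER)

if __name__ == "__main__":
    for name, img in (("cover", COVER), ("stego", STEGO)):
        chi, df = pairs_of_values_chi_square(img)
        print(f"{name}: chi2/df = {chi / df:.2f}, flagged = {lsb_looks_randomized(img)}")
```

The cover scores far above the threshold because its quantised histogram leaves every pair unbalanced, while the stego version drops to roughly 1 and is flagged. The caveat a practitioner should keep in mind is the one the text hints at: an image whose histogram is already flat (a synthetic gradient, a heavily dithered photo) produces equal pairs without any embedding, so this single statistic yields false positives and real steganalysis tools combine several such tests rather than relying on one.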
However, finding files that have been modified through steganography is a challenge – not least because knowing where to start looking for hidden data in the millions of images being uploaded on social media every day is virtually impossible.
Using steganography during an attack is relatively easy. Protecting against it is much more complicated, as threat actors are getting more innovative and more creative. Some mitigation measures include: