Steganography, the practice of hiding information, has been around for centuries. More recently, it has been associated with some forms of cyber attacks. Read on to learn more about steganography examples, types of steganography, and steganography in cyber security.
What is steganography?
Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination.
Content concealed through steganography is sometimes encrypted before being hidden within another file format. If it isn’t encrypted, then it may be processed in some way to make it harder to detect.
As a form of covert communication, steganography is sometimes compared to cryptography. However, the two are not the same since steganography does not involve scrambling data upon sending or using a key to decode it upon receipt.
The term ‘steganography’ comes from the Greek words ‘steganos’ (which means hidden or covered) and ‘graphein’ (which means writing). Steganography has been practiced in various forms for thousands of years to keep communications private. For example, in ancient Greece, people would carve messages on wood and then use wax to conceal them. Romans used various forms of invisible ink, which could be deciphered when heat or light was applied.
Steganography is relevant to cybersecurity because ransomware gangs and other threat actors often hide information when attacking a target. For example, they might hide data, conceal a malicious tool, or send instructions for command-and-control servers. They could place all this information within innocuous-seeming image, video, sound, or text files.
How steganography works
Steganography works by concealing information in a way that avoids suspicion. One of the most prevalent techniques is called ‘least significant bit’ (LSB) steganography. This involves embedding the secret information in the least significant bits of a media file. For example:
- In an image file, each pixel is made up of three bytes of data corresponding to the colors red, green, and blue. Some image formats allocate an additional fourth byte to transparency, or ‘alpha’.
- LSB steganography alters the last bit of each of those bytes to hide one bit of data. So, to hide one megabyte of data using this method, you would need an eight-megabyte image file.
- Modifying the last bit of the pixel value doesn’t result in a visually perceptible change to the picture, which means that anyone viewing the original and the steganographically-modified images won’t be able to tell the difference.
The same method can be applied to other digital media, such as audio and video, where data is hidden in parts of the file that result in the least change to the audible or visual output.
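The LSB scheme described above, carried through in code. This is an added example, not code from the article; it assumes a constructed byte array of RGB pixel values in place of a real image file, so no image library is required.

```python
"""LSB embedding and extraction over raw RGB bytes (added example, not from the article).
The 'image' is a constructed bytearray standing in for decoded pixel data, so no
image library is needed; a real tool would read and write pixels with e.g. Pillow."""
import struct

def embed_lsb(cover: bytes, payload: bytes) -> bytearray:
    """Hide payload in the least significant bit of each cover byte.
    A 4-byte big-endian length header goes first so the extractor knows where
    the payload ends. Capacity is one payload bit per cover byte (8:1 ratio)."""
    message = struct.pack(">I", len(payload)) + payload
    if len(message) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(message) * 8} bytes, have {len(cover)}")
    stego = bytearray(cover)
    i = 0
    for byte in message:
        for shift in range(7, -1, -1):           # most significant bit first
            stego[i] = (stego[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return stego

def extract_lsb(stego: bytes) -> bytes:
    """Reverse of embed_lsb: read the LSB plane, decode the header, then the payload."""
    def read_bytes(offset: int, count: int) -> bytes:
        out = bytearray()
        for n in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + n * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    (length,) = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)      # header occupies the first 32 cover bytes

def max_byte_delta(cover: bytes, stego: bytes) -> int:
    """Largest per-byte change the embedding introduced; LSB replacement never exceeds 1,
    which is why the modified image is visually indistinguishable from the original."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed 64x64 RGB cover (12288 bytes, a smooth gradient), not a real photo.
COVER = bytes((x * 7 + c * 40) % 256 for x in range(64 * 64) for c in range(3))
SECRET = b"meet at dawn"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego))              # b'meet at dawn'
    print(max_byte_delta(COVER, stego))    # 1
```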
Another steganography technique is the use of word or letter substitution. This is where the sender of a secret message conceals the text by distributing it inside a much larger text, placing the words at specific intervals. While this substitution method is easy to use, it may also make the text look strange and out of place since the secret words might not fit logically within their target sentences.
Other steganography methods include hiding an entire partition on a hard drive or embedding data in the header section of files and network packets. The effectiveness of these methods depends on how much data they can hide and how easy they are to detect.
Types of steganography
From a digital perspective, there are five main types of steganography. These are:
- Text steganography
- Image steganography
- Video steganography
- Audio steganography
- Network steganography
Let’s look at each of these in more detail:
Text steganography
Text steganography involves hiding information inside text files. This includes changing the format of existing text, changing words within a text, using context-free grammars to generate readable texts, or generating random character sequences.
Image steganography
This involves hiding information within image files. In digital steganography, images are often used to conceal information because there are a large number of elements within the digital representation of an image, and there are various ways to hide information inside an image.
Audio steganography
Audio steganography involves secret messages being embedded into an audio signal, which alters the binary sequence of the corresponding audio file. Hiding secret messages in digital sound is a more difficult process than hiding them in other media.
Video steganography
This is where data is concealed within digital video formats. Video steganography allows large amounts of data to be hidden within a moving stream of images and sounds. Two types of video steganography are:
- Embedding data in uncompressed raw video and then compressing it later
- Embedding data directly into the compressed data stream
Network steganography
Network steganography, sometimes known as protocol steganography, is the technique of embedding information within the network control protocols used in data transmission, such as TCP, UDP, and ICMP.
Steganography vs. cryptography
Steganography and cryptography share the same goal – which is to protect a message or information from third parties – but they use different mechanisms to achieve it. Cryptography changes the information to ciphertext which can only be understood with a decryption key. This means that if someone intercepted this encrypted message, they could easily see that some form of encryption has been applied. By contrast, steganography doesn’t change the format of the information but instead conceals the existence of the message.
Steganography and NFTs
There is some overlap between steganography and NFTs or non-fungible tokens. Steganography is a technique for hiding files inside other files, whether that’s an image, a text, a video, or another file format.
When you create an NFT, you usually have the option to add additional content that can only be revealed by the NFT holder. Such content can be anything, including high-definition content, messages, video content, access to secret communities, discount codes, or even smart contracts or ‘treasures’.
As the art world continues to evolve, NFT techniques change with it. Designing NFTs with private metadata is something we can expect to see more of in the future, and applied in different ways – such as gaming, paywalls, event ticketing and so on.
Uses of steganography
In recent times, steganography has been mainly used on computers with digital data being the carriers and networks being the high-speed delivery channels. Steganography uses include:
- Avoiding censorship: Using it to send news information without it being censored and without fear of the messages being traced back to their sender.
- Digital watermarking: Using it to create invisible watermarks that do not distort the image, while being able to track if it has been used without authorization.
- Securing information: Used by law enforcement and government agencies to send highly sensitive information to other parties without attracting suspicion.
How steganography is used to deliver attacks
From a cybersecurity perspective, threat actors can use steganography to embed malicious data within seemingly innocuous files. Since steganography requires significant effort and nuance to get right, its use often involves advanced threat actors with specific targets in mind. Here are some ways in which attacks can be delivered via steganography:
Concealing malicious payloads in digital media files
Digital images can be prime targets because they contain a lot of redundant data that can be manipulated without noticeably altering how the image appears. Since their use is so widespread within the digital landscape, image files tend not to raise red flags about malicious intent. Videos, documents, audio files and even email signatures also offer potential alternative mediums for the use of steganography to plant malicious payloads.
Ransomware and data exfiltration
Ransomware gangs have learned that using steganography can help them carry out their attacks. Steganography can also be used in the data exfiltration stage of a cyberattack. By hiding sensitive data within legitimate communications, steganography provides a means to extract data without being detected. With many threat actors now viewing data exfiltration as the primary objective of cyberattacks, security specialists are getting better at implementing measures to detect when data is being extracted, often by monitoring encrypted network traffic.
Hiding commands in web pages
Threat actors may hide commands for their implants in web pages with whitespace and within debug logs posted to forums, covertly upload stolen data in images, and maintain persistence by storing encrypted code within specific locations.
Malvertising
Threat actors conducting malvertising campaigns can take advantage of steganography. They can embed malicious code inside online banner ads which, when loaded, extract malicious code and redirect users to an exploit kit landing page.
Examples of steganography used in cyber attacks
E-commerce skimming
In 2020, Dutch e-commerce security platform Sansec published research which showed that threat actors had embedded skimming malware inside Scalable Vector Graphics (SVG) on e-commerce checkout pages. The attacks involved a concealed malicious payload inside SVG images and a decoder hidden separately on other parts of the webpages.
Users who entered their details on the compromised checkout pages didn’t notice anything suspicious because the images were simple logos from well-known companies. Because the payload was contained within what appeared to be the correct use of SVG element syntax, standard security scanners searching for invalid syntax did not detect the malicious activity.
SolarWinds
Also in 2020, a group of hackers hid malware inside a legitimate software update from SolarWinds, maker of a popular IT infrastructure management platform. The hackers successfully breached Microsoft, Intel and Cisco, in addition to various US government agencies. Then, they used steganography to disguise the information they were stealing as seemingly benign XML files served in HTTP response bodies from control servers. The command data within those files was disguised as different strings of text.
Industrial enterprises
Again in 2020, businesses in the United Kingdom, Germany, Italy, and Japan were hit by a campaign using steganographic documents. Hackers avoided detection by using a steganographic image uploaded on reputable image platforms, like Imgur, to infect an Excel document. Mimikatz, a malware that steals Windows passwords, was downloaded via a secret script included in the picture.
How to detect steganography
The practice of detecting steganography is called ‘steganalysis’. There are various tools that can detect the presence of hidden data, including StegExpose and StegAlyze. Analysts may use other general analysis tools such as hex viewers to detect anomalies in files.
However, finding files that have been modified through steganography is a challenge – not least because knowing where to start looking for hidden data in the millions of images being uploaded on social media every day is virtually impossible.
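One steganalysis check for the LSB method described earlier, as an added example that is not part of the article: the pairs-of-values chi-square test (Westfeld and Pfitzmann) run over constructed sample bytes. The cover data, the bias in its LSBs and the detection threshold are all constructed for the demonstration.

```python
"""Pairs-of-values chi-square steganalysis (added example, not from the article).
Works on raw 8-bit samples (pixel channel bytes or audio samples). In unmodified
data the two values of each pair (2k, 2k+1) usually occur with unequal frequency;
full-capacity LSB replacement with random-looking secret bits evens the pairs out,
so a small chi-square distance between the pairs is a sign of an embedded payload."""
import random

def pov_chi_square(samples: bytes) -> float:
    """Average over value pairs of (observed_even - expected)^2 / expected, where
    expected = (count_even + count_odd) / 2 is what random LSBs would produce.
    A result close to 1 (the mean of a 1-d.o.f. chi-square) suggests LSB replacement."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
            pairs += 1
    return stat / pairs if pairs else 0.0

def looks_like_lsb_stego(samples: bytes, threshold: float = 3.0) -> bool:
    """Flag samples whose value pairs are 'too balanced'. The threshold is a constructed
    choice for this demo, not a calibrated value; real steganalysis tools tune it per
    file type and scan the file in windows to find partial embeddings."""
    return pov_chi_square(samples) < threshold

# Constructed data (not a real image): a cover whose LSB is biased towards 0,
# then the same cover with its LSB plane overwritten by random secret bits.
_rng = random.Random(7)
CLEAN = bytes((int(_rng.random() * 256) & 0xFE) | (_rng.random() < 0.2)
              for _ in range(8192))
STEGO = bytes((b & 0xFE) | (_rng.random() < 0.5) for b in CLEAN)

if __name__ == "__main__":
    print(round(pov_chi_square(CLEAN), 2), looks_like_lsb_stego(CLEAN))   # large, False
    print(round(pov_chi_square(STEGO), 2), looks_like_lsb_stego(STEGO))   # near 1, True
```

This test only reacts to sequential LSB replacement with a random-looking payload at or near full capacity; LSB matching (adding or subtracting 1) and sparse, scattered embedding leave the pair counts largely intact. That is one reason practical steganalysis combines several detectors rather than relying on a single statistic.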
Mitigating steganography-based attacks
Using steganography during an attack is relatively easy. Protecting against it is much more complicated, as threat actors are getting more innovative and more creative. Some mitigation measures include:
- Cybersecurity training can raise awareness of the risks involved in downloading media from untrusted sources. It can also teach people how to spot phishing emails which contain malicious files, and understand the prevalence of steganography as a cyber threat. On a basic level, teach individuals to look out for images with an unusually large file size, as that could indicate the presence of steganography.
- Organizations should implement web filtering for safer browsing and should also stay up to date with the latest security patches when updates are available.
- Companies should use modern endpoint protection technologies that go beyond static checks, basic signatures, and other outdated components as code hidden in images and other forms of obfuscation are more likely to be detected dynamically by a behavioral engine. Companies should focus their detection efforts directly at the endpoints where encryption and obfuscation are easier to detect.
- Companies should also use threat intelligence from multiple sources to keep updated with trends, including cyber attacks affecting their industry where steganography has been observed.
- Using a comprehensive antivirus solution will help to detect, quarantine, and delete malicious code from your devices. Modern antivirus products update themselves automatically, to provide protection against the latest viruses and other types of malware.