Cybersecurity experts at Kaspersky have uncovered a long-running espionage campaign, ominously dubbed “TetrisPhantom,” which specifically targets government entities in the Asia-Pacific (APAC) Region.
According to its latest quarterly advanced persistent threat (APT) threat landscape report, TetrisPhantom is a “highly sophisticated” and persistent threat with no discernible links to known threat actors.
Operated by a previously unknown actor, the TetrisPhantom campaign came to light early in 2023.
This covert operation involved the exploitation of a particular type of secure USB drive, specifically designed for secure data storage and encryption. These secure USB drives are widely employed by government organizations globally, suggesting the potential for similar techniques to be used against a broader range of entities.
“Further investigation revealed a long-running campaign consisting of various malicious modules, used to execute commands and collect files and information from compromised machines and pass them on to further machines using the same or other secure USB drives as a carrier. They are also capable of executing other malicious files on the infected systems,” the report read.
It added that the attack comprises sophisticated tools and techniques, including virtualization-based software obfuscation for malware components, low-level communication with the USB drive using direct small computer system interface (SCSI) commands, self-replication through connected secure USB drives to propagate to other air-gapped systems and injection of code into a legitimate access management program on the USB drive, which acts as a loader for the malware on a new machine.
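The propagation path described above (a secure USB drive is attached, and a loader planted on it runs on the new host) is one of the few stages of such a campaign that leaves ordinary endpoint telemetry. The following is an added detection example and not code from Kaspersky's report or from the TetrisPhantom toolset; it correlates constructed, simplified log records (a removable-volume arrival followed by a process launched from that volume within a short window) and flags the pair for analyst review. The log line format, host names and paths are all assumptions made for illustration.

```python
"""Toy SOC correlation rule: flag any executable launched from a removable
drive shortly after that drive was attached to the same host.

Added example, not Kaspersky's code.  The log format below is constructed:
    <iso-timestamp> <host> <kind> key=value ...
where <kind> is "usb_arrival" (with drive=) or "process_create" (with image=).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Constructed sample telemetry: one benign local process, one process started
# from a freshly attached drive (the pattern worth reviewing), and one process
# from a drive with no recorded arrival (ignored by this rule).
SAMPLE_LOG = """
2023-05-02T09:14:03 WS-ALPHA usb_arrival drive=E:
2023-05-02T09:14:41 WS-ALPHA process_create image=E:\\UsbManager\\launcher.exe
2023-05-02T09:20:10 WS-ALPHA process_create image=C:\\Windows\\System32\\notepad.exe
2023-05-02T10:02:00 WS-BETA process_create image=E:\\tools\\sync.exe
""".strip().splitlines()


@dataclass
class Event:
    ts: datetime
    kind: str          # "usb_arrival" or "process_create"
    host: str
    drive: str = ""    # drive letter of the removable volume (usb_arrival)
    image: str = ""    # full path of the new process (process_create)


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_s, host, kind, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(
        ts=datetime.fromisoformat(ts_s),
        kind=kind,
        host=host,
        drive=fields.get("drive", "").upper(),
        image=fields.get("image", ""),
    )


def removable_exec_alerts(lines: Iterable[str], window_s: int = 120) -> List[Tuple[str, str, int]]:
    """Return (host, image, seconds_after_arrival) for each process that was
    started from a removable drive within window_s seconds of that drive
    being attached to the same host."""
    arrivals = {}   # (host, drive letter) -> arrival timestamp
    alerts = []
    for ev in (parse_line(l) for l in lines if l.strip()):
        if ev.kind == "usb_arrival":
            arrivals[(ev.host, ev.drive)] = ev.ts
        elif ev.kind == "process_create":
            drive = ev.image[:2].upper()        # e.g. "E:" from "E:\..."
            arrived = arrivals.get((ev.host, drive))
            if arrived is not None and ev.ts - arrived <= timedelta(seconds=window_s):
                delta = int((ev.ts - arrived).total_seconds())
                alerts.append((ev.host, ev.image, delta))
    return alerts


if __name__ == "__main__":
    for host, image, delta in removable_exec_alerts(SAMPLE_LOG):
        print(f"REVIEW: {host} ran {image} {delta}s after drive attach")
```

The rule is deliberately narrow: it does not try to detect the raw SCSI traffic or the virtualized obfuscation the report mentions, only the observable "new removable volume, then execution from it" sequence. In a real SOC pipeline the same logic would consume device-arrival and process-creation events from the endpoint agent rather than a constructed text log, and the time window and any allow-list of expected drive-management executables would be tuned per environment.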
“The attacks were extremely targeted and had a quite limited number of victims. Our investigation revealed a high level of sophistication in the malicious tools used in the deployment of the attacks. We believe these attacks have been carried out by a highly skilled and resourceful threat actor interested in espionage activities in sensitive and protected government networks. It is therefore very important to build a deep understanding of the TTPs [tactics, techniques, and procedures] of this threat actor and to watch out for future attacks,” Kaspersky’s report warned.
Noushin Shabab, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT), noted that what is concerning about these attacks is the absence of any known threat actor’s identity, which indicates that this campaign is the work of a new adversary.
“Our investigation reveals a high level of sophistication, including virtualization-based software obfuscation, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected secure USBs. These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks,” Shabab explained.
As the TetrisPhantom campaign remains active, experts are closely monitoring its progress and anticipate even more sophisticated attacks in the future, she noted.
Shabab recommended that organizations regularly update their operating systems, applications, and antivirus software to patch any known vulnerabilities.
Organizations should also exercise caution when responding to emails, messages, or calls requesting sensitive information, and are advised to provide their Security Operations Center (SOC) team with access to the latest threat intelligence.
Shabab also proposed that organizations upskill their teams while implementing endpoint-level detection, investigation, and timely incident remediation by deploying solutions such as Kaspersky Endpoint Detection and Response (EDR).
She said by adhering to these measures, organizations could enhance their defenses against emerging threats like TetrisPhantom and protect their sensitive data from espionage attempts targeting government entities in the APAC region.
Image credits: AP/Pavel Golovkin