Government entities in the Asia-Pacific (APAC) region are the target of a long-running cyber espionage campaign dubbed TetrisPhantom.
“The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems,” Kaspersky said in its APT trends report for Q3 2023.
The Russian cybersecurity firm, which detected the ongoing activity in early 2023, said the USB drives offer hardware encryption and are employed by government organizations worldwide to securely store and transfer data, raising the possibility that the attacks could expand in the future to have a global footprint.
The clandestine intrusion set has not been linked to any known threat actor or group, but the high-level of sophistication of the campaign points to a nation-state crew.
“These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks,” Noushin Shabab, senior security researcher at Kaspersky, said. “The attacks were extremely targeted and had a quite limited number of victims.”
A key hallmark of the campaign is the use of various malicious modules to execute commands and collect files and information from compromised machines and propagate the infection to other machines using the same or other secure USB drives as a vector.
The malware components, besides self-replicating through connected secure USB drives to breach air-gapped networks, are also capable of executing other malicious files on the infected systems.
“The attack comprises sophisticated tools and techniques,” Kaspersky said, adding the attack sequences also entailed the “injection of code into a legitimate access management program on the USB drive which acts as a loader for the malware on a new machine.”
The disclosure comes as a new and unknown advanced persistent threat (APT) actor has been linked to a set of attacks targeting government entities, military contractors, universities, and hospitals in Russia via spear-phishing emails containing booby-trapped Microsoft Office documents.
“This initiates a multi-level infection scheme leading to the installation of a new Trojan, which is primarily designed to exfiltrate files from the victim’s machine and gain control by executing arbitrary commands,” Kaspersky said.
The attacks, codenamed BadRory by the company, played out in the form of two waves – one in October 2022, followed by a second in April 2023.