Cybersecurity experts at Kaspersky have unveiled a covert and highly advanced espionage campaign, codenamed “TetrisPhantom.”
The persistent operation has specifically targeted government institutions in the Asia-Pacific region (APAC), utilizing a unique method involving secure USB drives for data infiltration. Kaspersky’s findings are part of their latest quarterly APT threat landscape report.
The clandestine campaign, which first came to light in early 2023, is orchestrated by an elusive and unidentified threat actor. Its strategic focus on exploiting secure USB drives sets this operation apart.
Government organizations commonly use these removable drives to securely store and transfer sensitive data, implying that similar infiltration techniques could affect government entities worldwide.
According to Kaspersky, TetrisPhantom deploys a range of malicious modules that allow the attacker to gain extensive control over their victim’s device. This level of control enables the execution of commands, data extraction from compromised systems and transfer of pilfered information using secure USB drives as discreet carriers.
Furthermore, the attackers can introduce other malicious files into the infiltrated systems.
“Our investigation reveals a high level of sophistication, including virtualization-based software obfuscation, low-level communication with the USB drive using direct SCSI commands and self-replication through connected, secure USBs,” noted Noushin Shabab, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
“These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks.”
To shield against these targeted attacks, Kaspersky researchers advocate a proactive approach. This includes maintaining up-to-date software, exercising caution with unsolicited requests for sensitive information, providing cybersecurity teams with the latest threat intelligence, enhancing team skills and implementing endpoint detection and response solutions.
Kaspersky will provide additional information about the TetrisPhantom threat at the Security Analyst Summit (SAS) scheduled for October 25–28.