By planting a hidden partition on the devices beforehand, advanced persistent threat actors have been able to exfiltrate sensitive government data.

In early 2023, a long-running espionage campaign operated by a previously unknown actor came to the attention of cyber researchers. The attacks centered on a particular type of secure USB drive used by governments in the Asia Pacific region, chosen because it offers hardware encryption to secure the storage and transfer of data between computer systems.

The campaign, dubbed TetrisPhantom, involves installing a protected partition on the drive that can only be accessed via custom software bundled on an unencrypted part of the USB and via a passphrase known to the user. This hidden partition holds various malicious modules, through which the state-sponsored threat actor(s) can gain extensive control over the USB device in use. This allows command execution, data exfiltration and information retrieval from compromised machines. The stolen information can then be transferred to other machines, using the same or different secure USB drives as carriers.
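One check a defender can run against drives of this kind is to compare the partition table a secure USB actually exposes with the layout the vendor documents (typically a small unencrypted utility partition plus the encrypted area), so that an extra or re-typed partition stands out. The following is an added example, not code from the article or from Kaspersky's research: it parses the MBR partition table from the first 512 bytes of a device and reports entries that do not match a baseline. The baseline layout, the sample sectors and the use of partition type 0x1B for the unexpected entry are constructed for illustration; the raw sector would normally be read from `\\.\PhysicalDriveN` on Windows or `/dev/sdX` on Linux with administrative rights, and a GPT-formatted drive (protective MBR type 0xEE) would need a GPT header parser instead.

```python
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live at bytes 446..509
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR

# <B3sB3sII : status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries found in an MBR sector."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("need at least 512 bytes of sector 0")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector0[off:off + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def find_unexpected_partitions(sector0: bytes, baseline: set):
    """Compare the on-device table with a baseline of (type, lba_start, sectors).

    Returns (unexpected_entries, missing_baseline_tuples). An entry whose type,
    start or size differs from every baseline tuple is reported as unexpected;
    a baseline tuple with no matching entry is reported as missing.
    """
    found = parse_mbr(sector0)
    as_tuple = lambda e: (e["type"], e["lba_start"], e["sectors"])
    unexpected = [e for e in found if as_tuple(e) not in baseline]
    missing = sorted(baseline - {as_tuple(e) for e in found})
    return unexpected, missing


# --- constructed sample data (not captured from a real drive) ---------------

def build_entry(ptype: int, lba_start: int, sectors: int, bootable: bool = False) -> bytes:
    """Pack one partition table entry; CHS fields are zeroed, as LBA is authoritative."""
    return struct.pack(ENTRY_FORMAT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(entries: list) -> bytes:
    """Assemble a 512-byte MBR sector from up to four packed entries."""
    table = b"".join(entries) + b"\0" * (ENTRY_SIZE * (4 - len(entries)))
    return b"\0" * PARTITION_TABLE_OFFSET + table + BOOT_SIGNATURE


# Hypothetical vendor layout: one FAT32 (0x0C) utility partition at LBA 2048.
BASELINE = {(0x0C, 2048, 100_000)}
CLEAN_MBR = build_mbr([build_entry(0x0C, 2048, 100_000)])
# Same layout plus an extra hidden-FAT32 (0x1B) partition placed after it.
SUSPECT_MBR = build_mbr([build_entry(0x0C, 2048, 100_000),
                         build_entry(0x1B, 102_048, 50_000)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("suspect", SUSPECT_MBR)):
        unexpected, missing = find_unexpected_partitions(sector, BASELINE)
        print(f"{name}: unexpected={unexpected} missing={missing}")
```

Running the block prints no findings for the clean sector and one unexpected 0x1B entry for the suspect sector. A partition that is only reachable through the vendor's custom software may not appear in the MBR at all, so this check is a baseline-drift detector for the visible layout rather than proof that a drive is clean.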

Additionally, the attacks involved virtualization-based software obfuscation for malware components; low-level communication with the USB drive using direct SCSI commands; self-replication to propagate to other air-gapped systems; and injection of code into a legitimate access management program on the USB drive that acts as a loader for the malware on a new machine.

The advanced persistent threat group involved is also confirmed to execute other malicious files on its highly targeted victims.

According to Noushin Shabab, Senior Security Researcher in the Global Research and Analysis Team at Kaspersky, the firm that announced the research: “Our investigation reveals a high level of sophistication, including virtualization-based software obfuscation, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected secure USBs. These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks.”

Kaspersky researchers have not observed any overlap with existing threat actors. With the campaign still ongoing, they will continue to track its progress and expect to see more sophisticated attacks from this actor in the future. In the meantime, the campaign has highlighted the importance of protecting containerization architecture, whose security is not widely addressed by endpoint detection and response solutions.