Persistent spying campaign targets APAC governments


Kaspersky cybersecurity experts have revealed a secret and highly advanced spying campaign called “TetrisPhantom”.

The persistent operation specifically targeted government institutions in the Asia-Pacific (APAC) region, using a unique method involving secure USB drives for data infiltration. Kaspersky’s findings are part of its latest quarterly report on the APT threat landscape.

The clandestine campaign, which was first revealed in early 2023, is orchestrated by an elusive and unidentified threat actor. Its strategic focus on the exploitation of secure USB keys sets this operation apart.

Government organizations commonly use these removable drives to securely store and transfer sensitive data, implying that similar infiltration techniques could affect government entities around the world.

According to Kaspersky, TetrisPhantom deploys a series of malicious modules that allow the attacker to gain extensive control over their victim’s device. This level of control allows execution of commands, extraction of data from compromised systems, and transfer of stolen information using secure USB drives as discreet media.

Additionally, attackers can introduce other malicious files into the infiltrated systems.

Learn more about USB threats: USB drives used as Trojan horses by Camaro Dragon

“Our investigation reveals a high level of sophistication, including virtualization-based software obfuscation, low-level communication with the USB drive using direct SCSI commands, and self-replication via attached and secure USB drives,” noted Noushin Shabab, senior security researcher at Kaspersky Global Research and Analysis Team (GReAT).

“These operations were carried out by a highly skilled and resourceful threat actor with a keen interest in espionage activities within sensitive and protected government networks. »

To protect against these targeted attacks, Kaspersky researchers recommend a proactive approach. This includes keeping software up to date, being cautious of unsolicited requests for sensitive information, providing cybersecurity teams with the latest threat intelligence, upskilling teams, and implementing detection solutions and response to endpoints.

Kaspersky will provide additional information on the TetrisPhantom threat at Security Analyst Summit (SAS) scheduled for October 25-28.

Leave a comment