A malicious player, dubbed ‘TetrisPhantom,’ targets government entities in the Asia-Pacific region (APAC) by launching persistent campaigns compromising a secure USB drive, used to provide encryption for safe data storage. Kaspersky details the discovery in their new quarterly APT threat landscape report.
Attack strategy
TetrisPhantom harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive employed by government organisations worldwide. The attacker can gain control over the victims’ device allowing them to execute commands, and collect files and information to transfer them from one machine to another using USB drives.
“Our investigation reveals a high level of sophistication, including virtualisation-based software obfuscation, low-level communication with the USB drive using direct SCSI commands, and self-replication through connected secure USBs. These operations were conducted by a highly skilled and resourceful threat actor, with a keen interest in espionage activities within sensitive and safeguarded government networks,” said Noushin Shabab, senior security researcher at Kaspersky’s Global Research and Analysis Team (GReAT).
Kaspersky researchers found that TetrisPhantom does not overlap with any existing threat actor. Its progress is still being monitored as more complex attacks are expected in the future.
Countermeasures
Kaspersky recommends regularly updating operating systems, applications, and antivirus software, being cautious of emails, messages, or calls asking for sensitive information, providing SOC teams with access to the latest threat intelligence (TI), upskilling cybersecurity teams, and implementing EDR solutions.