An ongoing cyber espionage campaign, tracked as TetrisPhantom, is targeting government institutions in the Asia-Pacific (APAC) region. The attackers have covertly collected sensitive data from APAC government organizations by abusing secure, hardware-encrypted USB drives of the kind normally used for protected storage and transfer of data between systems. Kaspersky described the campaign in its APT Trends report for the third quarter of 2023 and warned that it could spread beyond the region, since the same class of secure USB drive is used by government institutions worldwide.
The targeting is narrow and the victim count small, which together with the sophistication of the tooling points to a nation-state actor. The group behind TetrisPhantom is skilled and inventive, and its interest lies squarely in espionage against secure government networks.
The campaign's defining feature is a set of malicious modules that execute commands, collect data from compromised machines, and spread to other systems by using the secure USB drives themselves as the vector; the modules can also run additional malicious payloads on infected hosts. The operators' tooling is advanced: malware components are protected with virtualization-based software obfuscation, the malware self-replicates onto connected secure USB drives in order to reach air-gapped networks, and code is injected into the drive's legitimate access-management program so that it acts as a loader for the malware on each new machine the drive is plugged into.
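The last technique above, a trojanized copy of the vendor's own access-management executable living on the drive, is something a defender can check for without knowing anything about the specific malware: record the hashes of the executables on a known-good drive and compare every drive that is plugged in against that baseline. The script below is an added illustration of that control, not Kaspersky's tooling or any vendor's software; the file names (`Launcher.exe`, `lib/Access.dll`), the directory layout and the tampering scenario are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Only these file types are treated as executable content worth baselining.
# Hypothetical list; extend it for the drive vendor's actual payload (e.g. .cab, .msi).
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large installers on the drive do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every executable under root.

    Run this once against a drive fresh from the vendor (the known-good
    reference) and store the result somewhere the drive cannot modify.
    Paths are normalised to forward slashes so the baseline is OS-independent.
    """
    baseline: dict[str, str] = {}
    for entry in root.rglob("*"):
        if entry.is_file() and entry.suffix.lower() in EXECUTABLE_SUFFIXES:
            rel = str(entry.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = sha256_file(entry)
    return baseline


def audit_drive(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the executables on a mounted drive with the stored baseline.

    Returns three sorted lists:
      modified   - a baselined executable whose hash changed (e.g. an injected loader)
      unexpected - an executable that is not in the baseline at all (a dropped module)
      missing    - a baselined executable that is no longer present
    Any non-empty list means the drive should not be trusted on this host.
    """
    current = build_baseline(root)
    findings: dict[str, list[str]] = {"modified": [], "unexpected": [], "missing": []}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["unexpected"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
    findings["missing"] = [rel for rel in baseline if rel not in current]
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean reference drive and a suspect drive with the
    same layout, where the launcher has had bytes appended and an extra DLL dropped."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        good_root, suspect_root = Path(good), Path(suspect)
        # Constructed sample content standing in for the vendor's files.
        files = {
            "Launcher.exe": b"vendor launcher v1",
            "lib/Access.dll": b"vendor access library",
            "README.txt": b"documentation, not baselined",
        }
        for rel, data in files.items():
            for root in (good_root, suspect_root):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        baseline = build_baseline(good_root)

        # Simulated tampering on the suspect drive: code appended to the legitimate
        # launcher and a previously unseen module written alongside the library.
        (suspect_root / "Launcher.exe").write_bytes(files["Launcher.exe"] + b"\x90\x90injected stub")
        (suspect_root / "lib" / "helper.dll").write_bytes(b"unknown module")

        return audit_drive(suspect_root, baseline)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category:10s} {paths}")
```

The baseline must be stored off the drive (a host-side allowlist or a signed file on a management server), because a drive that can rewrite its own launcher can equally rewrite a hash list kept next to it. In production the check would be triggered from a removable-media mount event and the drive quarantined, rather than merely reported, when any list is non-empty.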
Separately, a previously unknown advanced persistent threat (APT) actor, codenamed BadRory, has targeted government institutions, military contractors, universities and hospitals in Russia. It uses spear-phishing emails carrying crafted Microsoft Office documents to start a multi-stage infection chain that ends with a new Trojan capable of exfiltrating files and executing arbitrary commands on the victim's machine.
Beyond these two campaigns, the quarter's APT activity spanned Europe, South America, the Middle East and other parts of Asia, and hit organizations in government, military, defense, gaming, software, entertainment, utilities, banking and manufacturing. Cyber espionage driven by geopolitical factors remains the dominant motive. Understanding these actors' tactics, techniques and procedures (TTPs) is therefore essential to staying alert to future attacks.