Clever hackers use a range of techniques to cover their tracks on a target computer, from benign-looking communication protocols to self-erasing software programs.
It’s not very often, though, that digital attackers turn to Morse Code, a 177-year-old signaling system, for operational security. Yet that’s exactly what played a part in a year-long phishing campaign that Microsoft researchers outlined on Thursday.
Morse Code — a method of representing characters with dots and dashes popularized by telegraph technology — was one of several methods that the hackers, whom Microsoft did not identify, used to obscure malicious software. It’s a reminder that, for all of their complexities, modern offensive and defensive cyber measures often rest on the simple concept of concealing and cracking code.
Hackers were sending select targets fake invoices to try to convince them to cough up their passwords and, in some cases, to collect IP addresses and location data of victim machines. The hackers changed their encryption schemes every month to try to hide their activity.
Microsoft analysts likened the malicious attachments the hackers used to steal usernames and passwords from victims, and then to try to gain further access to networks, to a “jigsaw puzzle.”
“[O]n their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions,” Microsoft said in a blog post. “Only when these segments are put together and properly decoded does the malicious intent show.”
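The segment-and-decode behaviour that quote describes, as an added triage example that is not Microsoft's code or a sample from the campaign: it pulls Morse-looking string literals out of a constructed HTML attachment, decodes and joins them, and reports which keywords surface only once the pieces are assembled. The keyword list and the sample attachment are assumptions for illustration.

```python
import re

# International Morse for A-Z and 0-9, the characters an attachment needs
# to spell out things like field names and hostnames.
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# A quoted string literal made only of dots, dashes and spaces, at least two tokens long.
MORSE_LITERAL = re.compile(r"['\"]([.\-]+(?: [.\-]+)+)['\"]")

def decode_morse(segment):
    """Decode one space-separated Morse string; None if any token is not Morse."""
    letters = [MORSE.get(tok) for tok in segment.split()]
    if not letters or None in letters:
        return None
    return "".join(letters)

def extract_morse_segments(html):
    """Return every Morse-looking string literal in the attachment, in file order."""
    return MORSE_LITERAL.findall(html)

def triage_attachment(html, keywords=("PASSWORD", "LOGIN", "HTTP")):
    """Decode each segment, join them, and list keywords visible only in the joined text."""
    decoded = [d for d in map(decode_morse, extract_morse_segments(html)) if d is not None]
    joined = "".join(decoded)
    per_segment_hits = {k for k in keywords for d in decoded if k in d}
    joined_hits = {k for k in keywords if k in joined}
    return {"segments": decoded, "joined": joined,
            "hidden_until_joined": sorted(joined_hits - per_segment_hits)}

# Constructed sample (assumption, not a real campaign file): three separate
# <script> blocks, each holding a literal that looks harmless on its own.
SAMPLE_HTML = """<html><body>
<script>var a = '.--. .- ... ...';</script>
<p>Invoice attached</p>
<script>var b = '.-- --- .-. -..';</script>
<script>var c = '..-. --- .-. --';</script>
</body></html>"""

if __name__ == "__main__":
    print(triage_attachment(SAMPLE_HTML))
```

Run on its own the script reports that "PASSWORD" appears in none of the three segments individually but does appear once they are joined, which is the jigsaw effect the quote describes.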
Microsoft has yet to attribute the hackers to a known group, according to Christian Seifert, principal research manager at Microsoft’s M365 Security unit. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.
Update, 08/13/21: This story has been updated with a comment from Microsoft researcher Christian Seifert.