Every great spy movie has a hero hiding data to evade the bad guy’s reach. The real world is no different, thanks to the power of steganography.
This article answers two questions: “What is steganography?” and “How can you use it to hide data in the real world?” It looks at when you should use steganography, how it differs from cryptography, and how it can be practically applied to text, images, audio, video, files, and network communication. Finally, the article provides real-world examples of when steganography has been used to evade detection and entertain cyber sleuths.
So get your Martini shaken, not stirred, and let’s discover the mysterious world of steganography.
Understanding Steganography
Steganography is the practice of hiding information in plain sight. It involves concealing data you want to keep secret in non-secret data called carrier data (e.g., an inconspicuous image, a popular audio file, or within a text document). By cleverly blending secret and non-secret information, it becomes difficult for a third party to detect the hidden information.
Much like cryptography, concealing sensitive information has been around for a long time and can be used for legitimate or nefarious purposes. However, unlike cryptography, steganography focuses on hiding a message within innocuous carrier data rather than using encryption to protect it.
The general idea is to surround the hidden message with an overwhelming amount of carrier data so that it becomes near impossible to find unless you know what you are looking for, similar to “finding a needle in a haystack.” Steganography is commonly used for:
- Digital watermarking
- Data protection
- Covert communication
- Hiding sensitive information
- Evading digital forensics
- Hiding malicious software
Advantages of steganography:
Disadvantages of steganography:
Types of Steganography
You can discreetly hide a message in text, audio messages, video, computer files, and within network communication. Each medium can conceal a hidden message among a sea of carrier data.
Text Steganography
In text steganography, the secret information is hidden within the text of a document. For instance, it is hidden in the text's formatting, punctuation, spacing, or individual characters. The changes made to hide this secret information are designed to be innocuous to a third-party observer, with only someone knowing how the hidden message was concealed being able to reveal it.
This is one of the oldest forms of steganography, and its methods vary significantly in complexity. Simple methods like letter shifting or word substitution have the potential to be spotted by a well-trained human eye, while more complex methods use statistical or linguistic analysis to encode the message within the text and require specialized tools to detect.
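Spacing-based hiding is the easiest kind of text steganography to check for, since trailing spaces and tabs (the carrier the Snow tool uses) and zero-width characters are invisible on screen but plain in the raw bytes. The scanner below is an added example, not code from the original article; the sample text and the function name `scan_text` are constructed for illustration.

```python
import re
import unicodedata

# Invisible code points that can carry bits inside otherwise normal text.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
TRAILING_WS = re.compile(r"[ \t]+$")


def scan_text(text):
    """Return (line_no, kind, detail) findings for invisible-character carriers."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        line = line.rstrip("\r")  # tolerate CRLF line endings
        match = TRAILING_WS.search(line)
        if match:
            run = match.group(0)
            # A mix of spaces and tabs at end of line rarely happens by accident.
            mixed = " " in run and "\t" in run
            kind = "trailing-mixed" if mixed else "trailing-ws"
            findings.append((line_no, kind, repr(run)))
        hidden = [ch for ch in line if ch in ZERO_WIDTH]
        if hidden:
            names = sorted({unicodedata.name(ch, hex(ord(ch))) for ch in hidden})
            findings.append((line_no, "zero-width", f"{len(hidden)} x {', '.join(names)}"))
    return findings


# Constructed sample: line 2 ends in a space/tab pattern, line 3 contains
# zero-width characters, line 4 has plain trailing spaces.
SAMPLE = (
    "Meeting moved to Thursday.\n"
    "Bring the quarterly report. \t \t\t\n"
    "See\u200b you\u200c there.\n"
    "Regards,   \n"
)

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Plain trailing spaces are common in ordinary documents, so treat `trailing-ws` as low signal and the mixed space/tab and zero-width findings as the ones worth a closer look.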
You can learn how to use the Snow tool in this video:
Image Steganography
Image steganography hides your secret message inside an image file without noticeably altering the image. The changes within the file are so small that they are imperceptible to a third-party observer who views the image, and without specialized tools, the hidden message is undetectable.
Image steganography is often used to add digital watermarks to images so a photographer can protect themselves from someone stealing their work.
Various methods are used to perform image steganography. These include:
- Least Significant Bit (LSB) insertion: Similar to image compression techniques, this involves substituting the least significant bit of each pixel with a bit from the secret message to have a minimal impact on the pixel’s color.
- Spread spectrum: Where the secret message is spread across multiple pixels using techniques like frequency domain manipulation or random noise generation so the change to the image is unnoticeable.
- Transform domain techniques: Where transformations like Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT) are used to embed the secret message in the transformed coefficients.
Tools used to perform image steganography:
Watch Nathan House demonstrate image steganography here:
Audio Steganography
Audio steganography is a technique for hiding your secret message within an audio signal without changing the original sound. To recover the message, the recipient usually runs the audio file through a specialized extraction tool.
Audio steganography can be performed using several different methods, such as:
- Least Significant Bit (LSB) substitution: Similar to LSB insertion used to perform image steganography, this method substitutes the least significant bits of audio samples with the secret message. These modifications are imperceptible in the audio quality.
- Phase coding: Where you modify the phase information of the audio signal to encode your secret message. Altering the phase relationships between different audio segments allows you to embed a message without significantly affecting the audio quality.
- Spread spectrum: This is similar to image steganography, where the secret message is spread across multiple small components within a file. However, the message is spread across multiple frequency components in the audio signal instead of pixels.
- Echo hiding: Involves inserting echoes or delays in specific parts of the audio signal that are imperceptible to the human ear and mask the secret message with the original audio signal.
Tools used to perform audio steganography:
See how audio steganography can be used in this CTF challenge:
Video Steganography
In video steganography, you hide your secret message within a video file in a way that does not significantly affect the visual or audio quality. You then use a specialized steganography tool to extract the secret message from the video file.
Video steganography is often used legitimately for adding digital watermarks or copyright protection to film clips. This allows a film studio to track down the offender if their video files are leaked.
There are various methods used to perform video steganography. Some popular ones include:
- Frame manipulation: This is where individual video frames are modified to embed your secret message. These modifications can alter pixel values, color components, or motion vectors and are all imperceptible when playing the video.
- Spatial domain techniques: This category of techniques manipulates the individual pixel values of video frames. They include LSB substitution, spatial transformations, and color conversions to embed secret messages.
- Transform domain techniques: These techniques are similar to those used to perform image steganography, such as Discrete Cosine Transform (DCT), and embed data within the transformed representations of video frames. The Discrete Wavelet Transform (DWT) is specific to video steganography, which embeds data within the transformed coefficients of the video’s audio.
- Temporal domain techniques: These techniques exploit the temporal properties of video files, such as modifying the timing, order, or duration of video frames to hide your secret message.
Tools used to perform video steganography:
File Steganography
File steganography involves hiding your secret message within the format or structure of a computer file. The secret message is embedded within the file’s metadata rather than the file's actual data. The file can be any type (e.g., audio, video, text, image, etc.).
The methods used to perform file steganography vary based on the type of file the secret message is hidden within. Common methods include:
- File format-specific techniques: Different file formats have different characteristics and structures that you can hide data within. For instance, some Microsoft documents are XML documents packaged inside a ZIP archive file (e.g., docx, xlsx, etc.). You can hide a secret message within this ZIP archive without affecting the document's data.
- File container techniques: This involves using a file as a container for your secret message. The message is inserted into specific areas of the file that are unused or the least significant, such as metadata.
- Encryption-based techniques: This technique is popular in modern steganography tools. They encrypt the secret messages and embed them within the carrier file through file compression.
- Steganographic file systems: This method is popular among cybercriminals or spies who need to hide secret data on their computer devices. It involves creating a special file system capable of storing and retrieving hidden data spread across the entire file system structure. This makes it difficult to detect without knowing the steganographic scheme used.
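For the ZIP-packaged Office formats mentioned in the first method, a defender can audit the package itself. The following added example (not from the original article) lists archive members that `[Content_Types].xml` does not declare and counts bytes stored in the ZIP comment or appended after the archive; the sample package, the member name `word/media/notes.bin`, and the function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def audit_ooxml(data: bytes) -> dict:
    """Report ZIP members not declared in [Content_Types].xml, plus stray bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        comment = zf.comment
    defaults = {e.get("Extension", "").lower() for e in root.iter(CT_NS + "Default")}
    overrides = {e.get("PartName", "").lstrip("/") for e in root.iter(CT_NS + "Override")}
    undeclared = [
        n for n in names
        if n != "[Content_Types].xml"
        and n not in overrides
        and n.rsplit(".", 1)[-1].lower() not in defaults
    ]
    # Bytes after the end-of-central-directory record and its comment are not ZIP data.
    eocd = data.rfind(b"PK\x05\x06")
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    trailing = len(data) - (eocd + 22 + comment_len)
    return {"undeclared": undeclared, "comment_bytes": len(comment), "trailing_bytes": trailing}


def build_sample() -> bytes:
    """Constructed docx-like package: one undeclared member and 9 appended bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/x-constructed-rels"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/x-constructed"/>'
            '</Types>')
        zf.writestr("_rels/.rels", "<Relationships/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/media/notes.bin", b"constructed hidden payload")
    return buf.getvalue() + b"APPENDED!"
```

A member stored under an extension the package already declares (for example an extra `.xml` file) passes this check, so a fuller audit would also compare members against the package's relationship files.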
Tools used to perform file steganography:
Network Steganography
In network steganography, your secret message is hidden within standard network traffic. This can be within the network communication’s protocols, headers, or data packets. Hackers often use network steganography to exfiltrate data from target networks by blending this mass data transfer with regular network traffic to remain undetected by the blue team.
Common methods for performing network steganography include:
- Protocol-based steganography: This involves embedding your secret message within the network protocol headers. This information is often not used to its full capacity, so adding your secret message here will not affect the integrity or functionality of the network packet.
- Payload-based steganography: This is where your secret message is embedded within the network packets' payload. The message is hidden by modifying specific bits, using encryption techniques, or by splitting the message across multiple packets.
- Timing-based steganography: These techniques embed your secret message in the temporal patterns of network traffic by changing the timing with which network packets are sent.
- Traffic concealment techniques: These techniques camouflage your covert communication with normal network traffic by mimicking legitimate traffic, such as packet interval timing, payload sizes, and traffic patterns. They are often used with other steganographic or cryptographic techniques to conceal your data further.
Tools used to perform network steganography:
All these fancy mathematical algorithms and techniques may make it sound like steganography, and cyber security in general, is difficult to learn. That does not have to be the case, as you can find out in Is Cyber Security Hard To Learn?
Real-World Usage of Steganography
Now you know how steganography works, let’s look at some real-world use cases, including the Cicada 3301 Internet mystery, a Russian espionage campaign, and how cybercriminals use it to hide malware.
Cicada 3301
Cicada 3301 was an Internet mystery that emerged from several posts on the Internet forums 4chan and Reddit in January 2012. These posts detailed cryptic online puzzles that grew popular due to their complex nature and unknown origins.
Going by “3301,” an anonymous user asked users to solve a series of puzzles involving cryptography, riddles, and steganography. These challenges drew upon various academic disciplines, such as mathematics, computer science, literature, and music. Those who successfully completed a challenge were led to even more challenges hosted on hidden websites or spray-painted in physical locations worldwide.
Cicada 3301 puzzles continued to be released in 2013, 2014, and 2016 with each iteration becoming increasingly more complex and nuanced. It is unknown if anyone ever solved all the puzzles, if there was a prize, or who even created the puzzles and for what purpose. Many have speculated it was an intelligence agency or clandestine organization, and even dedicated communities of enthusiasts are still trying to solve these puzzles today.
For an in-depth examination of the Cicada 3301 mystery, take a look at this YouTube video:
Russian Espionage
Much like cryptography, steganography has long been associated with espionage and spycraft. The ability to hide secret messages in open communication is an incredibly valuable skill for intelligence agencies and spies. Recently, it was uncovered that Russian spies had been hiding secret codes in online photos that were made publicly accessible on the Internet.
The FBI arrested the alleged Russian spies after discovering intelligence suggesting they extracted coded messages from innocuous online images. The nature of this communication remains classified, but this is the first publicly acknowledged use of image steganography over the open Internet to transmit hidden spy messages.
That said, it has been suspected that this form of covert communication has been happening for over a decade, and you can read more about this story in FBI: Russian spies hid codes in online photos.
To learn more about steganography, check out this great talk by the National Security Agency (NSA) - America’s premier cyber spy organization:
Cyber Crime
Cybercriminals have also been making use of steganography. During a cyber attack, the hackers must extract data from target systems and over the target organization’s network. To do this, they need a way to hide this stolen data so the security team defending the organization doesn’t stop their exfiltration activities.
In the past, hackers have used cryptography to hide this stolen data. However, cryptography is easy to detect, and seeing large quantities of encrypted data leave your environment will alert any blue team. As such, hackers are now using steganography to hide this data.
Hackers are implementing network and image steganography in the malware they deploy to hide the information they are stealing. This infographic shows the information-hiding techniques that have been observed in the wild from 2011 to 2017:
| Malware/exploit kit | Steganography Used | Purpose |
| --- | --- | --- |
| Vawtrak/Neverquest | Image steganography using LSB applied to favicons | Hiding the URL to download a configuration file |
| Zbot | Image steganography applied to JPG files | Hiding configuration data |
| Lurk/Stegoloader | Image steganography using LSB applied to BMP/PNG files | Hiding encrypted URL for downloading additional malware components |
| AdGolas | Image and text steganography applied to HTML code | Hiding encrypted malicious JavaScript code |
| Fakem.RAT | Network steganography used to mimic MSN and Yahoo Messenger HTTP traffic | Hiding command and control (C2) traffic |
| Carbanak/Anunak | Network steganography used to mimic Google cloud-based services | Hiding C2 traffic |
| TeslaCrypt | Text steganography applied to HTML comments of the HTTP 404 error message page | Embedding C2 commands |
| Cerber | Image steganography | Embedding malicious executable |
| SyncCrypt | Image steganography | Embedding core components of the ransomware |
| Stegano/Astrum | Image steganography using modified color space applied to PNG images | Hiding malicious code within banner ads |
| DNSCharger | Image steganography using LSB applied to PNG files | Hiding malware AES encryption key |
| Sundown | Image steganography applied to white PNG files | Exfiltrating user data and hiding exploit code delivered to victims |
To learn how you can enter the cyber security field and become a hacker, take a look at Top Entry-Level Cyber Security Certifications for You
Conclusion
Steganography is the art and science of hiding secret information in plain sight. It can involve anything from simple word substitution to complex mathematical equations to data inside images. You have seen how steganography can be applied to text, images, audio, video, files, and network packets, along with various tools that allow you to perform these different types of steganography.
You also saw how steganography is being used in the real world. Internet mysteries, espionage, and cyber crime are all playgrounds for those who want to use steganography. Try giving steganography a go and discover the power of hiding information in plain sight.
If you want to learn more about how you can master both performing and detecting steganography, try one of these training courses: