What Is Steganography? How to Hide Data Like a Spy


Every great spy movie has a hero hiding data to evade the bad guy’s reach. The real world is no different through the power of steganography.

This article answers the question, “What is steganography?” and shows how you can use it to hide data in the real world. It looks at when you should use steganography, how it differs from cryptography, and how it can be practically applied to text, images, audio, video, files, and network communication. Finally, the article provides real-world examples of when steganography has been used to evade detection and entertain cyber sleuths.

So get your Martini shaken, not stirred, and let’s discover the mysterious world of steganography.

Understanding Steganography

Steganography is the practice of hiding information in plain sight. It involves concealing data you want to keep secret in non-secret data called carrier data (e.g., an inconspicuous image, a popular audio file, or within a text document). By cleverly blending secret and non-secret information, it becomes difficult for a third party to detect the hidden information.

Much like cryptography, concealing sensitive information has been around for a long time and can be used for legitimate or nefarious purposes. However, unlike cryptography, steganography focuses on hiding a message within innocuous carrier data rather than using encryption to protect it.


The general idea is to surround the hidden message with an overwhelming amount of carrier data so that it becomes near impossible to find unless you know what you are looking for, similar to “finding a needle in a haystack.” Steganography is commonly used for:

  • Digital watermarking
  • Data protection
  • Covert communication
  • Hiding sensitive information
  • Evading digital forensics
  • Hiding malicious software

Advantages of steganography:

  • Covert communications in the open: You can hide messages within carrier data to covertly communicate with someone else across an open medium like the Internet or social media.
  • Difficult to detect: Unless you know what you are looking for, steganography is near impossible to detect by third-party observers.
  • Versatile: Steganography can hide data in text, audio messages, video, computer files, and within network communication.
  • Compatible with other security measures: Steganography can be used with other security measures to add extra protection to sensitive data (e.g., combining steganography with encryption).

Disadvantages of steganography:

  • Limited capacity: There is a limit on the size and complexity of the information you can hide in carrier data until it is significantly altered and becomes suspicious.
  • Can be detected: Steganography can be detected, and the hidden message can be exposed if the third party knows the indicators to look for or uses steganography detection tools.
  • Complex to implement: Implementing steganography can be difficult and usually requires specialized tools.
  • Can be abused: Steganography can be used by criminals to engage in illicit activity, such as covertly communicating criminal acts, smuggling and extracting sensitive information, and hiding malware.

Types of Steganography

You can discreetly hide a message in text, audio messages, video, computer files, and within network communication. Each medium can conceal a hidden message among a sea of carrier data.

Text Steganography

In text steganography, the secret information is hidden within the text of a document. For instance, it is hidden in the text's formatting, punctuation, spacing, or individual characters. The changes made to hide this secret information are designed to be innocuous to a third-party observer, with only someone knowing how the hidden message was concealed being able to reveal it.

This is one of the oldest forms of steganography, and its methods vary quite significantly in complexity. There are simple methods, like letter shifting or word substitution, that have the potential to be spotted by a well-trained human eye. There are also more complex methods that use statistical or linguistic analysis to encode the message within the text and require specialized tools to detect.

Tools used to perform text steganography:

You can learn how to use the Snow tool in this video:

Image Steganography

Image steganography hides your secret message inside an image file without noticeably altering the image. The changes within the file are so small that they are imperceptible to a third-party observer who views the image, and without specialized tools, the hidden message is undetectable.

Image steganography is often used to add digital watermarks to images so that a photographer can protect themselves from someone stealing their work.

Various methods are used to perform image steganography. These include:

  • Least Significant Bit (LSB) insertion: Similar to image compression techniques, this involves substituting the least significant bit of each pixel with a bit from the secret message to have a minimal impact on the pixel’s color.
  • Spread spectrum: Where the secret message is spread across multiple pixels using techniques like frequency domain manipulation or random noise generation so the change to the image is unnoticeable.
  • Transform domain techniques: Where transformations like Discrete Cosine Transform (DCT) or Discrete Fourier Transform (DFT) are used to embed the secret message in the transformed coefficients.
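To make the LSB bullet and the earlier "Can be detected" point concrete, the following added example (not code from the original article) embeds and recovers a payload in raw pixel bytes, then scores the result with the pairs-of-values chi-square statistic that LSB detection tools rely on. The cover samples and payload are constructed with a fixed seed, and all function names are this example's own.

```python
import random

def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive pixel bytes with payload bits (MSB first)."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds carrier capacity of 1 bit per byte")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each byte changes by at most 1
    return bytes(out)

def extract_lsb(pixels: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes from the LSBs of the first 8 * n_bytes pixel bytes."""
    out = bytearray()
    for i in range(0, 8 * n_bytes, 8):
        value = 0
        for p in pixels[i:i + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic: LSB replacement evens out the counts of
    values 2k and 2k+1, so an unusually low score suggests a payload."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    score = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            score += (hist[k] - expected) ** 2 / expected
    return score

def demo():
    rng = random.Random(1)  # fixed seed: constructed data, not a real image
    # Constructed cover: 8192 samples whose LSB is 1 only about 20% of the time.
    cover = bytes(2 * rng.randrange(128) + (rng.random() < 0.2) for _ in range(8192))
    payload = bytes(rng.getrandbits(8) for _ in range(1024))  # stands in for ciphertext
    return cover, payload, embed_lsb(cover, payload)

if __name__ == "__main__":
    cover, payload, stego = demo()
    print("recovered:", extract_lsb(stego, len(payload)) == payload)
    print("score cover=%.0f stego=%.0f" % (pov_chi_square(cover), pov_chi_square(stego)))
```

The payload here fills the whole carrier, which is the easiest case for the statistic; a short payload spread over a large image moves the score far less.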

Tools used to perform image steganography:

Watch Nathan House demonstrate image steganography here:

Audio Steganography

Audio steganography is a technique for hiding your secret message within an audio signal without changing the original sound. To extract the secret message, the recipient usually runs the audio file through a specialized tool that extracts the secret message.

Audio steganography can be performed using several different methods, such as:

  • Least Significant Bit (LSB) substitution: Similar to LSB insertion used to perform image steganography, this method substitutes the least significant bits of audio samples with the secret message. These modifications are imperceptible in the audio quality.
  • Phase coding: Where you modify the phase information of the audio signal to encode your secret message. Altering the phase relationships between different audio segments allows you to embed a message without significantly affecting the audio quality.
  • Spread spectrum: This is similar to image steganography, where the secret message is spread across multiple small components within a file. However, the message is spread across multiple frequency components in the audio signal instead of pixels.
  • Echo hiding: Involves inserting echoes or delays in specific parts of the audio signal that are imperceptible to the human ear and mask the secret message with the original audio signal.

Tools used to perform audio steganography:

See how audio steganography can be used in this CTF challenge: 

Video Steganography

In video steganography, you hide your secret message within a video file in a way that does not significantly affect the visual or audio quality. You then use a specialized steganography tool to extract the secret message from the video file.

Video steganography is often used legitimately for adding digital watermarks or copyright protection to film clips. This allows a film studio to track down the offender if their video files are leaked.

There are various methods used to perform video steganography. Some popular ones include:

  • Frame manipulation: This is where individual video frames are modified to embed your secret message. These modifications can alter pixel values, color components, or motion vectors and are all imperceptible when playing the video.
  • Spatial domain techniques: This category of techniques manipulates the individual pixel values of video frames. They include LSB substitution, spatial transformations, and color conversions to embed secret messages.
  • Transform domain techniques: These techniques are similar to those used to perform image steganography, such as Discrete Cosine Transform (DCT), and embed data within the transformed representations of video frames. The Discrete Wavelet Transform (DWT) is specific to video steganography, which embeds data within the transformed coefficients of the video’s audio.
  • Temporal domain techniques: These techniques exploit the temporal properties of video files, such as modifying the timing, order, or duration of video frames to hide your secret message.

Tools used to perform video steganography:

File Steganography

File steganography involves hiding your secret message within the format or structure of a computer file. The secret message is embedded within the file’s metadata rather than the file's actual data. The file can be any type (e.g., audio, video, text, image, etc.).

The methods used to perform file steganography vary based on the type of file the secret message is hidden within. Common methods include:

  • File format-specific techniques: Different file formats have different characteristics and structures that you can hide data within. For instance, some Microsoft documents are XML documents packaged inside a ZIP archive file (e.g., docx, xlsx, etc.). You can hide a secret message within this ZIP archive without affecting the document's data.
  • File container techniques: This involves using a file as a container for your secret message. The message is inserted into specific areas of the file that are unused or the least significant, such as metadata.
  • Encryption-based techniques: This technique is popular in modern steganography tools. They encrypt the secret messages and embed them within the carrier file through file compression.
  • Steganographic file systems: This method is popular among cybercriminals or spies who need to hide secret data on their computer devices. It involves creating a special file system capable of storing and retrieving hidden data spread across the entire file system structure. This makes it difficult to detect without knowing the steganographic scheme used.

Tools used to perform file steganography:

Network Steganography

In network steganography, your secret message is hidden within standard network traffic. This can be within the network communication’s protocols, headers, or data packets. Hackers often use network steganography to exfiltrate data from target networks by blending this mass data transfer with regular network traffic to remain undetected by the blue team.

Common methods for performing network steganography include:

  • Protocol-based steganography: This involves embedding your secret message within the network protocol headers. This information is often not used to its full capacity, so adding your secret message here will not affect the integrity or functionality of the network packet.
  • Payload-based steganography: This is where your secret message is embedded within the network packets' payload. The message is hidden by modifying specific bits, using encryption techniques, or by splitting the message across multiple packets.
  • Timing-based steganography: These techniques embed your secret message in the temporal patterns of network traffic by changing the timing at which network packets are sent.
  • Traffic concealment techniques: These techniques camouflage your covert communication with normal network traffic by mimicking legitimate traffic, such as packet interval timing, payload sizes, and traffic patterns. They are often used with other steganographic or cryptographic techniques to conceal your data further.

Tools used to perform network steganography:

All these fancy mathematical algorithms and techniques may make it sound like steganography and cyber security are difficult to learn. That does not have to be the case, as you can find out in Is Cyber Security Hard To Learn?

Real-World Usage of Steganography

Now you know how steganography works, let’s look at some real-world use cases, including the Cicada 3301 Internet mystery, a Russian espionage campaign, and how cybercriminals use it to hide malware.

Cicada 3301

Cicada 3301 was an Internet mystery that emerged from several posts on the Internet forums 4chan and Reddit in January 2012. These posts detailed cryptic online puzzles that grew popular due to their complex nature and unknown origins.

Going by “3301,” an anonymous user asked users to solve a series of puzzles involving cryptography, riddles, and steganography. These challenges drew upon various academic disciplines, such as mathematics, computer science, literature, and music. Those who successfully completed a challenge were led to even more challenges hosted on hidden websites or spray-painted in physical locations worldwide.

Cicada 3301 puzzles continued to be released in 2013, 2014, and 2016 with each iteration becoming increasingly more complex and nuanced. It is unknown if anyone ever solved all the puzzles, if there was a prize, or who even created the puzzles and for what purpose. Many have speculated it was an intelligence agency or clandestine organization, and even dedicated communities of enthusiasts are still trying to solve these puzzles today.

For an in-depth examination of the Cicada 3301 mystery, take a look at this YouTube video:

Russian Espionage

Much like cryptography, steganography has long been associated with espionage and spycraft. The ability to hide secret messages in open communication is an incredibly valuable skill for intelligence agencies and spies. Recently, it was uncovered that Russian spies had been hiding secret codes in online photos that were made publicly accessible on the Internet.

The FBI arrested the alleged Russian spies after discovering intelligence suggesting they extracted coded messages from innocuous online images. The nature of this communication remains classified, but this is the first publicly acknowledged use of image steganography over the open Internet to transmit hidden spy messages.

That said, it has been suspected that this form of covert communication has been happening for over a decade, and you can read more about this story in FBI: Russian spies hid codes in online photos.

To learn more about steganography, check out this great talk by the National Security Agency (NSA) - America’s premier cyber spy organization:

Cyber Crime

Cybercriminals have also been making use of steganography. During a cyber attack, the hackers must extract data from target systems and over the target organization’s network. To do this, they need a way to hide this stolen data so the security team defending the organization doesn’t stop their exfiltration activities.

In the past, hackers have used cryptography to hide this stolen data. However, cryptography is easy to detect, and seeing large quantities of encrypted data leave your environment will alert any blue team. As such, hackers are now using steganography to hide this data.

Hackers are implementing network and image steganography in the malware they deploy to hide the information they are stealing. This infographic shows the information-hiding techniques that have been observed in the wild from 2011 to 2017:

| Malware/exploit kit | Steganography Used | Purpose |
|---|---|---|
| Vawtrak/Neverquest | Image steganography using LSB applied to favicons | Hiding the URL to download a configuration file |
| Zbot | Image steganography applied to JPG files | Hiding configuration data |
| Lurk/Stegoloader | Image steganography using LSB applied to BMP/PNG files | Hiding encrypted URL for downloading additional malware components |
| AdGolas | Image and text steganography applied to HTML code | Hiding encrypted malicious JavaScript code |
| Fakem.RAT | Network steganography used to mimic MSN and Yahoo Messenger HTTP traffic | Hiding command and control (C2) traffic |
| Carbanak/Anunak | Network steganography used to mimic Google cloud-based services | Hiding C2 traffic |
| TeslaCrypt | Text steganography applied to HTML comments of the HTTP 404 error message page | Embedding C2 commands |
| Cerber | Image steganography | Embedding malicious executable |
| SyncCrypt | Image steganography | Embedding core components of the ransomware |
| Stegano/Astrum | Image steganography using modified color space applied to PNG images | Hiding malicious code within banner ads |
| DNSChanger | Image steganography using LSB applied to PNG files | Hiding malware AES encryption key |
| Sundown | Image steganography applied to white PNG files | Exfiltrating user data and hiding exploit code delivered to victims |

Taken from the IEEE Computer Society

To learn how you can enter the cyber security field and become a hacker, take a look at Top Entry-Level Cyber Security Certifications for You.

Conclusion

Steganography is the art and science of hiding secret information in plain sight. It can involve anything from simple word substitution to complex mathematical equations to data inside images. You have seen how steganography can be applied to text, images, audio, video, files, and network packets, along with various tools that allow you to perform these different types of steganography.

You also saw how steganography is being used in the real world. Internet mysteries, espionage, and cyber crime are all playgrounds for those who want to use steganography. Try giving steganography a go and discover the power of hiding information in plain sight.

  • Adam Goss

    Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.
