Obfuscation or cryptography

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications so that a key is required to reverse the transformation. [1]

ID: T1313

Tactic: Adversary Opsec

Version: 1.0

Examples

Name: Cleaver

Description: Cleaver has used zhCat to encrypt traffic or use inline obfuscation to make detection more difficult. zhCat makes message traffic look benign.[2]

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Techniques and signatures are hard to detect. Advanced communications and exfiltration channels are nearly indistinguishable from background noise.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Known approaches include the use of cryptography for communications, rotating drop sites (such as a random list of chat fora), one-time Simple Storage Service (S3, https://aws.amazon.com/s3/) buckets, etc. All require sophisticated knowledge, infrastructure, and funding.

References

  1. FireEye, Inc. (2014). APT 28: A Window into Russia’s Cyber Espionage Operations?. Retrieved March 1, 2017.