Have you ever thought that the digital files you usually handle might carry more than they were intended to? It might be a picture you share on social media, a video, or even a song… How do people conceal information in a seemingly harmless file? And why? Welcome to the world of secret messages and steganography.
What is steganography?
- Steganography is the practice of concealing a message, file, image, or video within another medium to prevent detection. Unlike cryptography, which obscures the content of a message, steganography obscures the existence of the message itself.
Steganography is an ancient technique that was already in use in Ancient Greece. Hidden messages were tattooed on a slave’s scalp and concealed by regrown hair for secret communication. In World War II, invisible inks and microdots were used by spies to carry tactical messages.
In the modern era, these techniques have evolved to the digital world: digital files such as images, audio, videos, or even network traffic are used as carriers of hidden messages or other files entirely.
Key concepts of steganography
- Carrier or cover medium: the file or object used to hide the secret data (e.g., JPEG, MP3, video file).
- Payload: the hidden data (e.g., text, image, or malware).
- Stego object: the final file after embedding the payload into the carrier.
- Embedding: the process of hiding data.
- Extraction: the process of retrieving hidden data.
Types of steganography
Steganography can be of different types, depending on the type of carrier used for concealing the payload:
Tools for steganography
There are some popular tools used for steganography. Here’s a list of the most common:
- Steghide hides data in BMP and WAV files with optional AES encryption.
- OpenStego is a Java-based tool for embedding messages in images.
- zsteg detects LSB steganography in PNG/BMP (especially useful in CTFs).
- OutGuess is used for hiding information in JPEG images.
- SilentEye is a GUI-based tool for audio and image steganography.
Steganography or cryptography?
Steganography and cryptography often work together. Steganography hides the existence of a message, while cryptography protects the contents of the message. Steganography is hard to detect if done well, while cryptography is obvious once it’s intercepted.
Many modern threat actors combine steganography with encryption, creating layers of concealment (e.g., malware hidden inside an encrypted image).
Steganography and cybersecurity
- Steganography is widely used for malware delivery through common digital objects: threat actors (e.g., APTs) use steganography techniques to hide payloads in images uploaded to public platforms.
- Steganography is also used in espionage as it’s an effective technique for exfiltrating sensitive information over innocent-looking media.
- Attackers can also use steganographic channels for C2 (command-and-control) communication, passing commands for remote execution to their target machines.
Notable examples of steganography used in attacks come from cyberwarfare and computer crime. For example, the Turla APT group used PNG files to hide encrypted commands, and APT29 (Cozy Bear) used steganography in malware campaigns targeting governments.
Detecting steganography: Steganalysis
Is it possible to detect messages hidden through steganography? Several techniques can be used for this purpose, and together they go under the name of steganalysis.
- Visual inspection: detecting distortions in images or unusual file sizes.
- Statistical analysis: examining LSB patterns, histogram shifts.
- Machine Learning (ML): used for automated stego-object detection.
- Hash comparison: comparing known file hashes to identify modified carriers.
- Toolkits: such as StegExpose, zsteg, and binwalk.
Steganalysis is the science of detecting the presence of hidden information within digital files—without necessarily knowing the embedding method or payload. It’s often used in digital forensics, malware analysis, and cybercrime investigations.
Steganalysis can be effective under certain conditions: if the hiding technique is known or weak, if the stego object shows anomalies, when comparative analysis is possible, or if automated tools are successful.
Detection becomes much harder when the payload is small and well distributed across the carrier, when advanced embedding techniques are used, when there is layered encryption, or when the payload is embedded in metadata rather than in the content itself.
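The following worked example is added here and is not code from the original article. It ties together the key concepts above (carrier, payload, embedding, extraction) and the "statistical analysis: examining LSB patterns" item of the steganalysis list: sequential LSB embedding into a constructed 64x64 grayscale cover, followed by the pairs-of-values chi-square test that detects the balanced LSB histogram a random-looking (e.g., encrypted) payload leaves behind. The cover image, the payload, the threshold and all function names are constructed for this illustration.

```python
import random

# Constructed cover: a 64x64 grayscale image whose values cluster on a few tonal
# levels (as a posterized or low-noise photo would), so within each pair
# (2k, 2k+1) the even value is about three times as common as the odd one.
_rng = random.Random(1)
COVER = bytes(4 * ((x // 8) % 60) + 16 + _rng.choice((0, 0, 0, 1))
              for x in range(64 * 64))
# Constructed payload standing in for an encrypted blob: 512 random bytes,
# exactly enough bits (4096) to fill every pixel's LSB.
PAYLOAD = bytes(_rng.randrange(256) for _ in range(512))


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Embedding: bit i of the payload replaces the LSB of pixel i (one bit per pixel)."""
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload exceeds carrier capacity")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Extraction: rebuild `length` bytes from the LSBs of the first 8*length pixels."""
    bits = "".join(str(p & 1) for p in stego[:8 * length])
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def lsb_chi_square(pixels: bytes) -> float:
    """Pairs-of-values chi-square test (Westfeld and Pfitzmann), per degree of
    freedom. Replacing every LSB with random-looking payload bits drives the
    counts of 2k and 2k+1 toward equality, so a score near 1.0 suggests
    embedding, while an untouched cover with uneven pairs scores far higher."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:  # an empty pair carries no information
            stat += (even - expected) ** 2 / expected
            pairs += 1
    return stat / max(pairs - 1, 1)


def looks_embedded(pixels: bytes, threshold: float = 2.0) -> bool:
    """Flag a carrier whose pair counts are suspiciously well balanced."""
    return lsb_chi_square(pixels) < threshold
```

On this constructed cover the untouched image scores well above the threshold and the stego object scores close to 1.0; on real images the threshold should be calibrated against known-clean samples, and the test is blind to payloads that fill only a small, scattered fraction of the pixels.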