Microsoft catches hackers using Morse Code to help cover their tracks

Modern offensive and defensive cyber measures often rest on the simple concept of concealing and cracking code.
Morse Code
Telegraph technology helped popularize Morse Code. (Getty Images)

Clever hackers use a range of techniques to cover their tracks on a target computer, from benign-looking communication protocols to self-erasing software programs.

It’s not very often, though, that digital attackers turn to Morse Code, a 177-year-old signaling system, for operational security. Yet that’s exactly what played a part in a year-long phishing campaign that Microsoft researchers outlined on Thursday.

Morse Code — a method of representing characters with dots and dashes popularized by telegraph technology — was one of several methods that the hackers, whom Microsoft did not identify, used to obscure malicious software. It’s a reminder that, for all of their complexities, modern offensive and defensive cyber measures often rest on the simple concept of concealing and cracking code.

Hackers were sending select targets fake invoices to try to convince them to cough up their passwords and, in some cases, to collect IP addresses and location data of victim machines. The hackers changed their encryption schemes every month to try to hide their activity.


Microsoft analysts likened the malicious attachments the hackers used to steal usernames and passwords from victims, and then to try to gain further access to networks, to a “jigsaw puzzle.”

“[O]n their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions,” Microsoft said in a blog post. “Only when these segments are put together and properly decoded does the malicious intent show.”

Microsoft has yet to attribute the hackers to a known group, according to Christian Seifert, principal research manager at Microsoft’s M365 Security unit. “We believe it is one of the many cybercrime groups that defraud victims for profit,” Seifert said.

Update, 08/13/21This story has been updated with a comment from Microsoft researcher Christian Seifert.


Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts