Uncovering the Secret Weapon of Cyber Espionage: The Humble USB Drive

In cybersecurity, malware that spreads on USB drives can sound like a chapter from the past, a relic of a decade or two ago. Yet a group of cyber spies with affiliations to China appears to have made a useful observation: certain global organizations, especially those with operations in developing nations, still work in a digital age where USB thumb drives are exchanged as casually as business cards and internet cafes are far from extinct. Over the past year, these espionage-minded hackers have exploited that gap to resurrect classic USB malware and infect the networks of numerous victims.

At the recent mWise security conference, cybersecurity experts from Mandiant disclosed that a hacker collective known as UNC53, allegedly backed by China, has breached at least 29 organizations worldwide since the start of the previous year. Their method is old-school: luring unsuspecting staff into plugging malware-infested USB drives into networked computers. While the victims come from various corners of the globe, Mandiant's investigation points to a peculiar pattern: many infections trace back to the African operations of multinational organizations. Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar have all seen the resurgence of malware, specifically several versions of a more than decade-old strain called Sogu. It is almost as if the malicious code hitchhiked on USB sticks from shared computers in print shops and internet cafes, casting a wide and indiscriminate net across a vast data landscape.

Mandiant researchers assert that this campaign represents an unexpectedly successful revival of USB-based hacking, a technique largely overshadowed by more contemporary methods like phishing and exploiting software vulnerabilities from a distance. Brendan McKeague, a researcher at Mandiant, succinctly puts it, "USB infections are back." In today's interconnected world, where organizations have their headquarters in Europe but employ remote workers in places like Africa, it's no surprise that infections can sprout from unconventional locations such as Ghana or Zimbabwe.

The malware at the heart of this resurrection, known as Sogu (or sometimes Korplug or PlugX), has been a favorite tool of numerous Chinese hacking groups for over a decade. This remote-access trojan made headlines during China's notorious breach of the US Office of Personnel Management in 2015 and resurfaced in a widespread espionage campaign in 2017. However, in January of 2022, Mandiant began spotting fresh variants of this trojan, consistently linked to Sogu-infected USB thumb drives in their incident response investigations.

Since then, Mandiant has watched the USB-hacking campaign intensify and infect new victims, some as recently as this month. Its reach spans diverse industries, including consulting, marketing, engineering, construction, mining, education, banking, pharmaceuticals, and government agencies. Notably, many infections appear to have originated from shared computers in internet cafes or print shops and then spread onward, in some cases from seemingly inconspicuous places such as the Robert Mugabe Airport in Harare, Zimbabwe. Ray Leong, another researcher at Mandiant, wonders whether these locations were intentional infection points or merely waypoints in the campaign's regional propagation.

It's not entirely clear whether these hackers aimed to leverage their access to a multinational's African operations to target its European or US counterparts. However, it's safe to assume that Africa's strategic and economic significance might have played a role in their motives.

The method employed by the Sogu campaign, spreading malware via USB drives, may appear haphazard for espionage activities. Yet, much like the software supply chain attacks or watering hole attacks orchestrated by Chinese state-sponsored hackers, this approach allows the hackers to cast a wide net, sorting through their victims to identify high-value targets. McKeague and Leong propose that this approach signifies the hackers behind the campaign possess substantial human resources to sift through and analyze the stolen data for valuable intelligence.

The Sogu USB malware employs a series of deceptively simple yet clever tactics to infiltrate machines and pilfer data, in some cases even reaching "air-gapped" computers with no internet connection. When an infected USB drive is plugged into a system, it takes no immediate action, because most modern Windows machines have autorun disabled for USB devices by default. Instead, it tries to dupe the user into running an executable on the drive by naming that file after the drive itself or, if the drive has no name, after the generic "removable media" label. The ruse is that a user who means to open the drive carelessly double-clicks the look-alike file instead. The Sogu malware then discreetly copies itself into a concealed folder on the host machine.

On a typical internet-connected computer, the malware reaches out to a command-and-control server, awaiting instructions to scour the victim's system or transmit its data to the remote server. It also replicates itself onto any other USB drive connected to the same computer, perpetuating its machine-to-machine spread. In instances where the Sogu USB malware lands on an air-gapped computer, it first attempts to activate the victim's Wi-Fi adapter and connect to local networks. If that fails, it stashes the stolen data in a folder on the infected USB drive, preserving it until the drive is connected to an internet-enabled machine, allowing the pilfered data to be dispatched to the command-and-control server.
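The two paragraphs above describe the lure and the on-disk footprint a defender can look for on a suspect drive. The following is an added example, not Mandiant's tooling or anything from the original article: a Python heuristic that scans a drive's root listing for an executable named after the volume label (or the generic "removable media" name) and for hidden directories, which is where the article says the malware copy and stolen data are kept. The sample listing, the volume label "KINGSTON" and the directory names in it are constructed for illustration.

```python
"""Heuristic check of a removable drive's root for a Sogu-style USB lure.

Added example (not Mandiant's or the article's code). Flags an executable
whose name mirrors the volume label, or the generic "removable media"
name used when the drive is unlabelled, plus hidden root directories.
"""
import os
import stat
from dataclasses import dataclass

# Extensions a double-click would execute on Windows (assumed list).
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".pif"}
GENERIC_LABEL = "removable media"  # name used when the drive has no label


@dataclass
class Finding:
    path: str
    reason: str


def _norm(name: str) -> str:
    """Case-insensitive, whitespace-collapsed comparison form."""
    return " ".join(name.lower().split())


def lure_names(volume_label: str) -> set[str]:
    """Names a lure executable would carry for this drive."""
    names = {GENERIC_LABEL}
    if volume_label.strip():
        names.add(_norm(volume_label))
    return names


def scan_root(volume_label: str, entries: list[tuple[str, bool, bool]]) -> list[Finding]:
    """entries: (name, is_dir, is_hidden) tuples for the drive root."""
    targets = lure_names(volume_label)
    findings: list[Finding] = []
    for name, is_dir, is_hidden in entries:
        stem, ext = os.path.splitext(name)
        if not is_dir and ext.lower() in EXEC_SUFFIXES and _norm(stem) in targets:
            findings.append(Finding(name, f"executable named like the drive ({stem!r})"))
        if is_dir and is_hidden:
            findings.append(Finding(name, "hidden directory at drive root"))
    return findings


def list_root(path: str) -> list[tuple[str, bool, bool]]:
    """Build the (name, is_dir, is_hidden) listing for a mounted drive root."""
    out = []
    with os.scandir(path) as it:
        for e in it:
            attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = e.name.startswith(".") or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            out.append((e.name, e.is_dir(follow_symlinks=False), hidden))
    return out


# Constructed sample listing of a drive labelled "KINGSTON".
SAMPLE_ROOT = [
    ("KINGSTON.exe", False, False),   # lure named after the volume label
    ("Reports", True, False),
    ("RECYCLER", True, True),         # hidden directory used as a stash
    ("notes.docx", False, False),
]
```

On a real system call `scan_root(label, list_root("E:\\"))` with the label read from the mounted volume; the heuristic is a triage aid, not a malware verdict.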

Sogu's emphasis on espionage and its relatively high incidence of USB-based infections are anomalies in 2023. Its USB-centric propagation is reminiscent of tools like the NSA-created Flame malware, discovered targeting air-gapped systems in 2012, or even the Russian Agent.btz malware detected within Pentagon networks in 2008.

However, the Sogu campaign is just one facet of a more extensive resurgence of USB-based malware that Mandiant has observed in recent years. In 2022, they witnessed a significant uptick in infections caused by a cybercrime-focused USB malware named Raspberry Robin. And in this very year, they've encountered another strain of USB-based espionage malware called Snowydrive, employed in seven network intrusions.

All of this underscores a critical point: network defenders must not assume that USB infections are a problem of the past, especially within global networks that include operations in developing nations. State-sponsored hackers are actively running espionage campaigns through these innocuous-looking USB sticks. As Ray Leong aptly puts it, "In North America and Europe, we think this is an old infection vector that's been locked down. But there are exposures in this other geography that are being targeted. It's still relevant, and it's still being exploited." Stay vigilant in the ever-evolving landscape of cyber threats.
