The Resurgence of USB Malware Attacks: A Look at the Chinese Espionage Campaign

• Cyberattack

Recognizing the ongoing relevance of all digital threats is paramount in our interconnected global economy. We delve into the recent resurgence of USB malware attacks, a seemingly antiquated method revived by Chinese espionage hackers.

The Revival of USB-Based Hacking

For many cybersecurity professionals, USB-drive malware represents a nostalgic hacker threat from the past decade. Yet, a China-backed group of spies has exploited the global technological disparities to reintroduce and spread USB malware to dozens of networks. Revealed at the mWise security conference, cybersecurity firm Mandiant identified a China-linked hacker group, referred to as UNC53, which has successfully hacked at least 29 global organizations since early last year using the old-school tactic of tricking staff into plugging malware-infected USB drives into their network computers.

The Sogu Malware and its Global Reach

The malware used, known as Sogu or sometimes Korplug or PlugX, has been adopted by numerous China-based hacking groups for over a decade. This remote-access trojan was in China’s notorious breach of the US Office of Personnel Management in 2015. It was warned about in a broad espionage campaign by the Cybersecurity and Infrastructure Security Agency in 2017. However, in January 2022, Mandiant began to see new versions of the trojan repeatedly showing up in incident response investigations, each time tracing those breaches back to Sogu-infected USB thumb drives.

From consulting and engineering firms to education, banking, and government agencies, the USB-hacking campaign has rapidly escalated, infecting new victims as recently as this month. In many cases, the infection originated from a shared computer at an internet café or print shop, spreading from machines like a publicly accessible internet-access terminal at the Robert Mugabe Airport in Harare, Zimbabwe. This indiscriminate approach to spreading USB infections is surprisingly practical for conducting espionage, allowing hackers to cast a wide net and sift through their victims for specific high-value targets.

The Intricacies of the Sogu USB Malware

The Sogu USB malware employs a series of simple yet clever tricks to infect machines and steal their data. When an infected USB drive is inserted into a system, it does not automatically run, given most modern Windows machines have autorun disabled by default for USB devices. Instead, it attempts to trick users into running an executable file on the drive by naming it after the drive itself or, if the industry has no name, the more generic "removable media." The Sogu malware then copies itself onto a hidden folder on the machine.

The malware communicates with a command-and-control server on an ordinary internet-connected computer, accepting commands to search the victim machine or upload its data to that remote server. If one variant of the Sogu USB malware finds itself on an air-gapped computer, it first attempts to turn on the victim’s Wi-Fi adapter and connect to local networks. If that fails, it stores stolen data in a folder on the infected USB drive itself, storing it there until it’s plugged into an internet-connected machine where the stolen data can be sent to the command-and-control server.

A Call for Vigilance

It is essential to stay vigilant regarding digital security, as there has been a recent increase in USB malware attacks. It's not safe to assume that USB infections are a thing of the past, especially for global networks that operate in developing countries. It's essential to be aware that state-sponsored hackers conduct espionage campaigns using USB sticks. This threat is still relevant and risks our interconnected global economy.