'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs



USBs are fetch again, as major APTs from Russia, China, and beyond are turning to them for BYOD cyberattacks.
March 7, 2024
Nation-state cyber threat groups are once again turning to USBs to compromise highly guarded government organizations and critical infrastructure facilities.
Having fallen out of fashion for some time, and certainly not helped by COVID lockdowns, USBs are once again proving an effective way for high-level threat actors to physically bypass security at particularly sensitive organizations.
In a keynote presentation this week at CPX 2024 in Las Vegas, Maya Horowitz, vice president of research at Check Point, noted that USBs represented the primary infection vector for at least three different major threat groups in 2023: China's Camaro Dragon (aka Mustang Panda, Bronze President, Earth Preta, Luminous Moth, Red Delta, Stately Taurus); Russia's Gamaredon (aka Primitive Bear, UNC530, ACTINIUM, Shuckworm, UAC-0010, Aqua Blizzard); and the threat actors behind Raspberry Robin.
"For quite a few years, we didn't really hear about USBs — it was all cyberattacks over the Internet," Horowitz tells Dark Reading. "But usually there are fashions with threat actors — one attack is successful, so others will copy it. I think that this is what we're starting to see with USB drives, resurfacing this attack vector."
How often have you opened your door, seen an Amazon package on your welcome mat, and forgotten what you'd actually ordered two days ago?
"Recently, we worked with a power company where one of the employees received an Amazon box, with Amazon tape," Daniel Wiley, Check Point head of threat management, recalled at a Wednesday presser. "Inside there was a sealed SanDisk USB — completely brand new. He thought his wife ordered it. So he opened it up, plugged it in. Everything else was a chain reaction. It was able to break in across their VPN. Let's just say the power company was not in a good place."
That it was a power company employee was no coincidence — critical industry often separates IT and OT networks with air gaps or unidirectional gateways, through which Internet-based attacks cannot travel. USBs provide a bridge over that gap, as Stuxnet famously demonstrated more than a decade ago.
USB attacks can be useful without that air-gap constraint as well. Consider an employee of a UK hospital, who not long ago attended a conference in Asia. During the conference, he shared his presentation with fellow attendees via a USB drive. Unfortunately, one of his colleagues was infected with Camaro Dragon malware, which the hospital employee then caught and brought back with him to the UK, infecting the hospital's entire corporate network.
As Horowitz recalled in her keynote, the malware opened up a backdoor into newly infected machines but also acted like a worm, transmitting to any new devices coming into contact via USB. This enabled it to spread beyond Western Europe into countries such as India, Myanmar, Russia, and South Korea.
Raspberry Robin has been spreading in much the same way, enabling ransomware actors worldwide. And Gamaredon's USBs have taken its LitterDrifter worm to countries as diverse as Chile, Germany, Poland, South Korea, Ukraine, the US, and Vietnam.
There are simple steps organizations can take to protect against most USB-bound threats, like always separating personal and work devices, and treating the latter with increased care.
"Some organizations only scan files that are downloaded from the Internet," Horowitz said. "That's wrong, because either threat actors or employees that want to cause damage can bring their own USB drive to bypass that security saved for files that are downloaded from the Internet."
Critical infrastructure industries need to go a step further: sanitization stations, strict removable device policies, and tape over a USB port can do the trick in a pinch.
For organizations that don't want to — or can't afford to — give up on removable media, "Bring Your Own Device (BYOD) is OK, you can do it, but it means that you need more security layers," Horowitz tells Dark Reading.
And most important of all: "Check your orders on Amazon before you open them," Wiley quipped.
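The removable-device policy and "scan everything, not just Internet downloads" advice above can be turned into a concrete control. The script below is an added example, not code from the article or from Check Point: it reads Linux kernel log lines (the dmesg/journal messages the usb-storage driver emits when a mass-storage device attaches), reconstructs each device's vendor/product ID and descriptor strings, and flags any mass-storage device that is not on an organisation's allowlist. The log lines and the allowlist are constructed for the example; 0781 is SanDisk's registered USB vendor ID, but the product IDs, serial numbers and bus addresses are made up.

```python
"""Flag removable mass-storage devices that are not on an allowlist, using
Linux kernel log lines. Added example with constructed data; not from the article."""
import re
from dataclasses import dataclass

# Constructed allowlist of approved (idVendor, idProduct) pairs. An organisation
# would populate this from its issued-device inventory.
ALLOWED_DEVICES = {("0781", "5583")}

# Kernel message shapes produced by the USB core and the usb-storage driver.
NEW_DEVICE_RE = re.compile(
    r"usb (?P<addr>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STRINGS_RE = re.compile(
    r"usb (?P<addr>[\d.-]+): (?P<field>Product|Manufacturer|SerialNumber): (?P<value>.+)$"
)
MASS_STORAGE_RE = re.compile(
    r"usb-storage (?P<addr>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)

# Constructed sample log: an approved SanDisk drive, an unknown flash disk,
# and a non-storage device (a wireless receiver) that must not be flagged.
SAMPLE_KERNEL_LOG = [
    "[  102.331] usb 1-1: new high-speed USB device number 3 using xhci_hcd",
    "[  102.480] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00",
    "[  102.480] usb 1-1: Product: Issued Drive",
    "[  102.480] usb 1-1: SerialNumber: CONSTRUCTED001",
    "[  102.482] usb-storage 1-1:1.0: USB Mass Storage device detected",
    "[  140.010] usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00",
    "[  140.010] usb 1-2: Product: Flash Disk",
    "[  140.010] usb 1-2: SerialNumber: CONSTRUCTED002",
    "[  140.012] usb-storage 1-2:1.0: USB Mass Storage device detected",
    "[  150.000] usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10",
    "[  150.000] usb 1-3: Product: USB Receiver",
]


@dataclass
class UsbDevice:
    addr: str            # bus-port address, e.g. "1-2"
    vid: str             # idVendor, lowercase hex
    pid: str             # idProduct, lowercase hex
    product: str = ""
    serial: str = ""
    mass_storage: bool = False


def parse_kernel_log(lines):
    """Return one UsbDevice per bus address seen in the log lines.

    A new 'New USB device found' line for an address that was already seen
    replaces the earlier record, which matches how the kernel reuses ports."""
    devices = {}
    for line in lines:
        m = NEW_DEVICE_RE.search(line)
        if m:
            devices[m["addr"]] = UsbDevice(m["addr"], m["vid"], m["pid"])
            continue
        m = STRINGS_RE.search(line)
        if m and m["addr"] in devices:
            dev = devices[m["addr"]]
            if m["field"] == "Product":
                dev.product = m["value"]
            elif m["field"] == "SerialNumber":
                dev.serial = m["value"]
            continue
        m = MASS_STORAGE_RE.search(line)
        if m and m["addr"] in devices:
            devices[m["addr"]].mass_storage = True
    return list(devices.values())


def unapproved_mass_storage(devices, allowlist=ALLOWED_DEVICES):
    """Mass-storage devices whose (vendor, product) pair is not approved.
    Non-storage devices (keyboards, receivers) are deliberately ignored."""
    return [d for d in devices if d.mass_storage and (d.vid, d.pid) not in allowlist]


if __name__ == "__main__":
    for dev in unapproved_mass_storage(parse_kernel_log(SAMPLE_KERNEL_LOG)):
        print(f"ALERT: unapproved removable storage {dev.vid}:{dev.pid} "
              f"'{dev.product}' serial={dev.serial} at {dev.addr}")
```

The allowlist check is the enforcement half of a removable-device policy; the same parsed records feed the detection half, since every attach event, approved or not, is worth forwarding to the SIEM. Matching on vendor and product ID alone is deliberately coarse: it stops the "sealed drive in an Amazon box" case, where the device is simply not an issued one, but a stricter policy would key on the serial number as well.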
Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" — an award-winning Top 20 tech podcast on Apple and Spotify — and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.