THE RUNDOWN
Despite constant warnings to disable USB ports, avoid unknown drives, and enable endpoint detection software, removable media still proves to be a cyberspy’s best friend.
In 2023, three USB-enabled malware campaigns were identified by Mandiant, each of which used these devices either to self-propagate or as the initial access vector.
The story of cyber espionage performed through USB drives dates back to 2008 when Pentagon officials first identified that Secret Internet Protocol Router Network (SIPRnet), a secret network, was compromised by Russian hackers.
Since then, USB drives have found themselves at the center of numerous cyber espionage campaigns. One can imagine they’ve become an essential tool for spies.
USB Dropping Effectiveness
Go to any hacker conference and ask a penetration tester what the most successful and simple way to gain access to a corporate network is. Often, the answer you will hear is some variation of a BadUSB attack, dropping a pile of USB sticks outside of the headquarters, or even socially engineering the secretary at the front desk to believe you’re just a generous vendor there to drop off complementary USBs as a gift.
USB drops were even brought into the mainstream by popular television show Mr. Robot, where one of the characters, Darlene, breaches a prison network by littering the outside of the facility with malicious drives.
However, anecdotes are just that. What is the actual success rate for dropped USBs? Is it really that effective?
Elie Bursztein, a cybersecurity expert, decided to test the USB drop and presented his findings at the BlackHat 2016 conference. Dropping 300 devices around the University of Illinois Urbana-Champaign campus, Elie found that of those 300, 98% were picked up. 45% were not only plugged in, but had their files clicked on and opened.
Hopping The Air Gap
When building a highly-secure network, whether for the purpose of document storage, secure transmission, or in an Industrial Controls System (ICS) network, it is best practice to implement what is known as an air gap. Air gapping can be described as physically isolating devices from the outside world.
Malware which spreads via removable media has proven itself immune to the restrictions of air gapping. While this additional layer of security may repel most hackers, nation-state threat actors have stepped up their sophistication to subvert it altogether. A rogue employee, or one who has been socially engineered, may bring a USB right past the air gap and plug the malicious device into the network. This is believed to be how the Stuxnet malware was able to subvert the air gap at the Natanz facility in Iran.
While that may get the malware into the network, it still begs the question, how does the attacker exfiltrate data back over the air gap? Researchers at the Ben Gurion University in Israel have answered just that. Demonstrating a wide variety of methods, they have been able to exfiltrate data over the air gap. One such method is slight changes in screen brightness, another is the use of acoustic data exfiltration over changes in fan speed.
Historical Examples of USB-Based Attacks
SIPRnet Breach (2008)
In 2008 Pentagon officials were left aghast when they discovered that Russian actors had breached the sensitive internal network used by the Department of Defense and State Department.
Detailed in Dark Territory: A History of Cyberwar by Fred Kaplan, spies had gone to kiosks surrounding the NATO headquarters in Kabul and stocked them with cheap, infected USB drives under the assumption that workers at the facility may purchase them and plug them into devices on the secure network.
Their gamble won big—those spies got access to some of the most sensitive networks in the world and an vast trove of documents. Dubbed Agent.btz, the code spread through both classified and unclassified networks with ease.
Agent.btz, was the first known example of a malware spread through an air gapped, or mostly air gapped, network.
Stuxnet (2010)
First discovered in 2010, Stuxnet was a malicious computer worm widely accepted to be a cyberweapon jointly developed by the U.S. and Israel as part of Operation Olympic Games. Believed to have been kickstarted in 2005, the development of the malware took years, and was supposedly mentioned during the presidential handoff from George W. Bush to Barack Obama. Its strategic importance was so vital that it crossed party lines.
Armed with four zero day vulnerabilities, Stuxnet was an extremely sophisticated worm which could systematically destroy nuclear enrichment centrifuges. What made it even more ingenious was its ability to operate without any input, as it would have to act behind the air gap at the Natanz nuclear facility.
The worm was believed to have destroyed over 1000 centrifuges at the Natanz facility, systematically setting back Iran’s nuclear capabilities by years.
G20 Summit (2013)
As world leaders coalesced for the 2013 G20 summit in St. Petersburg, Russia, their delegates were provided with USB drives and phone chargers by the hosts. Alarms were raised by Herman Van Rompuy, president of the European Council, when he approached German and Belgian intelligence services with the suspicious devices.
Reviews conducted by the intelligence services concluded that the devices were capable of collecting both computer and mobile phone data for the purpose of espionage. Now a commonplace tool, sold by the likes of Hak5, it was the first public instance of mobile phone chargers being used to maliciously collect data.
A similar tool was discovered to have been created by the National Security Agency’s (NSA) Tailored Access Operation group (TAO) in the trove of documents leaked by Shadow Brokers in 2017.
Turla (2022)
Turla, a Russian cyber threat group, was no stranger to using any tool, including USBs, at their disposal. As an elite FSB group operating since the late 1990s, they are known for having performed fierce cyber espionage campaigns against over 50 countries.
In 2022, Mandiant discovered an operation by Turla against a Ukrainian organization. Its initial attack vector: a trusty USB drive. The initial infection was believed to have taken place in 2021 when a user opened a malicious link file (LNK) disguised as a folder within the USB drive. Upon opening the file, an ANDROMEDA malware file was automatically installed and began to beacon out.
Using their foothold into the network, the group downloaded and executed KOPILUWAK to facilitate Command-and-Control (C2) functionality and reconnaissance. Performing their reconnaissance, Turla gained an understanding of the network, its hosts, and the architecture. From there, the group introduced QUIETCANARY, a data exfiltration tool, and hastily compressed, staged, and exfiltrated data from the network.
2023 Campaigns
Shuckworm
Another Russian-based group, Shuckworm, has been making their rounds in Ukrainian networks since at least 2014. Ukrainian officials have noted that the group is likely affiliated with the FSB. While they do not use USBs as their initial access vector, the group has been seen implementing self-propagating malware which spreads through the use of USBs.
In a report released by Symantec, Shuckworm gained initial access by launching phishing campaigns. Once inside, additional backdoors would be installed to maintain persistence. Included in the suite of tools downloaded, a Powershell script which is used to spread Pterodo, a backdoor malware, via USB sticks.
The victims of said attacks included Ukrainian military, science, government, and research facilities. The attackers were said to be focused on sensitive machines which held data that could aid the Russian kinetic war effort.
SOGU
One of the most prevalent attacks via USB in recent years, the SOGU malware has been pilfering the secrets of both private and public sector organizations around the world. Uncovered by Mandiant in 2023, the malware has been attributed to TEMP.hex, a China-linked state-sponsored actor.
Most victims of the SOGU malware have been found to be in the pharmaceutical, IT, energy, communications, health, and logistics sectors.
The malicious program drops a batch file in RECYCLE.BIN to perform reconnaissance across the infected host; scanning for MS Office documents, PDFs, and other text files that may contain valuable data. Once it has a set of documents it deems valuable, they will be staged on the C:\ drive and another copy will be put onto the USB flash drive. Eventually, the documents are exfiltrated from the network over HTTP or HTTPS to the C2 server.
Ensuring self-propagation, any new drives connected to the infected host will have a copy of SOGU uploaded to them automatically.
SNOWYDRIVE
UNC4698, a group known to target oil and gas organizations around Asia, has left their mark with SNOWYDRIVE. Another malware identified by Mandiant, SNOWYDRIVE spreads itself through USB drives. Once plugged in, payloads are executed using the Windows Command Prompt, the malware creates local staging directories, and then modifies the Windows registry to maintain persistence.
SNOWYDRIVE includes self-propagation capabilities as well, spreading to any new, infection-free, USB drive plugged into the host. UNC4698’s goal with this malware is simple, data exfiltration.
THE TAKEAWAY
Compromised USBs remain a viable and highly effective attack vector for cyberwarfare and espionage. Their success rate penetrating the target environment makes them a highly preferred method for spies and criminals alike. USB’s have proven themselves to be a significant risk, from low-level criminal attacks to highly complex state-sponsored hacking operations.
While security professionals continue to work to mitigate this risk, the human factor continues to be a proven point of failure.
Since USB drive malware is here to stay, think twice before plugging in a drive.