Chinese Spies Infected Dozens of Networks With Thumb Drive Malware

6 days ago 14

For overmuch of the cybersecurity industry, malware dispersed via USB drives represents the quaint hacker menace of the past decade—or the 1 earlier that. But a radical of China-backed spies appears to person figured retired that planetary organizations with unit successful processing countries inactive support 1 ft successful the technological past, wherever thumb drives are passed astir similar concern cards and net cafés are acold from extinct. Over the past year, those espionage-focused hackers person exploited this geographic clip warp to bring retro USB malware backmost to dozens of victims’ networks.

At the mWise information league today, researchers from cybersecurity steadfast Mandiant revealed that a China-linked hacker radical they’re calling UNC53 has managed to hack astatine slightest 29 organizations astir the satellite since the opening of past twelvemonth utilizing the old-school attack of tricking their unit into plugging malware-infected USB drives into computers connected their networks. While those victims span the United States, Europe, and Asia, Mandiant says galore of the infections look to originate from multinational organizations’ Africa-based operations, successful countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In immoderate cases, the malware—in fact, respective variants of a much than decade-old strain known arsenic Sogu—appears to person traveled via USB instrumentality from shared computers successful people shops and net cafés, indiscriminately infecting computers successful a wide information dragnet.

Mandiant researchers accidental the run represents a amazingly effectual revival of thumb drive-based hacking that has mostly been replaced by much modern techniques, similar phishing and distant exploitation of bundle vulnerabilities. “USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an enactment whitethorn beryllium headquartered successful Europe, but they person distant workers successful regions of the satellite similar Africa. In aggregate instances, places similar Ghana oregon Zimbabwe were the corruption constituent for these USB-based intrusions.”

The malware Mandiant found, known arsenic Sogu oregon sometimes Korplug oregon PlugX, has been utilized successful non-USB forms by a wide array of mostly China-based hacking groups for good implicit a decade. The remote-access trojan showed up, for instance, successful China’s notorious breach of the US Office of Personnel Management successful 2015, and the Cybersecurity and Infrastructure Security Agency warned astir it being utilized again successful a broad espionage run successful 2017. But successful January of 2022, Mandiant began to spot caller versions of the trojan repeatedly showing up successful incidental effect investigations, and each clip it traced those breaches to Sogu-infected USB thumb drives.

Since then, Mandiant has watched that USB-hacking run ramp up and infect caller victims arsenic precocious arsenic this month, stretching crossed consulting, marketing, engineering, construction, mining, education, banking, and pharmaceuticals, arsenic good arsenic authorities agencies. Mandiant recovered that successful galore cases the corruption had been picked up from a shared machine astatine an net café oregon people shop, spreading from machines similar a publically accessible internet-access terminal astatine the Robert Mugabe Airport successful Harare, Zimbabwe. “That’s an absorbing lawsuit if UNC53’s intended corruption constituent is simply a spot wherever radical are traveling regionally passim Africa oregon adjacent perchance spreading this corruption internationally extracurricular of Africa,” says Mandiant researcher Ray Leong.

Leong notes that Mandiant couldn’t find whether immoderate specified determination was an intentional corruption constituent oregon “just different halt on the mode arsenic this run was propagating passim a peculiar region.” It besides wasn’t wholly wide whether the hackers sought to usage their entree to a multinational’s operations successful Africa to people the company’s European oregon US operations. In immoderate cases astatine least, it appeared that the spies were focused connected the African operations themselves, fixed China’s strategical and economical involvement successful the continent.

Read Entire Article