
The Unusual Trend in Cybersecurity: Nation-States Embracing USBs


Nation-state cyber threat groups have once again resorted to using USB drives as a means to infiltrate highly secure government agencies and critical infrastructure facilities. After a period of decline in popularity, exacerbated by the COVID-19 pandemic lockdowns, USB attacks have resurfaced as an effective method for top-tier threat actors to bypass security measures in sensitive organizations.

During a keynote presentation at CPX 2024 in Las Vegas, Maya Horowitz, vice president of research at Check Point, highlighted that USB drives were the primary infection vector for three prominent threat groups in 2023: China’s Camaro Dragon (also known as Mustang Panda, Bronze President, Earth Preta, Luminous Moth, Red Delta, Stately Taurus), Russia’s Gamaredon (aka Primitive Bear, UNC530, ACTINIUM, Shuckworm, UAC-0010, Aqua Blizzard), and the actors behind Raspberry Robin.

Horowitz noted a shift back to USB attacks among threat actors after a period dominated by cyberattacks over the Internet. She explained, “But usually there are fashions with threat actors — one attack is successful, so others will copy it. I think that this is what we’re starting to see with USB drives, resurfacing this attack vector.”

The resurgence of USB threats has raised concerns within the cybersecurity community. Daniel Wiley, Check Point’s head of threat management, shared a troubling incident involving a power company employee who unknowingly introduced a malware-infected USB drive into their network. The employee received a package resembling an Amazon delivery, which contained a new SanDisk USB drive. Upon connecting the USB to their system, it led to a chain reaction that compromised the company’s VPN and exposed sensitive data.

USB attacks are particularly worrisome for critical infrastructure sectors, where IT and OT networks are typically segregated to prevent Internet-based threats. USB drives serve as a conduit to breach these air-gapped networks, as demonstrated by the notorious Stuxnet malware over a decade ago.

The interconnectivity facilitated by USB drives has enabled the rapid spread of malware across various regions. In one instance, a UK hospital employee unknowingly introduced Camaro Dragon malware into their network after attending a conference in Asia and sharing files via a USB drive. The malware acted as a worm, infecting devices and propagating across different countries.

Similarly, the Raspberry Robin ransomware and Gamaredon’s LitterDrifter worm have leveraged USBs to extend their reach globally, affecting organizations in diverse locations such as Chile, Germany, Poland, South Korea, Ukraine, the US, and Vietnam.

To mitigate the risks associated with USB attacks, organizations are advised to implement protective measures. Simple steps like separating personal and work devices, scanning all external media, and enforcing strict removable device policies can help prevent unauthorized access. Critical infrastructure sectors may need to go a step further by implementing sanitation stations, restricting USB usage, and securing ports to prevent unauthorized connections.

In conclusion, the resurgence of USB threats underscores the importance of maintaining robust cybersecurity practices to safeguard against evolving cyber threats. By staying vigilant and implementing appropriate safeguards, organizations can mitigate the risks posed by USB-borne malware and protect their critical systems and data from malicious actors.
