For much of the cybersecurity industry, malware spread via USB drives represents the quaint hacker threat of the past decade—or the one before that. But a group of China-backed spies appears to have figured out that global organizations with staff in developing countries still keep one foot in the technological past, where thumb drives are passed around like business cards and internet cafés are far from extinct. Over the past year, those espionage-focused hackers have exploited this geographic time warp to bring retro USB malware back to dozens of victims’ networks.
At the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that a China-linked hacker group they’re calling UNC53 has managed to hack at least 29 organizations around the world since the beginning of last year using the old-school approach of tricking their staff into plugging malware-infected USB drives into computers on their networks. While those victims span the United States, Europe, and Asia, Mandiant says many of the infections appear to originate from multinational organizations’ Africa-based operations, in countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In some cases, the malware—in fact, several variants of a more than decade-old strain known as Sogu—appears to have traveled via USB stick from shared computers in print shops and internet cafés, indiscriminately infecting computers in a widespread data dragnet.
Mandiant researchers say the campaign represents a surprisingly effective revival of thumb drive-based hacking that has largely been replaced by more modern techniques, like phishing and remote exploitation of software vulnerabilities. “USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers in regions of the world like Africa. In multiple instances, places like Ghana or Zimbabwe were the infection point for these USB-based intrusions.”
The malware Mandiant found, known as Sogu or sometimes Korplug or PlugX, has been used in non-USB forms by a broad array of largely China-based hacking groups for well over a decade. The remote-access trojan showed up, for instance, in China’s notorious breach of the US Office o...