For much of the cybersecurity industry, malware spread via USB drives represents the quaint hacker threat of the past decade—or the one before that. But a group of China-backed spies appears to have figured out that global organizations with staff in developing countries still keep one foot in the technological past, where thumb drives are passed around like business cards and internet cafés are far from extinct. Over the past year, those espionage-focused hackers have exploited this geographic time warp to bring retro USB malware back to dozens of victims’ networks.
At the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that a China-linked hacker group they’re calling UNC53 has managed to hack at least 29 organizations around the world since the beginning of last year using the old-school approach of tricking their staff into plugging malware-infected USB drives into computers on their networks. While those victims span the United States, Europe, and Asia, Mandiant says many of the infections appear to originate from multinational organizations’ Africa-based operations, in countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In some cases, the malware—in fact, several variants of a more than decade-old strain known as Sogu—appears to have traveled via USB stick from shared computers in print shops and internet cafés, indiscriminately infecting computers in a widespread data dragnet.
Mandiant researchers say the campaign represents a surprisingly effective revival of thumb drive-based hacking that has largely been replaced by more modern techniques, like phishing and remote exploitation of software vulnerabilities. “USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers in regions of the world like Africa. In multiple instances, places like Ghana or Zimbabwe were the infection point for these USB-based intrusions.”
The malware Mandiant found, known as Sogu or sometimes Korplug or PlugX, has been used in non-USB forms by a broad array of largely China-based hacking groups for well over a decade. The remote-access trojan showed up, for instance, in China’s notorious breach of the US Office of Personnel Management disclosed in 2015, and the US government’s US-CERT, whose functions now sit within the Cybersecurity and Infrastructure Security Agency, warned in 2017 that it was being used again in a broad espionage campaign. But in January of 2022, Mandiant began to see new versions of the trojan repeatedly showing up in incident response investigations, and each time it traced those breaches to Sogu-infected USB thumb drives.
Since then, Mandiant has watched that USB-hacking campaign ramp up and infect new victims as recently as this month, stretching across consulting, marketing, engineering, construction, mining, education, banking, and pharmaceuticals, as well as government agencies. Mandiant found that in many cases the infection had been picked up from a shared computer at an internet café or print shop, spreading from machines like a publicly accessible internet-access terminal at the Robert Mugabe Airport in Harare, Zimbabwe. “That’s an interesting case if UNC53’s intended infection point is a place where people are traveling regionally throughout Africa or even possibly spreading this infection internationally outside of Africa,” says Mandiant researcher Ray Leong.
Leong notes that Mandiant couldn’t determine whether any such location was an intentional infection point or “just another stop along the way as this campaign was propagating throughout a particular region.” It also wasn’t entirely clear whether the hackers sought to use their access to a multinational’s operations in Africa to target the company’s European or US operations. In some cases at least, it appeared that the spies were focused on the African operations themselves, given China’s strategic and economic interest in the continent.
The new Sogu campaign’s method of spreading USB infections might seem a particularly indiscriminate way to conduct espionage. But, like the software supply chain attacks or watering hole attacks that Chinese state-sponsored spies have repeatedly carried out, this approach may allow the hackers to cast a wide net and sort through their victims for specific high-value targets, McKeague and Leong suggest. They also argue that it means the hackers behind the campaign likely have significant human resources to “sort and triage” the data they steal from those victims to find useful intelligence.
The Sogu USB malware uses a series of simple but clever tricks to infect machines and steal their data, including in some cases even accessing “air-gapped” computers with no internet connection. When an infected USB drive is inserted into a system, it doesn’t automatically run, given that modern Windows machines have autorun disabled by default for USB devices. Instead, it tries to trick users into running an executable file on the drive by naming that file after the drive itself or, if the drive has no name, the more generic “removable media”, a ruse designed to fool the user into unthinkingly clicking the file when they attempt to open the drive. The ruse works because Windows Explorer hides known file extensions by default, so an executable named after the volume label is displayed as the label alone rather than as a .exe, and a user who just double-clicked the drive sees what looks like its contents folder. The Sogu malware then copies itself into a hidden folder on the machine.
On a normal internet-connected computer, the malware beacons to a command-and-control server, then starts accepting commands to search the victim machine or upload its data to that remote server. It also copies itself to any other USB drive inserted into the PC to continue its machine-to-machine spread. If one variant of the Sogu USB malware instead finds itself on an air-gapped computer, it first attempts to turn on the victim’s Wi-Fi adapter and connect to local networks. If that fails, it puts stolen data in a folder on the infected USB drive itself, storing it there until it’s plugged into an internet-connected machine where the stolen data can be sent to the command-and-control server.
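The two on-disk traces described above, a root-level executable named after the drive label (or “Removable Media”) and a payload copy tucked into a hidden folder, are something a responder can check for with a few lines of code. The following scanner is an added example written for this article, not Mandiant’s tooling or anything from the Sogu samples; the executable-extension list, the hidden-folder heuristic and the sample drive it builds are all assumptions for illustration, and the sample files are constructed placeholders, not malware.

```python
"""Scan a mounted removable drive (or any directory) for the USB-lure pattern
described above: an executable at the drive root named after the volume label
(or "Removable Media" for an unlabelled drive), plus executables hidden in
folders. Heuristic only; extension list, names and sample files are assumed."""
import os
import stat
import tempfile

# Extensions a double-click will execute on Windows (assumed list, extend as needed)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
GENERIC_LURE = "removable media"   # fallback name used when the drive has no label


def is_hidden(path):
    """Hidden attribute on Windows (st_file_attributes); dot-prefix elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def find_lures(root, volume_label=""):
    """Return sorted (relative_path, reason) pairs for suspicious entries under root."""
    lure_names = {GENERIC_LURE}
    if volume_label:
        lure_names.add(volume_label.lower())
    findings = []

    # 1. Root-level executable whose stem equals the drive label: the click-bait
    #    file a user mistakes for the drive's own folder (Explorer hides ".exe").
    for name in os.listdir(root):
        full = os.path.join(root, name)
        stem, ext = os.path.splitext(name)
        if os.path.isfile(full) and ext.lower() in EXECUTABLE_EXT and stem.lower() in lure_names:
            findings.append((name, "executable named after the drive"))

    # 2. Executables inside hidden directories, where a payload copy would sit.
    for dirpath, dirnames, _ in os.walk(root):
        hidden = [d for d in dirnames if is_hidden(os.path.join(dirpath, d))]
        for d in hidden:
            dirnames.remove(d)  # walked here; keep os.walk from descending again
            for inner, _, files in os.walk(os.path.join(dirpath, d)):
                for f in files:
                    if os.path.splitext(f)[1].lower() in EXECUTABLE_EXT:
                        rel = os.path.relpath(os.path.join(inner, f), root)
                        findings.append((rel.replace(os.sep, "/"), "executable in hidden folder"))
    return sorted(findings)


def build_sample_drive(volume_label="TRAVEL"):
    """Constructed sample tree (placeholder bytes, not real malware); returns its root."""
    root = tempfile.mkdtemp(prefix="usbscan_")
    lure = (volume_label or "Removable Media") + ".exe"
    for rel in [lure, "Report.docx", "photos/holiday.jpg",
                ".cache/update.exe", ".cache/notes.txt"]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    drive = build_sample_drive("TRAVEL")
    for path, reason in find_lures(drive, "TRAVEL"):
        print(f"{reason:34s} {path}")
```

Point `find_lures` at the drive’s mount point and pass the volume label exactly as Explorer shows it; matching is case-insensitive, and an empty label makes the scanner look for the “Removable Media” fallback instead. A hit on either check is a reason to pull the drive for imaging rather than to open it, since the lure only fires when someone double-clicks it.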
An espionage-focused tool producing this many USB-based infections is a rare sight in 2023. Sogu’s USB propagation is more reminiscent of tools like the Flame malware, widely attributed to the NSA, which was discovered in 2012 and also used USB drives to reach air-gapped systems, or even the Russian Agent.btz malware that was found inside Pentagon networks in 2008.
Surprisingly, however, the Sogu campaign is just part of a broader resurgence of USB malware that Mandiant has spotted in recent years, the researchers say. In 2022, for instance, they saw a massive spike in infections from a piece of cybercrime-focused USB malware known as Raspberry Robin. And just this year, they spotted another strain of USB-based espionage malware known as Snowydrive being used in seven network intrusions.
All of this, McKeague and Leong argue, means that network defenders shouldn’t fool themselves into thinking that USB infections are a solved problem—particularly in global networks that include operations in developing countries. They should be aware that state-sponsored hackers are carrying out active espionage campaigns via those USB sticks. “In North America and Europe, we think this is an old infection vector that’s been locked down,” Leong says. “But there are exposures in this other geography that are being targeted. It’s still relevant, and it’s still being exploited.”