A cyber-espionage group has been weaponizing presumably secure USB drives to target air-gapped critical systems. The Tick group, discovered by researchers at Palo Alto Networks Unit 42, reportedly targets organizations from Japan and South Korea with custom malware, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.
Though the type of USB drive compromised in the attack was supposed to be certified as secure by the South Korean ITSCC, the Tick group loaded malicious files onto the USBs. The number of drives compromised remains unknown.
“The weaponization of a secure USB drive is an uncommon attack technique and likely done in an effort to spread to air-gapped systems, which are systems that do not connect to the public internet,” Unit 42 wrote. Without possession of a compromised USB drive or access to the malicious file, Unit 42 could not detail all sequences in the attack. Researchers said it is also unclear whether the devices were corrupted through the supply chain or post-manufacturing.
Based on what they have observed, researchers said that the infection process begins with a Trojanized version of legitimate software that starts monitoring storage devices when executed.
"This particular attack bears all the signs of a very specific targeted attack designed to infect particular institutes or machines – not too dissimilar to Stuxnet,” said Javvad Malik, security advocate at AlienVault.
“Employees that work in sensitive organizations that have air-gapped networks should be particularly vigilant against plugging in devices. In some cases, even approved USB drives should be tested in a separate environment prior to being loaded in secure areas.”
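One concrete form of the pre-load test Malik describes is to mount the drive on an isolated machine and inventory its contents before it goes anywhere near the air-gapped network. The script below is an added example, not code from the article, Unit 42 or any vendor quoted here: it walks a mount point, hashes every file, flags executable content by extension and by PE/ELF header bytes (so a binary renamed to look like a document is still caught), flags any `autorun.inf`, and reports files whose SHA-256 is not on an allowlist of expected content. The mount path, the allowlist and the sample files are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types that should not appear on a data-only drive bound for a secure area.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".lnk", ".msi"}
# Header bytes that identify native executables regardless of file name.
MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path):
    """Return a list of reasons a file looks out of place on a data-only drive."""
    reasons = []
    if path.name.lower() == "autorun.inf":
        reasons.append("autorun.inf present")
    if path.suffix.lower() in EXEC_EXTENSIONS:
        reasons.append("executable extension")
    with open(path, "rb") as f:
        head = f.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            reasons.append(f"{kind} header")  # catches renamed binaries
    return reasons


def audit_drive(mount, allowlist):
    """Inventory every file under `mount` (a Path) and return the findings.

    allowlist: set of SHA-256 hex digests of the files expected on the drive.
    Each finding is a dict with the relative path, digest and reasons.
    """
    mount = Path(mount)
    findings = []
    for root, _dirs, files in os.walk(mount):
        for fname in files:
            p = Path(root) / fname
            digest = sha256_of(p)
            reasons = classify(p)
            if digest not in allowlist:
                reasons.append("hash not in allowlist")
            if reasons:
                findings.append({"path": str(p.relative_to(mount)),
                                 "sha256": digest, "reasons": reasons})
    return findings


def build_sample_drive():
    """Constructed sample: a temp directory standing in for a mounted USB drive."""
    d = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (d / "report.txt").write_bytes(b"quarterly figures\n")
    # A PE image renamed to look like an image file (constructed, not a real binary).
    (d / "photo.jpg").write_bytes(b"MZ\x90\x00this is not really a jpeg")
    (d / "autorun.inf").write_bytes(b"[autorun]\nopen=photo.jpg\n")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    expected = {sha256_of(drive / "report.txt")}
    for finding in audit_drive(drive, expected):
        print(finding["path"], finding["sha256"][:12], ", ".join(finding["reasons"]))
```

Run it on the real mount point (for example `audit_drive(Path("/mnt/usb"), expected_hashes)`) from a machine that never joins the secure network; the allowlist is what turns "hash not in allowlist" from noise into a useful signal, so populate it from the hashes recorded when the drive's content was staged.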
In part, the rapid pace of digital transformation enables these types of attacks: the air gap is removed, and modern ICS networks are connected not only to the larger enterprise but to third parties as well.
“Cyber-criminals across the globe are continually developing their strategies and coding, as well as behavior, to stay ahead of market defense strategies. To attack critical infrastructure, employees are often targeted with tactics to identify vulnerabilities such as weak password storage, unsecured remote access pathways, social engineering campaigns and installing malware on USBs,” said Scott Walker, senior solutions engineer, Bomgar.