For much of the cybersecurity industry, malware spread via USB drives represents the quaint hacker threat of the past decade—or the one before that. But a group of China-backed spies appears to have figured out that global organizations with staff in developing countries still keep one foot in the technological past, where thumb drives are passed around like business cards and internet cafés are far from extinct. Over the past year, those espionage-focused hackers have exploited this geographic time warp to bring retro USB malware back to dozens of victims’ networks.
At the mWise security conference today, researchers from cybersecurity firm Mandiant revealed that a China-linked hacker group they’re calling UNC53 has managed to hack at least 29 organizations around the world since the beginning of last year using the old-school approach of tricking their staff into plugging malware-infected USB drives into computers on their networks. While those victims span the United States, Europe, and Asia, Mandiant says many of the infections appear to originate from multinational organizations’ Africa-based operations, in countries including Egypt, Zimbabwe, Tanzania, Kenya, Ghana, and Madagascar. In some cases, the malware—in fact, several variants of a more than decade-old strain known as Sogu—appears to have traveled via USB stick from shared computers in print shops and internet cafés, indiscriminately infecting computers in a widespread data dragnet.
Mandiant researchers say the campaign represents a surprisingly effective revival of thumb drive-based hacking that has largely been replaced by more modern techniques, like phishing and remote exploitation of software vulnerabilities. “USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers in regions of the world like Africa. In multiple instances, places like Ghana or Zimbabwe were the infection point for these USB-based intrusions.”
The malware Mandiant found, known as Sogu or sometimes Korplug or PlugX, has been used in non-USB forms by a broad array of largely China-based hacking groups for well over a decade. The remote-access trojan showed up, for instance, in China’s notorious breach of the US Office of Personnel Management in 2015, and the Cybersecurity and Infrastructure Security Agency warned about it being used again in a broad espionage campaign in 2017. But in January of 2022, Mandiant began to see new versions of the trojan repeatedly showing up in incident response investigations, and each time it traced those breaches to Sogu-infected USB thumb drives.
Since then, Mandiant has watched that USB-hacking campaign ramp up and infect new victims as recently as this month, stretching across consulting, marketing, engineering, construction, mining, education, banking, and pharmaceuticals, as well as government agencies. Mandiant found that in many cases the infection had been picked up from a shared computer at an internet café or print shop, spreading from machines like a publicly accessible internet-access terminal at the Robert Mugabe Airport in Harare, Zimbabwe. “That’s an interesting case if UNC53’s intended infection point is a place where people are traveling regionally throughout Africa or even possibly spreading this infection internationally outside of Africa,” says Mandiant researcher Ray Leong.
Leong notes that Mandiant couldn’t determine whether any such location was an intentional infection point or “just another stop along the way as this campaign was propagating throughout a particular region.” It also wasn’t entirely clear whether the hackers sought to use their access to a multinational’s operations in Africa to target the company’s European or US operations. In some cases at least, it appeared that the spies were focused on the African operations themselves, given China’s strategic and economic interest in the continent.