Chinese spies have been running an espionage campaign that relies on passing malware from one device to another via USB drives. The group, tracked as UNC53, is allegedly backed by the Chinese government. UNC53 has managed to infiltrate at least 29 organizations around the world since the start of the year.
This information was revealed by the cybersecurity research firm Mandiant. The 29 organizations are mostly multinationals spread across the world; however, the majority of the infections appear to have originated in Africa.
The malware, called Sogu, was traced in Kenya, Tanzania, Ghana, Zimbabwe, Madagascar, Egypt, and other countries. The Chinese spies appear to have figured out that global organizations with staff in developing countries still rely on USB drives to share data. This is why they revived a hacking method that may appear old-fashioned to the cybersecurity world.
“USB infections are back,” says Mandiant researcher Brendan McKeague. “In today’s globally distributed economy, an organization may be headquartered in Europe, but they have remote workers in regions of the world like Africa. In multiple instances, places like Ghana or Zimbabwe were the infection point for these USB-based intrusions.”
Chinese Spies Hack Government Agencies
Mandiant's observation of the USB-hacking campaign has detected new victims as recently as this month. The hackers targeted a range of industries, including consulting, marketing, engineering, construction, mining, education, banking, and pharmaceuticals. More concerning, the campaign also targeted government agencies.
This is another case emphasizing the danger of using your USB drive on public computers and connecting to public Wi-Fi. According to Mandiant, most of the infections were picked up from a shared computer at an internet café or print shop.
Additionally, the malware was found to spread even further on publicly accessible internet-access terminals, a common example being public internet terminals at African airports.
What USB Malware Sogu Does
Once it infects an internet-connected computer, Sogu begins accepting commands to search the host machine and transfer data to a remote server. Further, it duplicates itself to any other USB drive inserted into the PC to continue its machine-to-machine spread.
If Sogu finds itself on an offline computer, it first attempts to turn on the victim's Wi-Fi adapter and, once the Wi-Fi is on, to connect to local networks. If this fails, the malware stores the stolen data in a folder on the infected USB drive itself, where it remains until the drive is plugged into an internet-connected machine.
Thereafter, the illegally accessed data is transferred to the command-and-control server managed by the Chinese spies.