Yottabytes: Storage and Disaster Recovery

Jun 30 2018   8:41AM GMT

Secure USBs Used to Hack Airgapped PCs

Sharon Fisher Sharon Fisher Profile: Sharon Fisher


A fairly common theme here has been “Don’t poke strange USB sticks in things,” because it’s a common vector for transmitting malware (and reprogramming your keyboard, and setting your PC on fire). Here’s a new take on that. It’s pretty esoteric but now that the technique is out there, it may become more common.

First, you have to understand the concept of an “air gap.” An air gap is actually a plumbing term and refers to the use of air in the system to keep water from going to places it shouldn’t. The term has been applied in computer security to computers that aren’t hooked up to networks, to keep them more secure. “Air-gapped systems are common practice in many countries for government, military, and defense contractors, as well as other industry verticals,” according to Palo Alto Networks researchers who are writing about this.

Second, there is apparently a South Korean defense company that makes “secure USBs.” Exactly what these are and what makes them secure, I haven’t been able to find out. But they are a thing. At least some secure USBs encrypt the data on them. That may or may not be what this particular South Korean secure USB does.

So apparently the deal is this: Some researchers found evidence that hackers have found a way to put malware on these secure USBs, with the intention of targeting these airgapped, otherwise unreachable PCs.

It gets better. The malware only works if the PCs in question are running Microsoft Windows XP or Windows Server 2003.

The organization likely involved with this malware has a history of spearphishing attacks, or email attacks aimed at particular people. In fact, past versions of the organization’s malware used a Happy New Year program, and recipients were asked to change the extension to .exe so that it would play.

Which raises the question – if an organization is paranoid enough to airgap its PCs, wouldn’t you think they’d be smart enough to keep up on their security patches? Unless it’s a system just too old to update, like the nuclear missiles controlled by 8-inch disks. And that’s what researchers suggest. “Outdated versions of Operating Systems are often used in those environments because of no easy-update solutions without internet connectivity,” they write.

Wouldn’t its employees be smart enough not to open a Happy New Year card that’s obviously a program, even if it appeared to come from someone they know?

Researchers feel that this malware might be very specifically targeted to one particular installation where all of these factors would come into play. “This would seem to indicate an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity,” they write. But basically, they put malware on the old machines that look for the secure USB drives, and if one gets plugged in, it looks for the other malware on it and loads it onto the airgapped system.

Exactly what the malware would do once it got there, researchers don’t know. They also don’t know exactly what PCs or even what organization is being targeted. But now that the technique is out there, we may see it in places other than Korea and Japan.

So, the usual warnings still apply:

  • Don’t poke strange USB sticks in things. Even if they’re supposedly secure.
  • Keep your software updated, including your OS.
  • Don’t open strange files in your email, even if they seem to come from someone you know, particularly if they are obviously programs.
  • And if for some reason you have to look at a strange USB stick, or open a strange file in your email, at least use it away from the supersecure airgapped system, recommends Development Standards Technologies, a software development and consulting company.
  • Development Standards also recommends, like a number of security organizations, that you not just depend on keeping people out, but detecting them should they make it in. “Prevention aside, critical systems should have threat detection controls that can alert where an infected drive has been plugged into an endpoint and take remedial steps beyond raising an alarm, such as isolating an infected machine from the rest of the network,” they write.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: