In a surprising turn of events, the use of removable media, particularly USB devices, has resurged as a favoured tactic among industrial cyber attackers. Honeywell's recently released "2024 USB Threat Report" sheds light on this concerning trend, emphasizing its prevalence within Operational Technology (OT) networks.
The report reveals a clear shift in the strategies employed by threat actors, who are now bypassing sophisticated exploitation techniques and zero-day vulnerabilities in favour of leveraging old tools and bugs. Rather than relying on novel malware, attackers are exploiting the inherent capabilities of OT control systems to gain a foothold in industrial networks.
This resurgence of USB-based attacks underscores the critical importance of robust cybersecurity measures within industrial environments. With threat actors exploiting vulnerabilities that may have been overlooked or underestimated, organizations must remain vigilant and implement comprehensive defense strategies to safeguard their OT infrastructure.
Let's Understand Why USBs?
USBs possess a unique advantage that sets them apart from even the most cutting-edge attack methods: the ability to breach air gaps. In high-risk industries like nuclear, military, and finance, air gaps act as physical barriers between Operational Technology (OT) and Information Technology (IT) networks, ensuring no malicious activity can cross over.
Matt Wiseman, director of OT product marketing at OPSWAT, elaborates, "Many operational facilities maintain strict air gaps. Traditional network-based attacks, such as those via email, are ineffective when OT systems are isolated from the internet. To breach such defenses, you need unconventional tactics. USBs and removable media are particularly intriguing because they're the only threat that can be carried across the air gap in your pocket."
Additionally, in a recent report released by Mandiant, alarming details have emerged regarding two separate USB-delivered malware campaigns observed in the current year. The first campaign, dubbed 'Sogu,' has been attributed to the Chinese espionage threat group 'TEMP.HEX.'
Meanwhile, the second campaign, named 'Snowydrive,' has been linked to UNC4698 and specifically targets oil and gas firms in Asia.
Notably, Mandiant's report also references a prior incident in November 2022, where a China-nexus campaign utilized USB devices to infect entities in the Philippines with four distinct malware families. This earlier discovery serves as a precedent, highlighting the recurrence of similar tactics by cyber threat groups with geopolitical motivations.
