Third state-sponsored strain of malware unveiled this week that can cross the air gap and hit isolated networks.
Hackers suspected to be working in the Chinese government’s interest have targeted Taiwanese and Philippine military air-gapped networks.
Trend Micro says that the attacks were carried out by a party called Tropic Trooper, also known as KeyBoy.
The attacks use USBferry, a malware strain with a feature that lets it copy itself onto removable USB devices such as thumb drives and portable storage systems.
Trend Micro says the purpose of these attacks was to enable hackers to reach within air-gapped (isolated, internet-disconnected) Taiwanese and Philippine military-operated networks, and other targets.
The malware first infects a server with fewer security safeguards, then waits for a USB device to be connected, infects that device, and waits to be ferried to other parts of the victim's internal network.
On the new host, USBferry gathers confidential documents into the USB device's own storage and waits until the device is ferried back to an internet-connected machine, from which it returns the data to Tropic Trooper's command and control servers.
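The propagation and staging workflow described above leaves two artefacts on a transfer drive that a defender can check for: an executable that has no business on a data-transfer device, and a bundle of office documents staged in one directory. The following is an added example, not code from the Trend Micro report or from the USBferry samples it describes; the file names, the document-count threshold and the demo volume it builds are all constructed assumptions for illustration.

```python
"""Audit a mounted removable volume for artefacts of a USB 'ferry' workflow.

Added example; not from the Trend Micro report. All names, thresholds and
sample files below are constructed assumptions, not USBferry indicators.
"""
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass

# Assumption: a data-transfer drive is expected to carry documents, not code.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
EXEC_EXTENSIONS = {".exe", ".dll", ".scr"}
STAGING_THRESHOLD = 5  # assumption: more documents than this in one directory


@dataclass
class Finding:
    path: str
    reason: str


def looks_like_pe(path: str) -> bool:
    """A Windows executable starts with the 'MZ' DOS header, whatever its name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def is_hidden(path: str) -> bool:
    """Dotfile on POSIX, or the HIDDEN attribute on Windows (st_file_attributes)."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit_removable_volume(root: str) -> list:
    """Walk the volume and return a Finding for each suspicious artefact."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        doc_count = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() == "autorun.inf":
                findings.append(Finding(path, "autorun.inf present"))
            if looks_like_pe(path):
                reason = "PE executable on data drive"
                if ext not in EXEC_EXTENSIONS:
                    reason += " with non-executable extension"
                findings.append(Finding(path, reason))
            elif is_hidden(path):
                findings.append(Finding(path, "hidden file"))
            if ext in DOC_EXTENSIONS:
                doc_count += 1
        if doc_count > STAGING_THRESHOLD:
            findings.append(Finding(dirpath, f"{doc_count} documents in one directory (possible staging)"))
    return findings


def build_demo_volume() -> str:
    """Constructed sample volume: one benign document, one PE disguised as a PDF,
    and a hidden directory holding more documents than the staging threshold."""
    root = tempfile.mkdtemp(prefix="usb_demo_")
    with open(os.path.join(root, "minutes.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04 placeholder, not a real docx")
    with open(os.path.join(root, "scan.pdf"), "wb") as fh:
        fh.write(b"MZ\x90\x00 placeholder PE header")
    staging = os.path.join(root, ".cache")
    os.makedirs(staging)
    for i in range(6):
        with open(os.path.join(staging, f"doc{i}.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 placeholder")
    return root


if __name__ == "__main__":
    demo = build_demo_volume()
    try:
        for finding in audit_removable_volume(demo):
            print(f"{finding.reason}: {finding.path}")
    finally:
        shutil.rmtree(demo)
```

The check keys on file content (the `MZ` header) rather than extension, because the workflow in the text depends on the executable being carried unnoticed among documents; run it against the mount point of a drive before it is allowed near an isolated system, alongside whatever quarantine step the organisation already uses.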
Six years have passed since the attacks
Trend Micro says that since 2018 it has been tracking attacks with the USBferry malware, but that older incidents have been traced back to 2014 when Tropic Trooper appears to have first deployed the malware.
The hacker group has historically focused on stealing defense- and maritime-related intelligence from Taiwan and the Philippines.
Military and navy departments, government institutions, national banks, and military hospitals were attacked.
Trend Micro said these entities were targeted by hackers as initial footholds to leap “the air gap” to adjacent networks, sometimes across government organizations.
“Tropic Trooper is aware that major military or government entities might have security measures in place in physically isolated environments, such as the use of biometrics, safe USB for data transmission or plugging the USB device into a quarantined computer before using it in a physically isolated environment,” Trend Micro researchers said in a report published Tuesday.
“Tropic Trooper then prefers to target associated institutions and use them as initial footholds. In this case, we demonstrated how Tropic Trooper actors effectively moved from a military hospital to a physically separated network of the military.”
Trend Micro said that while Tropic Trooper in the past targeted a wide variety of victims, the most recent attacks it found were against the physically isolated networks of the Taiwanese and Philippine militaries.
Interest in air-gapped networks is increasing
Trend Micro's 36-page USBferry report contains a technical overview of the USBferry malware along with indicators of compromise.
Trend Micro’s USBferry study is the third of its kind released this week describing malware created by state-sponsored hackers that can leap over the air gap into isolated networks. The other two findings are the Ramsay malware report by ESET, and the COMpfun report by Kaspersky.
All three reports point to growing interest among nation-state hacking groups in building malware capable of penetrating air-gapped networks.