Dangerous New USB Malware

News Update: The Current Status of USB Thief and Air-Gap Threats

When ESET first discovered the “USB Thief” Trojan, it was considered a highly unusual, niche weapon designed specifically for stealthy data theft on air-gapped, offline systems. Today, that threat has evolved from a rare novelty into a more aggressive and mainstream cyber espionage tactic.

Here is where the threat stands now.

Is the Original USB Thief Still Active?

The exact 2016 version of USB Thief is largely inactive because major security firms successfully mapped its signature. However, its blueprint, specifically DLL side-loading, where a malicious DLL is placed alongside a portable application such as Notepad++ or Firefox on a USB drive so that the application loads it in place of a legitimate library, became a widely copied framework for state-sponsored hackers.

A Massive Resurgence in USB-Delivered Attacks

Far from being resolved, cybersecurity data shows a dramatic spike in these types of attacks. Global threat intelligence reports, including data from Mandiant and Honeywell, indicate a multi-fold increase in USB-delivered espionage campaigns.

Newer and More Dangerous Variants

Advanced persistent threat groups have replaced the aging USB Thief model with faster and more dangerous variants. The most prevalent modern threats include SOGU, used globally to siphon sensitive intellectual property across manufacturing and government sectors, and SNOWYDRIVE, which creates a persistent backdoor to execute remote commands.

Both threats use the same basic USB-delivery concept that made USB Thief effective in the first place: move the attack through removable media, execute from a trusted-looking portable application, and reach systems that may not be directly connected to the internet.

The Modern Defense

Because these stealthy, portable-application attacks can execute from the drive and bypass standard Windows defenses, cybersecurity agencies increasingly state that traditional antivirus alone is not enough. The stronger defense for corporate, government, and industrial networks has shifted toward strict USB port control at the endpoint, combined with the exclusive use of hardware-encrypted, read-only, or tightly managed removable media.

Data security on the internet is one of the most volatile issues in today’s world. Bug exploits, malicious code, and data-stealing programs created through the constant evolution of web content have led many companies and organizations to remove valuable information from connected systems altogether. A new threat on the hardware front, however, may prove to be a challenge even for this approach to data protection.


A new malware sample, appropriately named “USB Thief,” was discovered by researchers at the award-winning ESET security firm. As its name implies, the malware is completely USB-based, meaning it spreads only through devices connected to a computer via USB ports.

This Trojan has applications in targeted attacks on systems disconnected from the internet, including financial systems such as stock exchanges, military computer networks, and industrial control systems. ESET did not disclose how it discovered USB Thief, but described its most devious characteristic as its ability to avoid detection and resist reverse engineering.

By attaching as a plugin or dynamic-link library (.dll file) within the load chain of typical portable USB applications, USB Thief can run silently in the background when the application launches, completely unbeknownst to the user. Despite stealing images, documents, many other data files, and even copying portions of the Windows registry, the malware leaves no trace on the host system because it exists solely on the USB device.
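The side-loading pattern described here (and in the "Is the Original USB Thief Still Active?" section above) can be audited before a drive is trusted: a DLL sitting next to a portable executable that is either unsigned or signed by someone other than the executable's own publisher is the shape the attack takes. The following PowerShell script is an added example written for this article; it is not ESET's tooling and not part of USB Thief. It assumes `$DriveRoot` is the mounted removable drive (the `E:\` letter is a constructed placeholder) and that the legitimate portable applications on it carry Authenticode signatures.

```powershell
# Added example: flag DLL side-loading candidates on a removable drive.
# Assumption: $DriveRoot is the mounted drive; 'E:\' is a constructed placeholder.
param(
    [string]$DriveRoot = 'E:\'
)

function Get-SideLoadCandidates {
    param([Parameter(Mandatory)][string]$Root)

    $findings = [System.Collections.Generic.List[object]]::new()

    # Group every executable on the drive by the folder it lives in.
    $exeGroups = Get-ChildItem -Path $Root -Recurse -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Group-Object DirectoryName

    foreach ($group in $exeGroups) {
        $dir  = $group.Name
        $exes = $group.Group

        # Publishers of the executables in this folder (unsigned ones contribute nothing).
        $exeSigners = $exes | ForEach-Object {
            (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
        } | Where-Object { $_ } | Sort-Object -Unique

        # Any DLL beside those executables is a load candidate; check its signature.
        $dlls = Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue
        foreach ($dll in $dlls) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll.FullName
            $reason = $null

            if ($sig.Status -ne 'Valid') {
                $reason = "DLL signature status: $($sig.Status)"
            } elseif ($exeSigners -notcontains $sig.SignerCertificate.Subject) {
                $reason = 'DLL signer differs from every executable in the same folder'
            }

            if ($reason) {
                $findings.Add([pscustomobject]@{
                    Directory   = $dir
                    Dll         = $dll.Name
                    Executables = ($exes.Name -join ', ')
                    Reason      = $reason
                })
            }
        }
    }
    return $findings
}

$results = Get-SideLoadCandidates -Root $DriveRoot
if ($results.Count -eq 0) {
    Write-Output "No side-loading candidates found under $DriveRoot"
} else {
    $results | Format-Table -AutoSize
}
```

Run it from an analysis workstation with the drive mounted read-only; a clean portable application typically reports only DLLs signed by the same publisher as its executable, so every row the script prints is worth a closer look rather than an automatic verdict. Signed-but-malicious DLLs are not caught by this check, which is why it complements, rather than replaces, the port-control measures discussed elsewhere in this article.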

As human ingenuity creates powerful and helpful technological advancements, it also introduces risks and dangers such as this. One of the most effective ways to avoid data compromise on isolated networks is to use encrypted and write-protected drives. This ensures the information stored on the drive cannot be modified and prevents malicious libraries or programs from being added to media believed to be safe.
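The endpoint-side half of the defence described here and in "The Modern Defense" above is the Windows policy that stops programs from launching from removable disks and makes such disks read-only. The script below is an added example for this article, not Nexcopy's or Microsoft's own tooling; it writes the registry values behind the "Removable Storage Access" Group Policy settings (the `Deny_Execute` and `Deny_Write` values under the removable-disks class GUID) and the storage-class `WriteProtect` value, and reads them back so the state can be verified. It assumes it runs elevated on a Windows endpoint; in a domain the same values would normally be delivered by Group Policy rather than by a local script.

```powershell
# Added example: enforce and audit removable-disk execute/write restrictions.
# Assumption: run as Administrator on a Windows endpoint.

# Class GUID for "Removable Disks" used by the Removable Storage Access policies.
$RemovableDisksPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Storage-class driver policy; WriteProtect=1 makes USB mass storage read-only.
$StoragePolicy        = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-RemovableDiskRestrictions {
    param(
        [switch]$DenyExecute,   # stop programs launching from removable disks
        [switch]$DenyWrite      # stop data being written to removable disks
    )
    foreach ($path in @($RemovableDisksPolicy, $StoragePolicy)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }
    New-ItemProperty -Path $RemovableDisksPolicy -Name 'Deny_Execute' -PropertyType DWord `
        -Value ([int]$DenyExecute.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $RemovableDisksPolicy -Name 'Deny_Write' -PropertyType DWord `
        -Value ([int]$DenyWrite.IsPresent) -Force | Out-Null
    New-ItemProperty -Path $StoragePolicy -Name 'WriteProtect' -PropertyType DWord `
        -Value ([int]$DenyWrite.IsPresent) -Force | Out-Null
}

function Get-RemovableDiskRestrictions {
    # Returns the configured values; a missing value is reported as 0 (not enforced).
    $read = {
        param($Path, $Name)
        try { Get-ItemPropertyValue -Path $Path -Name $Name -ErrorAction Stop } catch { 0 }
    }
    [pscustomobject]@{
        DenyExecute  = & $read $RemovableDisksPolicy 'Deny_Execute'
        DenyWrite    = & $read $RemovableDisksPolicy 'Deny_Write'
        WriteProtect = & $read $StoragePolicy 'WriteProtect'
    }
}

# Apply the restrictive baseline, then show what is now configured.
Set-RemovableDiskRestrictions -DenyExecute -DenyWrite
Get-RemovableDiskRestrictions
```

The policy values take effect for devices connected after they are set, so re-plug a test drive (or reboot) before confirming that a copied executable no longer launches and that writes are refused. Pair this with the hardware-level write protection the article recommends: the registry policy protects the host from the drive, while controller-level write protection protects the drive's contents from any host it is plugged into.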

Nexcopy is a provider of copy-protected USB drives designed to secure existing data and enforce write protection at the controller level. The company supplies USB security solutions for organizations ranging from large aircraft manufacturers and oil refineries to emergency service training institutions, helping strengthen real-world security efforts.


For more information about their USB software and hardware solutions, including USB duplicators for secure media distribution, visit:
USB Copy Protection

Sources:

ESET
Nexcopy
