
Learning from the Mistakes of Others: The G20 & DoD Hacks

By: Nextech | February 17th, 2015


Part 3: The G20 & DoD Hacks

The cybersecurity firm Kaspersky Labs announced this morning that a team of criminal hackers has stolen an estimated total of $1 billion from over a hundred banks in at least twenty-five different countries (including the U.S.), in what security experts are calling one of the largest bank heists in history.  Kaspersky representatives are quoted as saying it is “by far the most successful criminal cyber campaign we have ever seen.”  Exactly how the hackers gained access to so many bank networks has yet to be disclosed, but some theorize that spear-phishing emails or unauthorized password sharing are possible causes.  Then again, the cause might be the same as that of the two hacks we’ll be discussing in this third and final installment—the 2013 G20 Incident and the Department of Defense (DoD) Worm Infection—both of which were the result of mobile storage devices infected with malware.

2013 G20 Summit: History Repeats Itself

A funny (or maybe not so funny) side note: China has been accused of doing the exact same thing at the 2012 G20 Summit that Russia is believed to have done in the 2013 case described below.

At the 2013 G20 Summit, held near St. Petersburg, Russia, dozens of visiting delegates from across the globe were given goodie bags that contained a bunch of “freebie” gifts from their hosts.  Among these gifts were USB sticks (or “thumb drives”), as well as nifty little recharging devices for their cellphones.  What at first glance would appear to be a small gesture of friendship and generosity, however, was in actuality a backhanded (though, one must admit, rather brilliant) attempt at spying.

When the President of the European Council (Herman Van Rompuy) became suspicious of the gifts, he ordered the ones that were given to his delegation to be analyzed by the German secret service and members of their intelligence service.  The USB drives turned out to be infected with a Remote Access Trojan (RAT) that made them capable of downloading and transmitting data from any computer to which they were connected.  The cellphone chargers were also infected, employing spyware that allowed them to capture and transmit data and call activity information from phones while the chargers were in use.  An alert was sent out to all G20 delegations, warning them about the devices, and many have since pointed the finger at their Russian hosts.

Russia continues to deny any involvement, of course, and to this day no one knows exactly what or how much sensitive/private data was copied by these infected devices.  In fact, many delegates have been quick to say they would never have used the free gifts on their professional use devices in the first place and have done their best to downplay the possibility of a breach in the media. A number of Italian newspapers (such as La Stampa) have reported widely on the incident, however, referring to the infected devices as “a poisoned gift.”

The DoD Worm: Operation Buckshot Yankee

Sometime in late 2007, a Department of Defense operative at a base in the Middle East found a USB thumb drive in the parking lot outside the facility.  He probably thought to himself, “Score! Free thumb drive!”  He then took the thumb drive inside and, without scanning it for viruses, inserted it into his work laptop… which was connected to the DoD network.

What the operative didn’t realize was that the USB drive had been left in the parking lot by a foreign intelligence operative (some say from Russia, others blame China or North Korea).  On top of that, the device was infected with a nasty little worm known as “agent.btz.”  The worm infected the operative’s laptop, and then used its connection to upload itself onto the DoD network.  It then spread quietly throughout the network for months, even into classified systems, copying and transmitting top secret defense and intelligence data to an unknown foreign server.  By the time the Pentagon figured out they even had a worm (which wasn’t until the fall of 2008), the infection had spread system-wide.  It took the U.S. government’s top cyber-experts months to pin down the source of the infection (which had to be an awkward moment for the operative who first inserted that “free thumb drive”), and over a year to completely sanitize their system of the worm, in an effort labeled “Operation Buckshot Yankee.”

This “silent-but-deadly” cyberattack blindsided the U.S. government to such a degree that they completely banned the use of thumb drives (and all similar mobile storage devices) by all personnel from November 2008 to February 2010.  This incident also resulted in the creation of the U.S. Cyber Command, tasked with identifying, preventing, and addressing any future cybersecurity threats.  

Both of the above-mentioned cases, while obviously far more serious than those usually experienced by common users, still demonstrate how USB sticks and other mobile storage devices can pose risks to a network’s security.

Handling USB Drives Safely

The only way to be certain that a USB drive (or other storage device) is free of viruses or malware is to take it brand new, out of the box, yourself.  Even then, this only applies to a device you purchased yourself from a well-known manufacturer (Verbatim, Lexar, SanDisk, etc.).  If you’re thinking about saving a few bucks by purchasing a cheaper $5.00 USB stick from a Chinese or generic vendor on eBay or Amazon, you may want to think again.  There is no telling what could be on that thing.  In recent years, a shocking number of electronic devices coming out of China have turned out to be infected with malware (we’re talking about everything from USB drives to high-tech toys to e-cigarettes).

Any USB drive (or other storage device) that comes to you secondhand, or has ever been used by anyone but you, should be scanned with well-vetted antivirus software before use.  But it is important to remember that some of the RATs and other malware delivered through such devices are designed to take advantage of a computer’s “autorun” feature.  This means they begin executing as soon as the device is connected, which also means that scanning the device may not, by itself, prevent the malware from infecting your computer.  To avoid this, you should disable the autorun function on your computer (if present/enabled) before connecting any unfamiliar, secondhand, or questionable storage device to it.  This way you can scan the device for infections before it has a chance to install anything nasty on your system without your knowledge.

So… here’s the takeaway when it comes to dealing with USB sticks and mobile storage devices:

  • Never assume that any secondhand devices, including “free” ones given out for promotional purposes, are clean of malware and safe to use.
  • Disable the autorun function on your computer before inserting any unfamiliar, secondhand, or otherwise questionable storage device into it.
  • Any unfamiliar, secondhand, or otherwise questionable storage devices should be scanned with a well-vetted antivirus software before use.
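As an added example, not code from the Nextech post, the following PowerShell script applies the “disable autorun, then scan” steps above on a Windows workstation. It writes the documented Group Policy registry values that turn off AutoRun for every drive type and stop autorun.inf from being honored, checks that they took effect, and then scans a removable drive. The function names are my own; the scan step assumes Microsoft Defender is the installed antivirus (its `Start-MpScan` cmdlet), and the optional `Disable-UsbStorage` function shows the blunter control the DoD applied during its thumb-drive ban (stopping the USBSTOR driver). Run it from an elevated prompt.

```powershell
# Added example (not from the original post): harden AutoRun on a Windows
# workstation before plugging in an unfamiliar USB drive, then scan it.
# Registry locations are the documented "Turn off Autoplay" /
# "Set the default behavior for AutoRun" policy values.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Read the current policy values; a missing value comes back as $null.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun
        NoAutorun          = $props.NoAutorun
    }
}

function Disable-AutoRun {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # 0xFF is a bit mask covering every drive type, so Autoplay is off for all.
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # 1 = "Do not execute any autorun commands": autorun.inf is ignored.
    Set-ItemProperty -Path $PolicyKey -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    # Verify both values before trusting the machine with an unknown drive.
    $p = Get-AutoRunPolicy
    return (($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1))
}

function Invoke-RemovableDriveScan {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E'
    # Assumes Microsoft Defender; other AV products have their own CLI.
    $root = "${DriveLetter}:\"
    if (-not (Test-Path $root)) { throw "Drive $root is not present" }
    Start-MpScan -ScanPath $root -ScanType CustomScan
    # Any detections land in the Defender threat log.
    Get-MpThreatDetection | Where-Object { $_.Resources -match "^file:_$DriveLetter" }
}

function Disable-UsbStorage {
    # Optional, heavier control: stop Windows from loading the USB mass
    # storage driver at all (Start = 4 means "disabled"). Reverse with 3.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
        -Name 'Start' -Value 4 -Type DWord
}

# Typical flow: harden first, confirm, and only then plug the drive in and scan.
Disable-AutoRun
if (Test-AutoRunDisabled) {
    Write-Host 'AutoRun disabled for all drive types; safe to insert the drive and scan.'
    # Invoke-RemovableDriveScan -DriveLetter 'E'
} else {
    Write-Warning 'AutoRun policy was not applied; do not insert the drive yet.'
}
```

Windows 7 and later (and older systems with the KB971029 update) already refuse to honor autorun.inf on USB media, but the policy values above make the behavior explicit and auditable, which is what you want when you are trying to enforce an office-wide rule rather than rely on defaults.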

Just remember that common sense is your best friend when it comes to keeping your network secure, and a little well-placed vigilance will always serve you far better than blind paranoia.  And, of course, trust your instincts.  If something seems odd, check it out and take steps to get in front of the situation before it becomes a serious problem.

Thank you for following this three-part blog series!  Hopefully, these articles will empower you to take charge of your office’s cybersecurity, and implement new policies that will help both you and your staff to keep everyone’s data and PHI safe from hackers, phishers, data traders, and identity thieves.