Hackers believed to be operating in the interests of the Chinese government have targeted the air-gapped networks of the Taiwanese and Philippine militaries.
Trend Micro says the attacks have been carried out by a group known as Tropic Trooper, also known as KeyBoy.
The attacks involved USBferry, a malware strain that can copy itself onto removable USB devices, such as thumb drives and portable storage drives, and use them to spread.
Trend Micro says the point of these attacks was to allow hackers to reach inside air-gapped (isolated, internet-disconnected) networks operated by the Taiwanese and the Philippine militaries, and other targets.
The malware would first infect a less protected, internet-connected system, wait for a USB device to be plugged in, copy itself onto the device, and then rely on that device being carried into other parts of the victim's internal network, including the isolated segment.
On the isolated host, USBferry would gather sensitive documents and stage them on the USB drive's own storage, then wait for the drive to be carried back to an internet-connected machine, where it would send the data to Tropic Trooper's command-and-control servers.
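The staging half of that workflow leaves a host-level trace: a process that is not the user's file manager writes an executable (or a lure shortcut) onto a removable drive, or copies a burst of documents onto it. The following Python is an added example written for this page, not Trend Micro's detection logic or anything taken from the USBferry report. It runs over constructed Sysmon-style FileCreate (Event ID 11) records; the drive letter, the process names, the extension lists, the thresholds and the records themselves are all assumptions.

```python
"""Heuristic for the USB-ferry staging pattern: a non-interactive process drops an
executable or shortcut onto a removable drive, or copies a burst of documents onto
it. Runs over constructed Sysmon-style FileCreate (Event ID 11) records.
Added illustration for this page; not Trend Micro's detection logic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ntpath

# Constructed sample: (UTC timestamp, writing process image, path created).
# Drive E: is assumed removable; svc.exe is a made-up process name.
SAMPLE_EVENTS = [
    ("2020-05-12T09:00:01", r"C:\Windows\explorer.exe", r"E:\notes.txt"),
    ("2020-05-12T09:00:07", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\update.exe"),
    ("2020-05-12T09:00:09", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\Report.lnk"),
    ("2020-05-12T09:01:00", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\sys\a.docx"),
    ("2020-05-12T09:01:02", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\sys\b.xlsx"),
    ("2020-05-12T09:01:03", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\sys\c.pdf"),
    ("2020-05-12T09:01:05", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\sys\d.doc"),
    ("2020-05-12T09:01:06", r"C:\Users\u\AppData\Roaming\svc.exe", r"E:\sys\e.pptx"),
    ("2020-05-12T09:30:00", r"C:\Windows\explorer.exe", r"E:\holiday.jpg"),
]

REMOVABLE_DRIVES = {"E:"}   # assumed; in practice fed from device-arrival events
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".lnk"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}
INTERACTIVE = {r"c:\windows\explorer.exe"}   # user-driven copies are expected
DOC_BURST = 5                 # documents from one process within BURST_WINDOW
BURST_WINDOW = timedelta(minutes=2)


def detect_ferry(events):
    """Return a list of alert dicts for suspicious writes to removable drives."""
    alerts = []
    doc_writes = defaultdict(deque)   # (image, drive) -> recent doc-write times
    alerted = set()                   # one burst alert per (image, drive)
    for ts, image, path in sorted(events):
        drive = ntpath.splitdrive(path)[0].upper()
        if drive not in REMOVABLE_DRIVES or image.lower() in INTERACTIVE:
            continue
        ext = ntpath.splitext(path)[1].lower()
        t = datetime.fromisoformat(ts)
        if ext in EXEC_EXTS:
            # Implant (or a lure shortcut) being staged on the drive.
            alerts.append({"rule": "exec_dropped_on_removable", "time": ts,
                           "image": image, "path": path})
        elif ext in DOC_EXTS:
            key = (image, drive)
            window = doc_writes[key]
            window.append(t)
            # Sliding window: forget writes older than BURST_WINDOW.
            while window and t - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= DOC_BURST and key not in alerted:
                alerted.add(key)
                alerts.append({"rule": "doc_burst_on_removable", "time": ts,
                               "image": image, "drive": drive, "count": len(window)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ferry(SAMPLE_EVENTS):
        print(alert)
```

On the sample above the detector raises two executable-drop alerts (the .exe and the .lnk) and one document-burst alert for the fifth document copied by the same process within two minutes. The INTERACTIVE allowlist is the main tuning knob: it suppresses ordinary user copies but also means an attacker who injects into the file manager is not caught by this rule alone, so in practice it should be paired with the drive's device-arrival events and a whitelist of sanctioned transfer tools.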
Attacks have been going on for six years
Trend Micro says it’s been tracking attacks with the USBferry malware since 2018, but that older incidents have been traced back to 2014 when Tropic Trooper appears to have deployed the malware for the first time.
Historically, the hacker group has been interested in stealing defense and marine-related intelligence from Taiwan and the Philippines.
The group targeted military and navy agencies, government institutions, national banks, and military hospitals.
Trend Micro said hackers targeted these institutions as initial footholds to jump “the air gap” to adjacent networks, sometimes across government organizations.
“Tropic Trooper is aware that main military or government agencies may have protection strategies in place in physically isolated environments, such as the use of biometrics, secure USB for data transfers, or plugging the USB device into a quarantined machine before using it in a physically isolated environment,” Trend Micro researchers said in a report released on Tuesday.
“Therefore, Tropic Trooper chooses to target related organizations and use them as initial footholds. In this case, we observed how Tropic Trooper actors successfully moved from a military hospital to the military’s physically isolated network.”
Trend Micro said that while Tropic Trooper targeted a broad array of victims in the past, the most recent attacks it detected were against the Taiwanese and the Philippine military’s physically isolated environments.
Growing interest in air-gapped networks
A technical breakdown of the USBferry malware along with indicators of compromise is available in Trend Micro’s 36-page USBferry report.
Trend Micro’s USBferry report is the third report of its kind published this week detailing malware developed by state-sponsored hackers that can jump across the air gap to isolated networks. The other two reports are ESET’s report on the Ramsay malware and Kaspersky’s report on COMpfun.
All three reports point to a growing interest among nation-state hacking groups in developing malware capable of breaching air-gapped networks.