A cyber espionage group known for attacking organizations in Japan and South Korea has targeted USB drives in a likely effort to infect “air gapped” systems, according to new research.
The so-called Tick hacking group has gone after a specific type of USB drive made by an unnamed South Korean defense company, said researchers with cybersecurity company Palo Alto Networks.
The newly revealed malware isn’t part of an active campaign and was likely used in attacks years ago, according to the researchers. Nonetheless, the apparent effort to infiltrate air-gapped systems speaks to the lengths to which advanced hackers will go to reach sensitive infrastructure.
Whereas other malware used by Tick requires an internet connection to reach a command-and-control server, the group’s “SymonLoader” malware needs no such connectivity, according to the researchers. Instead, the malware tries to extract a hidden payload from a plugged-in USB drive – a technique that is “uncommon and hardly reported among other attacks in the wild,” they wrote.
The malware only tries to compromise systems running Microsoft Windows XP or Windows Server 2003, suggesting “an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity,” the researchers added.
The myth that an air gap is a panacea to hacking was punctured by the developers of Stuxnet, the computer worm that destroyed an estimated 1,000 centrifuges at an Iranian enrichment facility beginning in 2009. Air-gapping is now recognized as an important but potentially insufficient measure to protect sensitive assets from advanced hackers.
The research advisory raises questions on how the Tick attack unfolded. Without access to the compromised USB drive and the malicious file likely planted on it, researchers weren’t able to completely reconstruct the attack. They did, however, have “more than enough information” to conclude that the activity they found is very likely malicious.