IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FBI warns of hackers mailing malicious USB sticks to businesses

The FIN7 cyber crime group is alleged to be behind the months-long wave of attacks against the defence, transportation, and insurance industries

The Federal Bureau of Investigation (FBI) has alerted US businesses to a rise in cyber attacks being committed via the US postal service, with hackers mailing malicious USB sticks to victims and deceiving them into installing malware on machines.

If the USB stick enclosed in the package sent to victims was plugged into a computer, it would lead to a BadUSB attack whereby the USB device would register itself as a keyboard and execute a number of pre-configured keystrokes on the victim's machine, according to the FBI. 

These keystroke scripts would lead to PowerShell commands being executed and to the download and installation of a variety of malware strains that acted as backdoors to the victims' networks to launch future cyber attacks. Resources the attackers installed included vulnerability-scanning and pentest tools such as Metasploit and Cobalt Strike, as well as BlackMatter and REvil ransomware, among others.

Successful cases have been observed by the FBI in which attackers were able to gain administrator access to machines and then move laterally across the victim's network. 

The FBI said the FIN7 hacking group is behind the waves of attacks on US industries since August 2021 - the same group behind the DarkSide and BlackMatter ransomware campaigns. 

Most recently, FIN7 has been targeting the US defence industry since November 2021 but companies in the transportation and insurance sectors were receiving malicious packages as far back as August 2021.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

The FBI also said the attackers were using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the LilyGO-branded USB sticks pre-loaded with malware, and seemingly came from reputable organisations such as Amazon and the US Department of Health and Human Services (HHS).

"Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defence industries," said the FBI in an alert, as reported by The Record. "The packages were sent using the United States Postal Service and United Parcel Service.

“There are two variations of packages - those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB."

An ancient attack method

The method of simply plugging in a malicious USB stick into a victim's machine dates back many years and has dubbed various different names in the infosec community during that time. The method may be otherwise known as Rubber Ducky attacks, PoisonTap, USBdriveby, USBharpoon, and BadUSB.

For years, the method has also been used by pentesters with a good degree of success, leveraging human curiosity to see what's on a USB drive they discover by chance. People will often plug a lost, unknown USB stick into their own machine before attempting to return it to its rightful owner - a habit cyber criminals have learned to use to their advantage.

"The use of tangible tools for infection - such as USB sticks, have been and continue to be ever effective, especially in today’s current climate," said Alan Calder, CEO at GRC International Group to IT Pro. "Working from home is now more widespread than a few years ago, and the likelihood of someone receiving a malicious USB stick and plugging it into a PC in an unsupervised setting is much greater.

"Cyber criminals are knowingly using this hybrid working shift to their advantage, which means the need for regular cyber security risk assessments to outline and mitigate these threats has never been greater."

The BadUSB project was first unveiled at Black Hat in 2014 by security researchers at SR Labs, Karsten Nohl and Jakob Lell. The pair showed how the attack method could be used to install malware, as well as steal data and spoof network cards. 

Related Resource

The definitive guide to migrating to the cloud

Migrate apps to the public cloud with multi-cloud infrastructure solutions

Vector clouds against a blue skyFree download

It has since inspired a number of related projects with one hacker applying the principles to a Mac-hacking iPhone lightning cable and dropping them around Def Con in 2019. The malicious iPhone cables allowed attackers to remotely execute commands on a victim's device and were sold for as little as $200 under the radar at the event.

It also isn't the first time FIN7 has made use of the postal system to deliver attacks. In a somewhat similar fashion, FIN7 instead impersonated Best Buy to mail packages with USB sticks to hospitality and retail businesses in March 2020. 

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

Ransomware now strikes one in 40 organisations per week, Check Point finds
ransomware

Ransomware now strikes one in 40 organisations per week, Check Point finds

27 Jul 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022

Most Popular

What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023
Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
Windows 10 users locked out of devices by unskippable Microsoft 365 advert
bugs

Windows 10 users locked out of devices by unskippable Microsoft 365 advert

3 Feb 2023