IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FBI warns of hackers mailing malicious USB sticks to businesses

The FIN7 cyber crime group is alleged to be behind the months-long wave of attacks against the defence, transportation, and insurance industries

The Federal Bureau of Investigation (FBI) has alerted US businesses to a rise in cyber attacks being committed via the US postal service, with hackers mailing malicious USB sticks to victims and deceiving them into installing malware on machines.

If the USB stick enclosed in the package sent to victims was plugged into a computer, it would lead to a BadUSB attack whereby the USB device would register itself as a keyboard and execute a number of pre-configured keystrokes on the victim's machine, according to the FBI. 

These keystroke scripts would lead to PowerShell commands being executed and to the download and installation of a variety of malware strains that acted as backdoors to the victims' networks to launch future cyber attacks. Resources the attackers installed included vulnerability-scanning and pentest tools such as Metasploit and Cobalt Strike, as well as BlackMatter and REvil ransomware, among others.

Successful cases have been observed by the FBI in which attackers were able to gain administrator access to machines and then move laterally across the victim's network. 

The FBI said the FIN7 hacking group is behind the waves of attacks on US industries since August 2021 - the same group behind the DarkSide and BlackMatter ransomware campaigns. 

Most recently, FIN7 has been targeting the US defence industry since November 2021 but companies in the transportation and insurance sectors were receiving malicious packages as far back as August 2021.

Related Resource

The secure cloud configuration imperative

The central role of cloud security posture management

The secure cloud configuration imperativeFree download

The FBI also said the attackers were using the United States Postal Service (USPS) and United Parcel Service (UPS) to deliver the LilyGO-branded USB sticks pre-loaded with malware, and seemingly came from reputable organisations such as Amazon and the US Department of Health and Human Services (HHS).

"Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defence industries," said the FBI in an alert, as reported by The Record. "The packages were sent using the United States Postal Service and United Parcel Service.

“There are two variations of packages - those imitating HHS are often accompanied by letters referencing COVID-19 guidelines enclosed with a USB; and those imitating Amazon arrived in a decorative gift box containing a fraudulent thank you letter, counterfeit gift card, and a USB."

An ancient attack method

The method of simply plugging in a malicious USB stick into a victim's machine dates back many years and has dubbed various different names in the infosec community during that time. The method may be otherwise known as Rubber Ducky attacks, PoisonTap, USBdriveby, USBharpoon, and BadUSB.

For years, the method has also been used by pentesters with a good degree of success, leveraging human curiosity to see what's on a USB drive they discover by chance. People will often plug a lost, unknown USB stick into their own machine before attempting to return it to its rightful owner - a habit cyber criminals have learned to use to their advantage.

"The use of tangible tools for infection - such as USB sticks, have been and continue to be ever effective, especially in today’s current climate," said Alan Calder, CEO at GRC International Group to IT Pro. "Working from home is now more widespread than a few years ago, and the likelihood of someone receiving a malicious USB stick and plugging it into a PC in an unsupervised setting is much greater.

"Cyber criminals are knowingly using this hybrid working shift to their advantage, which means the need for regular cyber security risk assessments to outline and mitigate these threats has never been greater."

The BadUSB project was first unveiled at Black Hat in 2014 by security researchers at SR Labs, Karsten Nohl and Jakob Lell. The pair showed how the attack method could be used to install malware, as well as steal data and spoof network cards. 

Related Resource

The definitive guide to migrating to the cloud

Migrate apps to the public cloud with multi-cloud infrastructure solutions

Vector clouds against a blue skyFree download

It has since inspired a number of related projects with one hacker applying the principles to a Mac-hacking iPhone lightning cable and dropping them around Def Con in 2019. The malicious iPhone cables allowed attackers to remotely execute commands on a victim's device and were sold for as little as $200 under the radar at the event.

It also isn't the first time FIN7 has made use of the postal system to deliver attacks. In a somewhat similar fashion, FIN7 instead impersonated Best Buy to mail packages with USB sticks to hospitality and retail businesses in March 2020. 

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Sabbath hackers are targeting US schools and hospitals
ransomware

Sabbath hackers are targeting US schools and hospitals

29 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
US and Israel join forces to fight ransomware
ransomware

US and Israel join forces to fight ransomware

15 Nov 2021

Most Popular

Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022