On Sunday, March 30, U.S. Secret Service agents apprehended a 28-year-old Chinese woman by the name of Yujing Zhang attempting to sneak onto President Donald Trump’s Mar-a-Lago resort in Florida.
On Zhang’s person at the time were four cell phones, a laptop, an external hard drive and one thumb drive, the contents of which were virulent enough to nearly corrupt the computer of the trained data forensics analyst asked to examine it.
Secret Service Agent Samuel Ivanovich, who arrested Zhang, testified in a hearing Monday that the drive immediately began installing malware on the analyst’s machine after he began an examination.
“He had to immediately stop the analysis and shut off his computer to halt the corruption,” Mr. Ivanovich said, calling the incident “very out of the ordinary.”
As for how extraordinary that might have been, a spokesperson for the Secret Service was unable to comment on the specifics of this case ― so we can’t definitively say what happened ― but he assured HuffPost that basic security protocols were followed.
Contrary to speculation on the internet surrounding the incident, the Secret Service said a data forensics agent would never just pick up a thumb drive and plug it into a laptop.
Instead of plugging the USB drive directly into a computer, protocol calls for creating an image of the drive, replicating its contents in a structure that can be more safely examined, the spokesperson said. Under no circumstance should an examination take place on a computer connected to a network, which could put the entire network at risk, he added.
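As an added illustration of the imaging-first protocol the spokesperson describes (example code written for this article, not anything the Secret Service or its analysts use): an acquired raw image is first checked against the hash recorded at acquisition, and its partition table is then read straight from the bytes, so nothing on the drive is ever mounted or executed. The image, its partition entries and the hash are constructed here for the example.

```python
import hashlib
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_image() -> bytes:
    """Constructed stand-in for an acquired raw image: an MBR with a bootable
    FAT32 entry and an NTFS entry, then a few empty sectors. Not real evidence;
    the sample is deliberately truncated so the second entry overruns it."""
    img = bytearray(SECTOR * 32)
    entries = [
        (0x80, 0x0C, 2, 16),        # bootable, FAT32 (LBA), fits inside the image
        (0x00, 0x07, 2048, 8192),   # NTFS, claims space the image does not contain
    ]
    for i, (status, ptype, start, count) in enumerate(entries):
        off = 446 + 16 * i
        img[off:off + 16] = struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xAA"  # MBR boot signature
    return bytes(img)

def sha256_hex(data: bytes) -> str:
    """Hash recorded at acquisition time and re-checked before every examination."""
    return hashlib.sha256(data).hexdigest()

def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Only a copy whose hash still matches the acquisition record gets examined."""
    return sha256_hex(image) == acquisition_hash

def parse_mbr(image: bytes) -> list:
    """Enumerate MBR partition entries directly from the image bytes. No
    filesystem driver or autorun logic ever touches the data."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature; not a conventional MBR image")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, image[off:off + 16])
        if ptype == 0x00:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": start,
            "sectors": count,
            # an entry reaching past the image is corrupt or deceptive metadata: worth flagging
            "within_image": (start + count) * SECTOR <= len(image),
        })
    return parts
```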
But that assurance isn’t enough for experts, who say the Secret Service’s story doesn’t quite add up.
Sometimes an analyst will deliberately infect a sacrificial computer just to see how the malware operates, but that’s not what happened here: the agent’s computer may have ended up as such a sacrificial machine, but not by design.
And it’s worrisome that the analyst had to abruptly shut down the examination partway through, which suggests the analysis may not have been conducted under proper conditions.
“In a lab, you want that malicious behavior to happen to its full level of badness so you can study how it operates,” Jake Williams, founder of the cybersecurity company Rendition Infosec, told the Washington Post. “If he yanked the USB drive out to prevent further contamination, that’s highly indicative this wasn’t in a lab.”
(As an aside: Instead of using a malware-infected USB drive, a pro could break into Mar-a-Lago’s wifi network via a boat parked just offshore with shocking ease, a joint investigation by Gizmodo and ProPublica found in 2016.)
As for what did happen, that’s a little harder to say without knowing the particulars, especially since analysis of the malware-laden thumb drive is still ongoing.
Regardless, it does serve as yet another cautionary tale for anyone tempted to hang onto a USB drive with unknown origins.
“Physical media like USB drives are a well-known method for delivering malware, used in both highly targeted and indiscriminate attacks,” said Greg Pollock, VP of Product, BreachSight at UpGuard, a cybersecurity company.
“A USB drive that has not been in your control should be treated like unattended luggage at the airport: probably full of someone’s boring laundry, but potentially containing a dangerous surprise.”