The FBI (Federal Bureau of Investigation) warned that a “prolific Eastern European cybercriminal group” has tried to hack U.S. companies in the transportation, defence and insurance sectors by mailing them malicious USB drives. If inserted into a computer, the USB stick could create the opportunity for ransomware attacks or the deployment of other malicious software
According to the FBI, the unnamed companies received a series of fake letters via the US Postal Service and UPS from August to November of last year. The letters impersonated the Department of Health and Human Services, and even Amazon in some cases.
There’s no information on if these recent attempts have managed to compromise the firms they were attacking. But the FBI did pin the group as FIN7—a cybercrime operation that U.S. prosecutors have blamed for billions of dollars in losses to consumers and businesses. They were reported to have stolen over USD 1 billion via various financial-hacking schemes.
In April last year, a “high-level manager” of FIN7, Fedir Hladyr, was even sentenced to 10 years of prison in the U.S. He pleaded guilty to charges that included wire fraud and computer hacking. However, the group can be “difficult to pin down”.
Sure, in theory, we would think that we would never do anything as stupid as sticking an unknown USB stick in our own computers. However, studies have shown that we probably would. Researchers dropped about 300 USB drives around the University of Illinois Urbana-Champaign campus. Out of all the dropped drives, a full 48% were picked up, plugged in and explored.
Sending a USB via snail mail also doesn’t normally get in a cyber investigation. The USB method to hack into a device isn’t new, either. In fact, FIN7 reportedly mailed an organisation in the hospitality sector a USB device and a purported Best Buy gift card in February 2020.
If you’re ever sent a suspicious USB out of nowhere, it’s best that you don’t try to stick it into your computer—even if you are a little curious.