Chinese Espionage Group UNC53 Revives Thumb Drive-Based Hacking, Infects Dozens of Networks

A China-linked hacker group known as UNC53 has exploited the continued use of USB drives in global organizations, targeting at least 29 entities worldwide over the past year.

These attacks have primarily targeted multinational organizations with operations in developing countries, particularly in Africa. The group’s malware, known as Sogu, spreads via USB drives, infecting computers and sweeping up data indiscriminately. This method is a revival of thumb drive-based hacking, which had largely been replaced by more modern techniques such as phishing and the exploitation of software vulnerabilities.

The campaign has affected various sectors, including government agencies, and is believed to cast a wide net for espionage purposes, with a focus on Africa due to China’s strategic interests in the region. UNC53 appears to sort through the resulting victims for specific high-value targets, and it likely has significant human resources available to analyze stolen data for useful intelligence.

The malware uses a number of techniques to infect machines and steal data from them, including systems air-gapped from the internet, and it spreads via USB drives. This USB-based espionage approach is reminiscent of earlier malware such as Flame and Agent.btz.