Cyber Incident Victim: Taipei
Date: Jan 2014
Location: Taiwan
Summary
A state-sponsored hacking group known as Tropic Trooper deployed USBferry malware to infiltrate air-gapped military networks by exploiting removable USB devices, targeting Taiwanese and Philippine defense entities alongside government institutions, banks, and hospitals. The malware self-replicated across USB storage to traverse isolated environments, exfiltrating sensitive documents when devices reconnected to internet-accessible systems. Attackers strategically compromised peripheral organizations like military hospitals as initial footholds to bypass physical isolation safeguards, enabling lateral movement into secured networks. The campaign focused on stealing defense and marine-related intelligence, demonstrating advanced capabilities to bridge air gaps through compromised supply chains and trusted intermediary systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Tropic Trooper hacking group, also known as KeyBoy, conducted a campaign targeting air-gapped military networks in Taiwan and the Philippines using a malware strain called USBferry. According to Trend Micro, which tracked these attacks from at least 2018, the malware was designed to self-replicate onto removable USB devices like thumb drives and portable storage systems.

The infection process began when USBferry compromised a system with weaker security protections, then lay dormant until a USB device was connected. Upon infecting the USB device, the malware waited to be transported to other segments of the victim’s internal network, particularly targeting physically isolated environments disconnected from the internet. Once inside air-gapped networks, USBferry collected sensitive documents stored on the USB device’s internal storage. The malware remained inactive until the infected USB device was reconnected to an internet-enabled system, at which point it exfiltrated the stolen data to Tropic Trooper’s command-and-control servers.

Historical analysis traced the earliest USBferry deployments to 2014, with the group consistently focusing on stealing defense and marine-related intelligence from Taiwanese and Philippine entities. Primary targets included military and naval agencies, government institutions, national banks, and military hospitals. Tropic Trooper deliberately selected these organizations as initial entry points, exploiting their connectivity to higher-security networks. For example, Trend Micro documented one incident where attackers moved from a compromised military hospital to the military’s isolated network, bypassing protections like biometric authentication, secure USB protocols, or quarantine machines designed to screen removable media.

Trend Micro’s May 2020 report highlighted that recent USBferry activity concentrated specifically on breaching the Taiwanese and Philippine militaries’ air-gapped systems. The group’s operational strategy acknowledged that core military or government agencies often implemented stringent physical isolation measures, leading them to pivot through peripheral organizations with fewer safeguards. USBferry’s capabilities were detailed in a 36-page technical report that included indicators of compromise, aiding detection efforts. This disclosure marked the third report in a single week describing state-sponsored malware capable of crossing air gaps, alongside ESET’s analysis of the Ramsay malware and Kaspersky’s findings on COMpfun. Collectively, these reports demonstrated a growing emphasis among nation-state actors on developing tools to infiltrate isolated networks. Tropic Trooper’s sustained operations underscored the persistent threat to critical infrastructure reliant on physical segmentation for security, with compromised USB devices serving as clandestine conduits for data theft and lateral movement within restricted environments.
