Cyber Incident Victim: Taiwan

Date:

Jan 2014

Location:

Taiwan

Summary

A state-sponsored hacking group known as Tropic Trooper deployed USBferry malware to infiltrate air-gapped military networks by exploiting removable storage devices. The malware self-replicated via USB drives, collected sensitive documents from isolated systems, and exfiltrated data once devices were reconnected to internet-enabled networks. The attackers targeted military hospitals, government agencies, and financial institutions as initial entry points to bridge air-gapped environments, focusing on defense and marine intelligence theft. The campaign demonstrated advanced tactics to bypass physical isolation safeguards, including biometric security and quarantined machines, enabling lateral movement across government networks. The operation highlighted persistent efforts to compromise physically segregated infrastructure through supply chain vulnerabilities.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

The Tropic Trooper cyberespionage group, also known as KeyBoy, conducted a multi-year campaign targeting air-gapped military networks in Taiwan and the Philippines using a custom malware strain called USBferry. According to Trend Micro researchers, who had tracked these operations since 2018, the earliest incidents involving USBferry date back to 2014. The malware was designed to propagate via removable USB storage devices, abusing physical media to bridge isolated networks that were disconnected from the internet. USBferry would initially infect internet-connected systems with weaker security protections, then lie dormant until a USB device was inserted. It would then copy itself onto the removable drive and await transportation to other networked devices, including those within physically segregated environments. Once inside air-gapped networks, the malware harvested sensitive documents stored on infected USB devices and waited for the drive to be reconnected to an internet-enabled system. At that point, it exfiltrated the stolen data, primarily defense and marine-related intelligence, to command-and-control servers operated by the attackers.

Tropic Trooper deliberately targeted peripheral organizations like military hospitals, national banks, and government institutions as initial access points, recognizing that core military or government agencies often implemented stricter USB usage policies such as biometric authentication, secure USB protocols, or quarantine procedures. This strategy allowed the group to pivot from compromised third-party networks into adjacent air-gapped military systems. Trend Micro documented one instance where attackers successfully moved from a Taiwanese military hospital to the military’s isolated network. The campaign focused on Taiwanese and Philippine military, navy, and associated government entities, with recent attacks specifically targeting their physically isolated environments. While Trend Micro’s 36-page technical report detailed USBferry’s capabilities and provided indicators of compromise, the article did not specify remediation actions taken by victim organizations. The disclosure formed part of a broader trend of state-sponsored groups developing air-gap-jumping malware, coinciding with separate reports on the Ramsay and COMpfun strains by ESET and Kaspersky, respectively.

Sources
Sources available to members
1 source