Cyber Incident Victim: Armed Forces of the Philippines
Date: May 2020
Location: Philippines
Summary
A cyberespionage group known as Tropic Trooper deployed USBferry malware to compromise air-gapped military networks by exploiting removable storage devices. The malware self-replicated across USB drives to infiltrate physically isolated systems, exfiltrating sensitive documents when devices returned to internet-connected environments. The attackers initially targeted peripheral organizations like military hospitals and government agencies as entry points to bridge security gaps, ultimately accessing the Philippine and Taiwanese militaries' secured networks. The operation aimed to steal defense and marine-related intelligence, leveraging long-standing tactics to bypass protections such as biometric authentication and USB quarantine protocols. This incident reflects a broader trend of state-sponsored actors developing advanced capabilities to breach isolated infrastructure.
Description
The incident involved a cyberespionage campaign by the threat actor Tropic Trooper (also known as KeyBoy) targeting the air-gapped networks of the Philippine and Taiwanese militaries, among other entities. Trend Micro disclosed the attacks on May 15, 2020, though activity involving the USBferry malware had been tracked since 2018, with evidence linking initial deployments to 2014. The attackers used USBferry, a self-replicating malware designed to propagate via removable USB storage devices. The malware would first infect internet-connected systems with weaker security protocols, then lie dormant until a USB device was inserted. Upon detecting a USB connection, USBferry would copy itself onto the device and await transportation to isolated networks. Once inside air-gapped environments—physically segregated from the internet—the malware harvested sensitive documents stored on infected USB drives. It then remained inactive until the USB device was reconnected to an internet-enabled system, at which point it exfiltrated stolen data to Tropic Trooper’s command-and-control servers.

Tropic Trooper specifically targeted military and naval agencies, government institutions, national banks, and military hospitals in Taiwan and the Philippines, focusing on stealing defense and marine-related intelligence. The group deliberately selected peripheral organizations like military hospitals as initial entry points, recognizing these might have less stringent protections than core military networks. Trend Micro documented one instance where attackers successfully pivoted from a compromised military hospital network to the military’s isolated infrastructure. The campaign exploited trust in USB-based data transfers, bypassing security measures such as biometric authentication, secure USB protocols, or quarantine procedures for external devices. While the full scope of data exfiltrated from Philippine military networks was not publicly quantified, the breach demonstrated a persistent effort to circumvent air-gap defenses. Trend Micro published technical indicators of compromise and a detailed analysis of USBferry’s capabilities but did not report specific containment or remediation actions taken by the affected militaries. The disclosure coincided with similar findings by ESET (Ramsay malware) and Kaspersky (COMpfun), highlighting a broader trend of state-sponsored actors developing tools to infiltrate isolated networks.
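The description above names quarantine procedures for external devices as one of the controls that USB-carried malware is designed to slip past. The script below is an added example written for this page, not code from the page, from Trend Micro, or from any affected organization. It shows the kind of check a document-transfer station on the air-gapped side can run over a mounted removable volume before any file is allowed in: it flags executable extensions, an `autorun.inf`, document names that mask an executable extension, hidden path components, and files whose content begins with a PE (`MZ`) header despite a non-executable extension. The mount path, the file names, and the file contents are all constructed for the example; the extension lists are a reasonable starting policy, not a standard.

```python
import tempfile
from pathlib import Path

# Extensions that carry code. A document hand-off between networks should not need them.
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}
# Extensions a benign document transfer is expected to contain.
DOC_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def classify(path: Path, root: Path) -> list[str]:
    """Return the reasons a single file should block the transfer (empty list means clean)."""
    reasons = []
    rel_parts = path.relative_to(root).parts
    suffixes = [s.lower() for s in path.suffixes]

    if path.name.lower() == "autorun.inf":
        reasons.append("autorun.inf")
    if suffixes and suffixes[-1] in EXEC_SUFFIXES:
        reasons.append("executable extension")
    # "report.docx.exe": a document name with a trailing executable extension.
    if len(suffixes) >= 2 and suffixes[-2] in DOC_SUFFIXES and suffixes[-1] in EXEC_SUFFIXES:
        reasons.append("document name masking executable")
    # Anything under a dot-prefixed directory or with a dot-prefixed name is hidden on most systems.
    if any(part.startswith(".") for part in rel_parts):
        reasons.append("hidden path")
    # Content check: a PE image renamed to look like data still starts with "MZ".
    with path.open("rb") as fh:
        magic = fh.read(2)
    if magic == b"MZ" and (not suffixes or suffixes[-1] not in EXEC_SUFFIXES):
        reasons.append("PE header with non-executable extension")
    return reasons


def scan_volume(mount_point) -> dict[str, list[str]]:
    """Walk a mounted volume and return {relative_path: reasons} for every flagged file."""
    root = Path(mount_point)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reasons = classify(path, root)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_volume(root: Path) -> None:
    """Create a constructed sample volume: two benign documents and three files that should be blocked."""
    (root / "minutes.docx").write_bytes(b"PK\x03\x04 constructed docx placeholder")
    (root / "readme.txt").write_text("constructed plain text note\n")
    (root / "report.docx.exe").write_bytes(b"MZ\x90\x00 constructed PE placeholder")
    (root / "autorun.inf").write_text("[autorun]\nopen=report.docx.exe\n")
    (root / ".cache").mkdir()
    (root / ".cache" / "loader.dat").write_bytes(b"MZ\x90\x00 constructed PE placeholder")


def demo() -> dict[str, list[str]]:
    """Build the constructed volume in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="usb_quarantine_"))
    build_sample_volume(root)
    return scan_volume(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"BLOCK {rel}: {', '.join(reasons)}")
```

In practice the check runs on the transfer station rather than on the destination host, and a flagged volume is rejected as a whole rather than cleaned file by file, since the benign-looking documents on it may be the lure. Extension and magic-byte checks are a floor, not a ceiling: they catch renamed binaries and autorun hooks but not a document that carries its payload internally, which is why the station should also strip macros or convert documents to a non-executable format.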
