
Cyber Incident Victim: United States Military

Date: Jun 2023

Location: United States of America

Summary

Service members of the U.S. Military received unsolicited smartwatches through the mail. These devices were found to automatically connect to Wi-Fi and mobile phones, potentially granting senders access to sensitive user data including banking credentials, contacts, and account information. The smartwatches may also contain malware designed to access cameras and microphones for surveillance, or could be part of a brushing scam to post fake positive reviews using the recipient's identity.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Service members across the United States military began reporting an incident on or around June 15, 2023, involving the unsolicited receipt of smartwatches through the mail. These packages arrived without any prior order or request from the personnel who received them, marking them as unexpected and potentially suspicious deliveries. The devices themselves, upon being activated or used, exhibited unusual and automated behaviors that immediately raised security concerns. Specifically, the smartwatches were observed to auto-connect to available Wi-Fi networks without user intervention. Following this network connection, the devices then began initiating connections to cell phones that were in proximity, also without any prompt or pairing request from the user. This autonomous action allowed the devices to establish a link with the mobile phones, thereby gaining access to a wide array of personal data stored on those devices.


The primary concern identified by authorities was the potential for these smartwatches to contain malicious software, or malware. This malware, if present, was designed to grant the sender or a remote actor access to the saved data on the connected devices. The scope of data that could be compromised was extensive, including sensitive personal and financial information. Specifically, the malware threatened to access banking information, contact lists, and various account credentials such as usernames and passwords. Beyond data theft, the malware possessed capabilities that posed a more invasive threat. It was assessed that the malicious code could potentially access the microphone and camera functions of the connected devices. This functionality would enable remote actors to monitor conversations and activities, effectively conducting surveillance on the service member and gaining access to any online accounts linked to or accessible through the smartwatch or the phone it connected to.

An additional motive behind the distribution of these devices was identified as a practice known as Brushing. This scheme involves companies, often selling counterfeit goods, mailing unsolicited products to individuals. The sender then uses the recipient's name and address to post a fraudulent positive review of the product, creating a false appearance of legitimacy and popularity to compete with established brands in online marketplaces. While this practice is primarily a form of review fraud, its use in this context provided a potential cover for the more malicious cyber activities, as the arrival of an unexpected package could be mistakenly attributed to a simple shipping error or a marketing scam rather than a targeted threat.

The incident impacted a broad segment of the military community, with reports coming from service members across various branches. The method of distribution via the postal service indicated the actors behind the campaign had access to military addresses, though the specific means by which these addresses were obtained was not detailed in the initial reporting. The potential consequences of a compromised device were significant, ranging from financial fraud and identity theft against the individual service member to the possible exfiltration of sensitive or classified information if the device was used in a secure environment or connected to a phone containing such data. The ability to activate microphones and cameras also raised grave operational security concerns, threatening to expose private conversations and activities within military facilities or homes.

In response to these reports, the U.S. Army Criminal Investigation Division (CID) issued a formal lookout and advisory on June 15, 2023, to inform and warn the military community. The advisory provided clear and direct guidance on the actions required upon receipt of such a device. The primary instruction was a directive not to turn the device on under any circumstances, as activation triggered the automatic connection and data access processes. Service members were instructed to report the incident immediately through designated security channels. The prescribed reporting avenues included contacting their local counterintelligence office, their unit security manager, or by using the official CID "Submit a Tip - Report a Crime" online portal. This coordinated response aimed to contain the threat by preventing the activation of the devices and ensuring that security professionals could collect and analyze the items to understand the full scope of the threat and identify the actors responsible. The distribution of these unsolicited smartwatches represented a direct attempt to compromise the personal devices and data of U.S. military personnel through a deceptive physical delivery method, leveraging curiosity or confusion to induce the target to activate a malicious tool.

Sources: 1 source (available to members)