The threats of USB-based attacks to critical infrastructure
At a time when the risks of AI-powered and advanced email cyber threats dominate the news agenda, it can be easy to overlook the dangers of some of the age-old attack vectors that are still being exploited by cybercriminals.
Industries that rely on removable media – such as USB drives – require continued vigilance as these devices have the potential to cause harmful and very costly cyber attacks.
The resurgence of USB-based attacks
USB devices are commonly used in a number of core critical national infrastructure (CNI) sectors, such as manufacturing, utilities and healthcare. These industries rely on USB drives to transfer data in environments with limited or no internet access, such as air-gapped systems that isolate critical assets and data from external networks for security purposes.
In operational technology (OT) environments, USB drives are often the only practical way to transfer data between systems that are intentionally kept offline, making them a common tool for software updates or data migration.
This widespread use makes USB drives a prime target for cyber attacks. A prominent example is the Sogu malware, deployed by the hacker group UNC53, which used infected USB drives to infiltrate multiple organizations last year. This campaign targeted industries in countries such as Egypt and Zimbabwe, where USB drives are an integral part of daily business operations.
Recent USB-based attack techniques have become increasingly sophisticated, often bypassing advanced security layers by exploiting the inherent trust between the USB device and the host.
Long-standing techniques such as “Rubber Ducky” keystroke attacks, which silently copy user activity and send information back to the attacker’s host system, are being deployed in new ways. For example, some Human Interface Devices (HIDs), such as mice and keyboards, can have their firmware modified to inject keystrokes to install covert malware.
Leaving infected USB devices where they will be found is a favorite tactic among penetration testers and social engineers who want to trick unwary employees or visiting partners into picking up and inserting one.
SVP International at OPSWAT.
Managing removable media presents several challenges, especially in OT-heavy environments.
USB-based attacks bypass traditional network security, allowing attackers to exfiltrate sensitive data or gain long-term access to systems. These attacks are especially dangerous in isolated systems, where the lack of network connectivity can delay detection and increase attacker dwell time.
This makes them a perfect vector for malware infections, data breaches and unauthorized access. Infected USB drives can easily introduce malicious software into systems that are not regularly monitored, leading to potential data loss or operational disruptions. Without strict device and data controls, USB drives can introduce malware or allow unauthorized access to sensitive systems.
One of the key challenges organizations face in addressing these security risks is that they often lack visibility into which people and devices connect to their systems, or how data is transferred, making policy enforcement more difficult.
It’s not just the security risks of malware that are a problem; the theft or loss of unencrypted data on removable media poses a significant risk, especially in highly secure environments.
How to keep malicious data from USB drives out of the system
Mitigating these risks requires a multi-layered approach to security that combines both technical and policy-based solutions. Real-time monitoring of devices is essential; every USB connected to a system should be scanned for malware and suspicious activity, allowing threats to be detected before they compromise the network.
Data cleaning plays a key role in this process. By cleaning files transferred via USB, organizations can remove hidden malware or malicious content so that only safe data enters their network.
For organizations in the CNI sector, a more robust solution could include air-gapped systems combined with a cybersecurity kiosk that scans and cleans all incoming and outgoing media. Files carrying malicious content are cleaned using Content Disarm and Reconstruction (CDR) techniques and placed in secure, isolated data vaults. Only cleansed and validated data from these vaults is allowed onto the operational technology networks. These systems ensure that any device entering a secure environment is first cleared of potential threats, adding an extra layer of protection.
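As an added illustration of the validation step a kiosk performs before content is released to a data vault, the following Python is example code written for this article and is not OPSWAT's or any vendor's kiosk. It identifies each file by its content (magic bytes) rather than its name, blocks executables outright, rejects files whose extension contradicts their real type, and records a SHA-256 hash for the vault manifest. The file contents, the allowed-type policy and the extension mapping are constructed assumptions; real CDR, which rebuilds a safe copy of a document, is not implemented here.

```python
import hashlib
from dataclasses import dataclass

# Magic-byte prefixes for the content types this example kiosk recognises.
MAGIC = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",   # also the container format of .docx/.xlsx
    b"MZ": "exe",           # Windows PE executable
    b"\x7fELF": "elf",      # Linux executable
}

# Assumed policy: content types that may be released to the OT network,
# and the file extensions each detected type is allowed to carry.
ALLOWED_TYPES = {"pdf", "png", "zip"}
EXT_FOR_TYPE = {"pdf": {".pdf"}, "png": {".png"}, "zip": {".zip", ".docx", ".xlsx"}}


@dataclass
class Verdict:
    name: str
    detected: str
    sha256: str
    accepted: bool
    reason: str


def detect_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage(name: str, data: bytes) -> Verdict:
    """Decide whether one file is eligible for the data vault."""
    kind = detect_type(data)
    digest = hashlib.sha256(data).hexdigest()
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if kind in ("exe", "elf"):
        return Verdict(name, kind, digest, False, "executable content is never admitted")
    if kind not in ALLOWED_TYPES:
        return Verdict(name, kind, digest, False, "content type not on the allowlist")
    if ext not in EXT_FOR_TYPE[kind]:
        return Verdict(name, kind, digest, False,
                       f"extension {ext!r} does not match detected content {kind}")
    return Verdict(name, kind, digest, True, "validated; eligible for the data vault")


def build_vault_manifest(files):
    """Return (manifest of name -> sha256 for accepted files, list of rejected verdicts)."""
    manifest, rejected = {}, []
    for name, data in files:
        verdict = triage(name, data)
        if verdict.accepted:
            manifest[name] = verdict.sha256
        else:
            rejected.append(verdict)
    return manifest, rejected


# Constructed sample batch: contents are short stand-ins, not real documents.
SAMPLE_FILES = [
    ("report.pdf", b"%PDF-1.7\n% constructed document body\n"),
    ("update.pdf", b"MZ\x90\x00constructed PE stub"),      # executable disguised as a PDF
    ("notes.docx", b"PK\x03\x04constructed office container"),
    ("photo.png", b"GIF89aconstructed"),                   # extension lies about the type
    ("firmware.bin", b"\x7fELFconstructed binary"),
]

if __name__ == "__main__":
    manifest, rejected = build_vault_manifest(SAMPLE_FILES)
    for name, digest in manifest.items():
        print(f"VAULT   {name}  sha256={digest[:16]}...")
    for v in rejected:
        print(f"REJECT  {v.name}  ({v.detected}): {v.reason}")
```

The point of the example is the order of checks: content type is established first, executables are refused regardless of name, and only then is the name compared with the content, so a renamed executable never reaches the extension check.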
Access controls and policies are critical
In addition to these technical controls, policies governing the use of removable media are an essential part of a strong defense.
Organizations must implement strict controls over which USB devices are allowed to access critical systems and regulate the types of files that can be transferred to removable media. By restricting access to authorized personnel and approved data, companies can minimize the risk of devices compromising their network. Policies and procedures should require each USB drive to be scanned and its contents cleaned before its data is allowed into the organization. This can be achieved at scale using a dedicated scanning kiosk application.
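The device-control policy described above, and the firmware-modified HID devices mentioned earlier, can both be checked from the host's own attach events. The Python below is an added example for this article, not code from OPSWAT or any product: it parses USB attach messages, matches mass-storage devices against an allowlist of issued drives (vendor ID, product ID and serial), and flags a single device that presents both a storage interface and a keyboard/HID interface. The log lines are constructed in the style of Linux kernel messages, and every vendor, product and serial value in them is invented.

```python
import re
from dataclasses import dataclass, field

# Assumed allowlist of issued drives: (idVendor, idProduct, serial number).
ALLOWLIST = {("0781", "5567", "4C530001234567890123")}

# Patterns in the style of Linux kernel USB messages (constructed samples below).
NEW_DEVICE = re.compile(
    r"usb (\d+-[\d.]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL = re.compile(r"usb (\d+-[\d.]+): SerialNumber: (\S+)")
STORAGE = re.compile(r"usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
HID_INPUT = re.compile(r"input: .* as /devices/.*/usb\d+/(\d+-[\d.]+)/")


@dataclass
class Device:
    port: str
    vendor: str = ""
    product: str = ""
    serial: str = ""
    roles: set = field(default_factory=set)


def parse_events(lines):
    """Group attach events by port so interfaces of one device land together."""
    devices = {}
    for line in lines:
        if m := NEW_DEVICE.search(line):
            devices[m[1]] = Device(m[1], m[2], m[3])
        elif m := SERIAL.search(line):
            devices.setdefault(m[1], Device(m[1])).serial = m[2]
        elif m := STORAGE.search(line):
            devices.setdefault(m[1], Device(m[1])).roles.add("storage")
        elif m := HID_INPUT.search(line):
            devices.setdefault(m[1], Device(m[1])).roles.add("hid")
    return devices


def evaluate(devices):
    """Return port -> list of policy findings for devices that need attention."""
    alerts = {}
    for port, dev in devices.items():
        findings = []
        if "storage" in dev.roles and (dev.vendor, dev.product, dev.serial) not in ALLOWLIST:
            findings.append("mass-storage device not on the issued-drive allowlist")
        if {"storage", "hid"} <= dev.roles:
            findings.append("composite device presents both storage and keyboard/HID interfaces")
        if findings:
            alerts[port] = findings
    return alerts


# Constructed log excerpt: an issued drive, an unknown drive that also
# enumerates a keyboard interface, and an ordinary keyboard.
SAMPLE_LOG = [
    "usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00",
    "usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "usb 1-1: Product: Cruzer Blade",
    "usb 1-1: SerialNumber: 4C530001234567890123",
    "usb-storage 1-1:1.0: USB Mass Storage device detected",
    "usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 2.00",
    "usb 1-2: SerialNumber: 0000000000",
    "usb-storage 1-2:1.0: USB Mass Storage device detected",
    "input: Generic Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:ABCD:1234.0002/input/input7",
    "usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:046D:C31C.0003/input/input8",
]

if __name__ == "__main__":
    for port, findings in evaluate(parse_events(SAMPLE_LOG)).items():
        for finding in findings:
            print(f"port {port}: {finding}")
```

Two design choices matter here. The allowlist keys on the serial number as well as vendor and product IDs, because a drive that is merely the same model as an issued one should not pass. And the composite check is made per port, since a "flash drive" that also registers as an input device is exactly the behaviour a keystroke-injecting device exhibits, and no single log line reveals it on its own.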
Training employees and supply chain partners is also critical. The root cause of USB-based attacks often traces back to human error, such as the use of unsecured or unauthorized devices. Extensive training can help limit these risks. Users should be educated about encryption, the dangers of using unknown USB devices, and best practices for safely ejecting devices to prevent data corruption or malware. In high-risk industries, regular audits of how USB drives are used and how security protocols are followed can further strengthen an organization’s defenses.
Keeping USB drives on the cybersecurity agenda
USB devices remain a significant security threat, especially in industries where they are essential for data transfer. Even organizations that don’t routinely use removable media in their workflows need to be aware of the threat they pose.
A comprehensive approach that combines real-time monitoring, device control and data cleaning with strict access policies and user education will cover all aspects and reduce the chance of falling victim to USB threats.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we profile the best and brightest minds in today’s technology industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, you can read more here: