WASHINGTON – Cybersecurity experts are scratching their heads over the Secret Service investigation into the thumb drive infected with malicious software that was carried by a Chinese citizen arrested at Mar-a-Lago.
A law enforcement source said in an interview that the investigation was conducted according to protocol: A Secret Service agent loaded the drive onto a stand-alone computer that was segregated from government networks and watched as it did what malware is supposed to do — infect files and try to steal information.
But testimony from Secret Service agent Samuel Ivanovich, who described the same testing in a court hearing Monday, sure made it sound like someone goofed.
“Ivanovich . . . testified that when the thumb drive they recovered from [Yujing] Zhang at the club was inserted into another agent’s computer ‘a file immediately began to install itself,’ ” The Washington Post reported. “The agent, Ivanovich said, had never seen that happen before.”
“He knew it was something out of the ordinary,” Ivanovich said of the other agent. “He had to immediately stop his analysis and shut down his computer in order to stop it.”
It’s that final line that had cybersecurity experts worried.
“In a lab, you want that malicious behavior to happen to its full level of badness so you can study how it operates,” Jake Williams, founder of the cybersecurity company Rendition Infosec, told me. “If he yanked the USB drive out to prevent further contamination, that’s highly indicative this wasn’t in a lab.”
Specialized labs for testing malware typically mimic all the things in a regular computer network that malware might manipulate – but they don’t contain any useful information that could be stolen or corrupted. And they’re “air gapped” from the Internet, so there shouldn’t be any concern about the malware spreading somewhere and doing harm.
The Secret Service declined to comment about the disconnect between the agent’s actions and what cybersecurity experts described as standard procedure when investigating malware, citing the ongoing investigation.
Williams, who previously worked for the National Security Agency, said he couldn’t think of a situation in which a trained malware analyst would stop an investigation part of the way through – and he wouldn’t expect someone who wasn’t a trained malware analyst to have access to the proper testing environment.
Cybersecurity experts were quick to pounce on Ivanovich’s testimony — and the seeming error.
“This is international cybersecurity warfare and they just stepped on a land mine,” Joe Hall, chief technologist at the Center for Democracy and Technology think tank, said. “Hopefully that laptop had very little information on it.”
Lesley Carhart, principal threat hunter at the cybersecurity firm Dragos, succinctly summed up the mood of information security experts, tweeting April 8: “I didn’t really expect secret service field officers to have forensics capability, but I did expect a ‘no USB’ policy.”
Cryptography expert and Georgetown University Professor Matt Blaze was intrigued that the malware made itself known so quickly – maybe suggesting it wasn’t very good.
“I wonder how they noticed what it was doing. I’d have thought the set of people careless enough to insert suspect USB sticks into computers yet vigilant enough to notice something subtly amiss would be close to empty. Maybe this was crappy malware that triggered popup alerts?” he tweeted April 8.
Carhart also noted that even highly skilled malware analysts have screwed up and infected things they shouldn’t have. “Half the malware analysts I know have infected their host machine by screwing up VMware USB settings. The other half are liars,” she tweeted April 8.
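The “no USB” policy Carhart expected, and the host infections she describes when a VM’s USB passthrough is misconfigured, both come down to knowing when removable storage actually attaches to a machine. The following script is an added example written for this article, not code from the Secret Service, Dragos or anyone quoted here. It reads Linux kernel log lines, pairs each “New USB device found” record with the later usb-storage driver attachment on the same port, and reports any mass-storage device whose vendor:product pair is not on an allowlist. The log lines, the vendor and product IDs and the allowlist are all constructed for the example.

```python
import re

# Constructed sample kernel log lines, written for this example; the vendor and
# product IDs are made up and do not identify real devices.
SAMPLE_LOG = """\
Apr 08 10:12:01 ws01 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Apr 08 10:12:01 ws01 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Apr 08 10:12:01 ws01 kernel: usb 1-2: Product: Flash Disk
Apr 08 10:12:01 ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Apr 08 10:12:02 ws01 kernel: scsi host6: usb-storage 1-2:1.0
Apr 08 10:13:40 ws01 kernel: usb 1-3: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=64.00
Apr 08 10:13:40 ws01 kernel: usb 1-3: Product: USB Keyboard
Apr 08 10:15:05 ws01 kernel: usb 2-1: New USB device found, idVendor=0001, idProduct=0002, bcdDevice= 1.00
Apr 08 10:15:05 ws01 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of "vendor:product" pairs an organization has approved
# (for instance its own issued, encrypted drives). Everything else is reported.
APPROVED_STORAGE = {"0001:0002"}

# The kernel names each device by its bus port ("1-2", "2-1", "1-3.4", ...).
NEW_DEVICE_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vendor>[0-9a-fA-F]{4}), idProduct=(?P<product>[0-9a-fA-F]{4})"
)
MASS_STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def find_unapproved_storage(log_text, approved=APPROVED_STORAGE):
    """Return one finding per USB mass-storage attachment whose vendor:product
    pair is not in the allowlist.

    The kernel logs the device identity (the 'New USB device found' line)
    before the usb-storage driver binds to the interface, so the function first
    records every device by port and then resolves each mass-storage event
    against that record. Keyboards, mice and other non-storage devices never
    produce a usb-storage line and are therefore ignored.
    """
    devices = {}   # port -> "vendor:product"
    findings = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            devices[m["port"]] = f"{m['vendor'].lower()}:{m['product'].lower()}"
            continue
        m = MASS_STORAGE_RE.search(line)
        if m:
            port = m["port"]
            # A storage attach with no preceding identity line is still reported;
            # it is marked unknown rather than silently dropped.
            ident = devices.get(port, "unknown:unknown")
            if ident not in approved:
                findings.append({"port": port, "device": ident, "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in find_unapproved_storage(SAMPLE_LOG):
        print(f"ALERT unapproved USB mass storage {f['device']} on port {f['port']}")
```

Run against the constructed log, the script flags the flash disk on port 1-2 and stays quiet about the keyboard and the approved drive. This is detection after the fact, which is what an analysis host or a fleet log pipeline can do; an actual “no USB” policy on a machine that handles sensitive data also needs enforcement, such as preventing the operating system from loading its USB mass-storage driver at all, so that an inserted drive never mounts in the first place.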
The arrest has sparked broad concerns about security at Mar-a-Lago, which, unlike previous presidential retreats, is frequented by numerous people beyond the president and his guests.
In addition to the malware-infected thumb drive, Zhang was carrying four cellphones, a laptop and an external hard drive, according to the initial criminal complaint.
“A subsequent search of Zhang’s hotel room turned up more that alarmed investigators: nine thumb drives, five SIM cards for cellphones, about $8,000 in cash, several credit and debit cards, and a device used to detect hidden cameras, officials said,” according to my colleagues Lori and Devlin.
There’s no firm evidence yet that Zhang was working on behalf of the Chinese government or another nation’s intelligence service, but the plethora of digital hardware is enough to give any information security analyst heartburn – especially because Trump has a history of discussing sensitive information in open-air portions of the resort.
Lawmakers are taking notice, too.
Senate Minority Leader Chuck Schumer, N.Y., demanded Monday that Secret Service Director Randolph “Tex” Alles, whose departure was announced Monday, testify before Congress about the incident.
The Secret Service noted in a statement shortly after Zhang’s March 30 arrest that “club management determines which members and guests are granted access to the property” although “this access does not afford an individual proximity to the President or other Secret Service protectees.”