As many as 54 USB sticks awarded to cyber security quiz winners by the Taiwanese government were found to contain a malware used to steal personal data from computers.
Taiwan's national police agency said that the malware was injected into 54 USB sticks by an employee who merely wanted to test their storage capacity.
The affected USB sticks were among 250 such sticks awarded by the government to cyber security quiz winners who participated in a programme hosted to highlight the government's cyber security initiatives.
Following the discovery that 54 USB sticks awarded to participants were laden with malware, the Taiwanese national police agency apologised for the error and said that the malware was injected to affected devices by an employee who merely wanted to test their storage capacity.
The government is now contacting the participants in order to recover compromised USB sticks and has so far been able to recover 20 of them. The malware in question is known as XtbSeDuA.exe and was used by cyber criminals in 2015 to steal personal data from 32-bit computers and to transfer such data to an IP address located in Poland.
In the same year, Europol managed to bust criminals behind the operation and systems belonging to the hackers were confiscated. As such, the malware is no longer in use and is not powerful enough to infect 64-bit computers or to evade modern anti-malware software.
'How ironic that successful respondents to a cybersecurity quiz are rewarded with malware by the hosting organisation. This brings the need to secure the supply chain as part of a cyber security strategy into sharp focus,' says Jon Fielding, Managing Director for EMEA at Apricorn.
'Not only that, but specifically for USB connected computer peripherals such as the devices here, organisations must ensure those devices are also securely coded and can’t be corrupted or have their firmware altered to launch cyberattacks, whether it be deliberate or not,' he adds.
A number of security researchers have, over the years, alleged that various forms of computing hardware have been injected with malware by Chinese manufacturers to track individual users and to collect their personal data.
Recently, a leaked memo from the Los Angeles office of the Immigration and Customs Enforcement bureau revealed that Chinese drone manufacturer DJI, a leading manufacturer and seller of private drones in the UK and the United States, was 'providing US critical infrastructure and law enforcement data to the Chinese government'.
It added that DJI drones were also used to monitor “proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction”. Once such data was collected, it was uploaded to a cloud server to which the Chinese government most likely had access.
Even though the USB sticks were manufactured in China, they were infected with malware by an employee of the Taiwanese government, thereby indicating that cyber espionage was not in play in this case. However, like Fielding says, buyers and cyber security agencies must ensure that devices imported from other countries do not contain corruptible software or feature firmware that can be remotely altered.