Russia spied on G20 leaders with USB sticks given as gifts..why didn't we think of that?

Not to be left out in the cold as far as who can be the best spy, it seems the Telegraph in the UK has released a story about how Russia 'gifted' USB flash drives that were then used to spy on the recipients. They even went so far as to giving charging cables that were also used to garner information from cell phones if used.

Now, this would be a rookie mistake to use this as a diplomat as pointed out in the article so is this a planted story from the West to draw attention away from the NSA and the POTUS spying nightmare from our friends across the water or was this deliberately done?

Link

Russia spied on foreign powers at last month’s G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops, it was claimed today.
The devices were given to foreign delegates, including heads of state, at the summit near St Petersburg, according to reports in two Italian newspapers, La Stampa and Corriere della Sera.
Downing Street said David Cameron was not given one of the USB sticks said to have contained a Trojan horse programme, but did not rule out the possibility that officials in the British delegation had received them.
The Prime Minister's official spokesman said: "My understanding is that the Prime Minister didn't receive a USB drive because I think they were a gift for delegates, not for leaders."
Asked if Downing Street staff were given the USBs, he said: "I believe they were part of the gifts for delegates."

If Russia did do this at the G20 summit you have to admire them for the trick.Russia is denying that this occurred...

Dmitry Peskov, Vladimir Putin's spokesman, flatly denied the allegations, describing the Italian stories as a poorly disguised effort to divert attention from reports of US intelligence services spying on Angela Merkel and other European allies.
"These are really funny reports, actually. First of all they have no sources. It is a bold attempt to switch attention from very real problems existing between European capitals and Washington. It is a classic example of that," he told the Telegraph on Tuesday.

Well, I guess if Downing Street is simply clarifying who may have gotten them vs. who didn't? They pretty well confirmed it happened. At least that USB's were given out? Clever I suppose. If people will fall for it, I suppose it's hard to fault the Russians for exploiting it. Heck, that took guts to do, but then, that's probably why it would work, too. Who'd think they'd really do it? lol...

Oh the games of international spying. Such entertainment to watch once in awhile.

reply to post by matafuchs


Yeah...as always, its just another diversionary tactic. The NSA has been caught with their pants down, over and over...this is just a way to distract from all that.

Though, I have to be honest...even if it were true, nobody would really care about G20 being spied on.

matafuchs
how Russia 'gifted' USB flash drives that were then used to spy on the recipients.

Now, this would be a rookie mistake to use this

Very much an idiot mistake to use a USB drive that you cant be sure hasnt been tampered with.
In the old days the "bad guys" would leave floppy disks lying around for the suspect idiot to pick up and use, but USB drives are even easier to make into a weapon for breaking security.

I recall reading a few years ago how a company asked for an external consultant to attempt to break into their network. A few USB drives lying about in the carpark where the smokers hung out was all that was needed. The company employees picked them up, plugged them back at their desks, and security was cracked wide open.

Falling for the oldest trick in the book.

Here is another random example:

So the attacker went into the cafeteria and ate, but he also did what he called "USB key drops". That means, he dropped USB sticks with names like ’Payroll’ or ’Strategy 2009 ’ throughout the entire cafeteria. The USBs had rootkits on them and many contained an autorun rootkit...

I doubt the recipients would have been that stupid. They probably politely accepted them and then just never used them or chucked them away.

alfa1

matafuchs
how Russia 'gifted' USB flash drives that were then used to spy on the recipients.

Now, this would be a rookie mistake to use this

Very much an idiot mistake to use a USB drive that you cant be sure hasnt been tampered with.
In the old days the "bad guys" would leave floppy disks lying around for the suspect idiot to pick up and use, but USB drives are even easier to make into a weapon for breaking security.

I recall reading a few years ago how a company asked for an external consultant to attempt to break into their network. A few USB drives lying about in the carpark where the smokers hung out was all that was needed. The company employees picked them up, plugged them back at their desks, and security was cracked wide open.

Falling for the oldest trick in the book.

Here is another random example:

So the attacker went into the cafeteria and ate, but he also did what he called "USB key drops". That means, he dropped USB sticks with names like ’Payroll’ or ’Strategy 2009 ’ throughout the entire cafeteria. The USBs had rootkits on them and many contained an autorun rootkit...

edit on 30-10-2013 by alfa1 because: (no reason given)

LOL....funny you mention that and not sure if you read it from me here on ATS or about the company I worked for at the time...ISS.

We were hired to check information security for a company (very large and un-named for NDA purposes). I took a page out of the book from a well known hacker from early computing days who left floppy disks in the bathroom of different businesses with the words "company salaries" written on the label....who in a company doesn't want to know what others make. They put it in, run the file and voila, backdoor opens up.

We did the EXACT same thing on a USB stick with a file labeled HR - salary report on the drive (backdoor with fake report) and dumped 50 of them in the parking lot outside the building. 43 of them were opened on office PC's. It will amaze people how easily IT security can be duped....it is called the human factor. This was back in 2007 when we ran the test, but can't remember when I posted about it here.

Kryyptyk
reply to post by matafuchs

 

Yeah...as always, its just another diversionary tactic. The NSA has been caught with their pants down, over and over...this is just a way to distract from all that.

Though, I have to be honest...even if it were true, nobody would really care about G20 being spied on.

By the same token, the NSA scandal shouldnt distract from the spying others do and the tricks they pull, like the Europeans saying they dont spy on their own citizens and then the Germans asking the british to hand over data they collected on Germans and vice versa.

alfa1
Very much an idiot mistake to use a USB drive that you cant be sure hasnt been tampered with.
In the old days the "bad guys" would leave floppy disks lying around for the suspect idiot to pick up and use, but USB drives are even easier to make into a weapon for breaking security.

It is common practice to use gifts for spying. The famous Trojan horse is one of the oldest example for using this technique

Today it is much easier to do such attacks as 99% out there don't know what is possible with todays hardware. Have you ever played around with the firmware of your printer, router or switch? Most people even don't know that the printers or routers firmware can easily be flashed with another version.

You just have to buy a common router, upload a 'better' firmware to it that looks/feels the same as the original and sell the device on ..Bay for a low price. You will have a good change that the buyer don't check the firmware and flash it with the current firmware from the manufacturer. If they are just happy to get a new device for a low price you have a backdoor in that router or whatever you programmed into that new firmware

So never use a gift or something bought from such a place without checking it. And always check the firmware and even if it is current flash a firmware downloaded from the manufacturers site to be sure there isn't hiding a spy in your device.

reply to post by Kram09


The smart thing to do would have been to hand the usb stick to a friendly it expert, discover their spyware immediately and then find a way to use their usb trickery to feed them false information.

reply to post by Wrabbit2000


I don't think it was particularly clever. It just illustrates the lack to tech savvy amongst G20 leaders and their minions. You should always check these gifts for malware and I am suprised the intelligence services of the other 19 nations allowed leaders to use these drives and plug them into their laptops.

Meanwhile MI5 set up an "Internet Cafe" at a recent G8 meeting in the UK. You can guess why.

reply to post by matafuchs


yeah right.
thats the oldest trick in the book.
IT Security companies made folks aware of this years ago.

a Chinese agency I believed dressed up a handful of people in volunteer / donation collector uniforms and put them in the carpark of a corporate entity in the morning before 9am.

idea being, who ever donated to x charity received a free thumb drive.

many people gave, many people received and many people plugged them in at their desk only minutes later.

oldest trick in the book. I doubt they fell for it.

Attachment to any .MIL network or a .MIL machines ports (especially USB) with other than authorized hardware is immediately detected and you will quickly have visitors.

Been like this for years. They know.

Agit8dChop
reply to post by matafuchs

 

oldest trick in the book. I doubt they fell for it.

People still fall for it.

I work for one of the major call centers in the US. (Name withheld, as posting about company events without permission is cause of for termination.)

As part of my job at said call center, I did customer support for one of the major mobile credit card processors. As such, I had access to tens of thousands of credit card numbers, expiration dates, addresses, SS numbers, credit reports, etc. Basically an identity thief's wet dream. As such, our security was tight. Fingerprint scanners, clean desk policy, electronic devices forbidden in the building, cell phone jammers. Hell, we couldn't even have writing utensils and paper, nor could we send or receive email, and have to take a two week security training course about this type of thing.

Early on into the program, the company who we were handling calls for brought in some of their security specialists to test our security, to make sure it was up to snuff. We passed all of their tests with flying colors. All except the last test. One of their people left a couple of flash drives in the parking lot, and in nearby stores. Someone actually picked one up and plugged it into their workstation. This was back in January. Cost him his job, and nearly cost my company a multimillion dollar contract.

Long story short, it still happens, and by people who should know better.