March 20, this year, was a usual Monday for Ecuadorian journalist Lenin Artieda. But it wouldn’t stay normal for long. He received a small USB drive in a package that was addressed to him. Without thinking twice, he unpacked and plugged the drive into his computer. The device exploded, injuring the journalist. The incident led Ecuadorian authorities to open a terrorism investigation. This was not an isolated incident, as at least five similar envelopes were sent to media houses in Ecuador around the same time.

As the digital and physical worlds rapidly converge, these unsettling incidents of explosive USB drives targeting journalists in Ecuador have opened a new horizon in the global threat landscape: phygital attacks.

“A phygital attack occurs when a device, such as a USB stick or micro-computer, is used to launch a cyberattack and utilises a physical point of entry. In this instance, a digital device was used to conceal a physical threat, but just as easily, it could have been the source of a cyberattack,” explains Will Plummer, a 25-year veteran of the US Army who is currently the Chief Security Officer for next-generation mail screening technology provider RaySecur. During his stint in the US Army, Plummer was awarded the Bronze Star with Valor as a Master Explosive Ordnance Disposal (EOD) Technician, and he commanded multiple Special Operations units with several combat deployments.

Why such threats are on the rise

Plummer says that as the world continues to transition to digital platforms, everyone becomes increasingly vulnerable to such “phygital threats”. “We have observed an increase in threats during times of significant political tension.” He points out that in the US, Dr Anthony Fauci received a white powder threat on his desk during the pandemic, and corporations like Bud Light, Disney, and Facebook have been targeted due to their political stances, involvement in controversies, or in the wake of massive layoffs.
“Letter bombs are a well-recognised and long-used method for malicious actors to spread fear, disruption, and harm. Yet, these were unusual in that they were disguised as seemingly harmless USB drives,” he says, adding that whenever a new attack vector or method is publicised, those bearing a grudge see a fresh avenue to act upon it.

Plummer recommends that organisations begin by securing the back door. “They’re already protecting the front door with security cameras and personnel, but the mailroom, metaphorically referred to as the ‘back door’, is often overlooked or poorly managed,” he says, adding that companies should start by screening all mail or packages entering the organisation, using standard screening guidelines such as those suggested by the United States Postal Service or the United Kingdom’s PAS:97-2021 standards.

“Additionally, avoid letting mail linger in the mailroom. If your mail is situated anywhere near your servers and a phygital hacking device is concealed in one of those packages, it could collect vast amounts of information over your Wi-Fi network before you even know it’s present,” he explains, underlining the need to process mail promptly.

The need for thorough vetting

“Moreover, manually inspecting every piece of mail places employees and staff at a significant risk of exposure to potentially dangerous substances or even bomb threats. Instead, consider implementing a T-ray scanner. Unlike X-ray machines, T-ray scanners don’t require advanced training, certifications, or operating licenses. These scanners can be as small as a desktop printer, they’re easy to use, and they enable screeners to see a live video of the contents of packages and envelopes. This can help detect even tiny amounts of liquids and powders (300x more sensitive than static 2D X-ray images) or electronics such as a USB drive, without opening the mail or putting anyone at risk.”

“Data security is at the greatest risk,” reminds Plummer.
“If a phygital device sits in your mailroom for weeks or even months and it gains access to your network, there’s no telling how much information it could collect. Even if you subsequently return the package to the sender due to an incorrect address, the sender could potentially exploit that information for malicious purposes.”

Plus, there is the threat of ransomware attacks. “If the device gains access to your network or someone inadvertently installs ransomware on your servers by plugging in a USB, you could find a significant amount of your proprietary information suddenly encrypted and inaccessible. You would then either have to pay to regain access to your data, or accept the data loss and the resultant disruption,” he adds. In India, 73 per cent of organisations reported ransomware attacks in 2022, and approximately half of these had to make substantial payouts averaging over $7 million to retrieve their data.

The five pillars of mail screening strategy

Plummer suggests a five-pillar mail screening strategy. “The first is people. Analyse your current internal security team and the tools you have in-house, then figure out how to supplement that team with the right external support resources. The next pillar is standardised procedures. Develop systematic and scalable processes and procedures for your entire organisation to follow in the event that screeners discover a potential threat. Thirdly, educate your employees to reinforce and execute those incident response plans, updating your training as necessary when there are changes in the threat landscape. Fourthly, gain access to advanced screening technologies that are simple and easy to use and can detect all the substances you might encounter in the mailroom.
Lastly, develop an emergency response plan to deal with the worst-case scenarios.”

As for staying ahead of emerging threats, the first step is to perform a comprehensive risk assessment to understand what types of threats could pose the biggest problem for your organisation. “This assessment forms the baseline for your enterprise-wide mail security strategy. One of the easiest measures to take is to remain vigilant and always aware. Monitor not only the mail coming into your organisation but also current global events.”

RaySecur provides end-to-end solutions for mail security challenges, incorporating technology, training, and 24x365 image interpretation and threat verification. “We also assist companies in developing standard operating procedures, tailored to their current security needs and structure. Our technology provides a new level of efficiency without compromising the safety of screeners. Screeners can view inside packages using 3D video, easily detecting shifting powders and liquids or suspicious electronics.”