‘Tick’ espionage group is likely trying to hop air gaps, researchers say

New research shows that a cyber espionage group has targeted USB drives in a likely effort to infect “air gapped” systems cut off from the internet.

A cyber espionage group known for attacking organizations in Japan and South Korea has targeted USB drives in a likely effort to infect “air gapped” systems, according to new research.

The so-called Tick hacking group has gone after a specific type of USB drive made by an unnamed South Korean defense company, said researchers with cybersecurity company Palo Alto Networks.

The newly revealed malware isn’t part of an active campaign and was likely used in attacks years ago, according to the researchers. Nonetheless, the apparent effort to infiltrate air-gapped systems speaks to the lengths to which advanced hackers will go to reach sensitive infrastructure.

Whereas other malware used by Tick requires an internet connection to reach a command-and-control server, the group’s “SymonLoader” malware needs no such connectivity, according to the researchers. Instead, the malware tries to extract a hidden payload from a plugged-in USB drive – a technique that is “uncommon and hardly reported among other attacks in the wild,” they wrote.

The malware only tries to compromise systems running Microsoft Windows XP or Windows Server 2003, suggesting “an intentional targeting of older, out-of-support versions of Microsoft Windows installed on systems with no internet connectivity,” the researchers added.

The myth that an air gap is a panacea against hacking was punctured by the developers of Stuxnet, the computer worm that destroyed an estimated 1,000 centrifuges at an Iranian enrichment facility beginning in 2009. Air-gapping is now recognized as an important but potentially insufficient measure for protecting sensitive assets from advanced hackers.

The research advisory raises questions about how the Tick attack unfolded. Without access to the compromised USB drive and the malicious file likely planted on it, the researchers weren’t able to completely reconstruct the attack. They did, however, have “more than enough information” to conclude that the activity they found is very likely malicious.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.