July 27, 2018

Here’s a timely reminder that email isn’t the only vector for phishing attacks: Several U.S. state and local government agencies have reported receiving strange letters via snail mail that include malware-laden compact discs (CDs) apparently sent from China, KrebsOnSecurity has learned.

This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”

Several U.S. state and local government agencies have reported receiving this letter, which includes a malware-laden CD. Images copyright Sarah Barsness.

The MS-ISAC said preliminary analysis of the CDs indicate they contain Mandarin language Microsoft Word (.doc) files, some of which include malicious Visual Basic scripts. So far, State Archives, State Historical Societies, and a State Department of Cultural Affairs have all received letters addressed specifically to them, the MS-ISAC says. It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.

I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.

Nevertheless, attacks like this are a reminder that cybercrime can take many forms. The first of Krebs’s 3 Basic Rules for Online Safety — “If you didn’t go looking for it don’t install it” — applies just as well here: If you didn’t go looking for it, don’t insert it or open it.

40 thoughts on “State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China

  1. Richard

    Targeted attack if so by whom? There’s a lot of forensic information in a mailed physical package. Lets hope someone is going through everything with a fine toothed comb.

  2. The Sunshine State

    I wouldn’t trust anything from Mainland China via the postal service or email (spam)

  3. Gnecht

    State Archives, Historical Societies, and Cultural Affairs… those would not be my first guess of attempted targets. Apparently in someone’s estimation these are high-value or easier victims? Maybe if records from closed-door meetings would be exposed somehow…

    1. DavidK

      Perhaps it was a proof-of-concept attack. Government targets, sure, but low-priority ones that could serve as a sandbox for testing that could go unnoticed for quite some time.

      1. PJJ

        And probably less vigilant about security than a law enforcement or revenue department, which could be the eventual target for which a history society could be used as a springboard. I’m guessing if anyone used the CD, their address would be used in the spearphishing attack against the real target.

    2. JP

      There could be other motives or avenues of revenue other than espionage. The attack goal could be ransomware or crypto mining, ransomware being more likely in this case since crypto mining would require a more stealthy attack vector.

    1. Chester copperpot

      I’ve spoken with them about this. No data breach. Malware only. Recovery should be complete or near complete by now.

  4. JCitizen

    I can’t vouch for recent times, but it used to be common to get malware in driver discs for PC peripherals and such. I caught a real corker once on a printer driver CD, that my solutions couldn’t identify but my UTM appliance detected the network probing this attack was causing. Fortunately uninstalling the driver fixed the problem, and I went to the printer OEM website and downloaded the driver from there. No problems after that, but I sent a scathing email to their support people about who they contract for burning their software. I think some of these companies either have criminals working inside, or let anyone who pays them add these malicious code to there customer’s products. Perhaps many have cleaned up their act since then, because neither I or my clients have reported any in recent times. That may be partly because I always recommend going to the OEM website to get their drivers from now on.

  5. Oof

    You think they would at least spend a little bit of money on a translator.

    1. Jay

      And damn any Americans who go to China to teach English.

  6. silverhe

    Almost seems too obvious. Agree with earlier post… a lot of information for forensics.

  7. brooke

    Since the government has been scanning the to/from of all packages for decades, you would think that they could easily tell anyone who got this that they got it and end this in a heartbeat. All of this spying could be so useful in protecting us but instead…we all have to get together as a community and share info. The gov has it, they could act, seems like a nobrainer.

  8. JimV

    It’s a vast understatement to say that China has a large population with all of the usual standard deviations from norms in human mental and ethical capacity, so it would not be difficult to find and cultivate a few characters to pull off this stunt, or for one such character to undertake it as some brilliant notion on behalf of his (or her) patron.

    I’ve received small packages from China with replacement laptop parts and some other small, lightweight things purchased on eBay, but having worked extensively in many places around China over the past 3 decades I would absolutely avoid giving that CD any opportunity whatsoever to execute its malware outside of a double- or triple-walled sandbox…

  9. Gob Bluth

    To :
    Very Important Governmant Person

  10. Leslie Smyth

    Could be misdirection. I can think of a few actors who’d like to create problems between US and China. Plus there are a ton of Russians living around Harbin.

    1. Don

      Do you think this is how Russia’s intelligence agencies work? You cannot be working for an intelligence service yourself, that much is certain.

  11. Inquiring minds

    Can Brian provide the listed ship from address? I’m wondering if the ship-from address uniform on all of the packages? I’d like to know what the address was listed..

  12. tony

    There are an infinite number of attackers. Stopping them is impossible. Especially when they are outside of United States of America jurisdiction.

    However, there are finite number of United States of America people. Educating them is feasible.

    There are a finite number of computers in United States of America. Securing them is feasible.

    In other words, spend our time and money on things under our control. Don’t waste too much time and money trying to pointing out the bad guys. As soon as you catch them, another pops up. They are infinite.

    Secure your systems. Educate your people.

    1. SkunkWerks

      I don’t agree that the number of attackers is “infinite”. I don’t think it’s any more infinite than the number of potential victims.

      I do think that the ease of email-based phishing campaigns certainly makes it seem that way though- specifically that thousands (or hundreds of thousands) of identical attacks can be shipped out at a ridiculously low cost, and all you really need to hope for is a few weak links.

      I say that even knowing this one came by snail mail. But snail mail doesn’t really raise the cost of an attack like this one all that much (especially not if the change in delivery method brings more of a cast of authenticity), and I feel like most of the same playing field applies here.

      I also agree that educating your users (I like to call it “weaponizing”, myself) remains one of the best solutions. Although it’s also one of the most “logistically” complicated solutions too.

      There, complacency (of the educators, moreso than the users, i.e.: “the common user is just too ignorant to understand the dangers, so why try?”) and reticence/stubbornness are arguably your worst enemies.

      I find it helps to keep in mind that you’re not aiming to get all your users an AS in computer security, you just want to impart enough basic information to them to get them to raise their proverbial hackles under the appropriate circumstances- and then bring their feeling of unease to you.

      Most average users are overwhelmed and give up on understanding very quickly- often because they don’t know where to begin.

      You need to show them where to begin.

  13. Inquiring mind

    Was the ship-from address the same listed for all of the packages? I’d like to know what was listed.

  14. Hans

    How does one get infected with vectorware, simply
    by playing a CD??

    1. Jody Gilbertson

      Joe, I’m still laughing! AOL disks!

    2. Steve

      My first thought as I began to read the story was “Oh no… all those old AOL discs are rising from the dead!”

  15. thoromyr

    The MS-ISAC notice was an alert about “suspicious” envelopes — there was no claim that the CD or documents contained on it were malware laden.

    While I understand the caution of MS-ISAC in sending a timely warning for agencies to be alert, reporting this as malware is premature.

    Further, apparently Krebs was provided with the images so he should be aware that not only does the physical letter appear to be the result of a machine translation, the last line in the letter gives that as a claim. (“This article uses computer translation without manual proofreading.”)

    The whole thing is very suspicious because there is no immediate explanation for it. The targeting is strange. The method is strange. The lack of rationale for sending or receiving the package is strange. Using something as expensive as airmail is strange.

    My two guesses are that:

    1) some moronic bureaucrat did something moronic

    2) someone wants to make china look like bumbling fools

    But with the present information it’s really anyone’s guess. Other than jumping to conclusions that it is malware and an attack on the places to which it was sent. While that may end up being the case we really don’t know that at this time.

    1. Anon404

      “The MS-ISAC said preliminary analysis of the CDs indicate they contain Mandarin language Microsoft Word (.doc) files, some of which include malicious Visual Basic scripts”

      Are you saying that this part of the article is not correct and that MS-ISAC did not make this statement?

      1. Anon302

        This part of the article is correct and MS-ISAC made this statement, but is not true. There are legitimate use cases for marcos. Not all docs with VBA are malicious. But the main point of the alert is correct, don’t put weird Chinese CDs into computers.

        1. Bios

          He didn’t say all of them were. He said some of them were. You’re arguing nothing mate.

  16. John kurzman

    Reminds me of people getting usb’s to transfer files. But really, since plugged into usb, could pretend to be a keyboard or other device type and do who knows what.

  17. Ewan Lynn

    Surely such an attack, using such a method is too obvious. If I were to send malwaretk someone, I’d definitely not leave any trace, much less leave a document written in Chinese with a Chinese postmark. Maybe the attacker expected the security people to check the disc. Maybe it’s a test of a new malware to see if the sandboxing and other security measures applied by the western security agencies are up to the attacker’s new malware.

  18. Old Lady

    I didn’t read anything here that proves anything was nefarious other than the unfounded statement …”malicious Visual Basic scripts”. Define “malicious”! What does the bad script do?

    This hate-on for China by the USA needs to be tested and confirmed before accepting anything the USA claims. Lest we forget, “weapons of mass destruction”, Noriega, Contra Affair, Oliver North, Vietnam, Afghanistan, or any of the 244 USA involved wars since confederation – and we should believe this tale?

    The USA doesn’t need such similar tools the Chinese are alleged to be using because the USA has Facebook!

    The pot is calling the kettle black. It’s just more US double-reversing engineered hate propaganda.

    1. Catwhisperer

      Just to argue the point Old Lady, but I manage two corporate websites, and I get thousands of attacks from Chinese IP addresses per week, which are blocked CDIR /16. These attacks are continuously probing for WordPress weaknesses or open administrative pages. I get them from other countries of origin, but NOTHING like from China. Those of us that actually do IT, specifically things of a security nature, understand very well the nature of our opponent. There is no hate-on for us, just due diligence.

      Have you ever studied Sun Tzu, Old Lady. I would recommend you buy the book, preferably the Thomas Cleary edition, if you can find it. Yes I believe the tale, just like I believe the tale of Russian meddling in the last presidential election. Both operations are right out of the 3300 year old teachings of one of the first instructors in martial philosophy…

    2. Bios

      Deletes your C drive. Emails your passwords to China. Spams your contacts. Downloads and installs a remote access point to your desktop. Records and transmits your keyboard inputs.

      Pretending every state actor isn’t doing this is naive and your conspiracy theories are unconvincing and unfounded.

    3. SkunkWerks

      I think one of the most intellectually-damaging aspects of “whataboutism” is that it tries to suggest things are “unknowable” by virtue of the sheer number of things that might possibly be known.

      We can in fact understand the forest in spite of the trees, of course, but this is a classic human “blind spot”.

      Confounding the matter further by describing in terms of a “hate-on” for a given country/national origin further oversimplifies this topic.

      Those of us who watch these attacks- both on our personal resources, and in news sources like Krebs- have a pretty good idea of the number and nature of these attacks.

      Some of them are almost certainly state actor-type operations attributable to the intent of the country of origin, but I’d say far more of them are due to the regional security profile of the area.

      Classically Asiatic regions sport older, less secure computers, so naturally they sport more (and more practiced) malicious actors- even the freelancing types.

  19. FoxMulledHer

    Three things I know about secret services:

    Bluff, double-bluff and triple-bluff

    Could be incompetent operatives/amateurs
    Could be state actors looking to discredit china
    Could be recon

    As mentioned by others, I’m sure secret services are all over it. We’re assuming this is bad guys trying to get in… could be ‘good guys’ trying to get out. I’d be cryptanalysing the written doc, crytpo/stego on the written doc and e-docs, disk itself – covert channels. Friendly forces?


  20. Robert

    Just when you thought things couldn’t get any more bizarre in the hacking world. I Googled for recent moronic chinese bureaucrat being tried and hung, nothing found.

    Almost sound like something the good folks in some, oh I don’t know, country in Africa might try. Poor idea, poorly worded, dumb dumb dumb but you won’t know what might work until you try it.

    Could have been worse than old AOL cd’s, how ’bout a Barry Manilow singing in Mandarin CD? Now, that, could destroy anyones computer and everyone would pay the ransom to make it stop 😉

  21. Readership1 (previously just Reader)

    China is a major shipper to the US, as part of that huge trade imbalance talked about in current events.

    A byproduct of it all is the fact that packages from China don’t raise alarm bells, even though they’re an enemy of freedom and intellect.

    If only our government would do its constitutionally mandated responsibility, to provide for a common defense, it would stop Chinese junk and *their CD-ROM malware* from reaching us.

    Check this out about cheap shipping from China. It’s disturbing:


  22. John IL

    Worse then those AOL disks I used to get years ago? If your dumb enough to get something like this in the mail and drop it into your PC and open up the files. You deserve whatever malware is on them.

  23. Scotty the Menace

    Please tell me no one fell for the old “launch the files on this unexpected CD from China” trick. My last remaining shred of faith in humanity might crumble.

Comments are closed.