It turns out that Yujing Zhang, the Chinese woman arrested when she tried to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, Florida, on 30 March, had a number of suspicious devices in her hotel room – as in, tools good for inflicting malware and spying, and more than $8,000 in cash, all suggesting that she was here for espionage.
As it was, she was carrying four cellphones, a thumb drive containing malware, and other electronics when she breached security at President Trump’s private Florida club. In getting past multiple security checkpoints, she first told US Secret Service agents that she was bound for the hotel’s pool.
Then, supposedly confused by a language barrier that came and went as Zhang used and then apparently forgot competent, nuanced English, Mar-a-Lago staff thought she might be the daughter of a club member with the same last name – one that’s common in China. Next, Zhang told Secret Service agents that she was headed for some kind of United Nations Chinese American Association event that night… or, as she said in her next version, a “United Nations Friendship Event” between the US and China.
As the Miami Herald reports, during a bond hearing in a Florida federal court on Monday, federal prosecutor Rolando Garcia said that a search of Zhang’s room yielded still more gadgetry: a “signal-detector” device used to reveal hidden cameras, USD $7,500 in $100 bills, $663 in Chinese currency, nine USB drives, five SIM cards and other electronics.
…and no swimsuit.
CNN quoted Garcia during the hearing, which was held to determine whether Zhang would be released on bail:
She lies to everyone she encounters.
Zhang was charged with two counts: making false statements to federal authorities and a misdemeanor offense of entering a restricted area without authorization. She hasn’t been charged with offenses that could be associated with international spying, but an FBI counterintelligence squad is investigating the incident as part of a broader investigation into Chinese espionage, and prosecutors are treating Zhang’s case as a national security matter, sources told the Miami Herald.
Malware-containing thumb drive
At Monday’s hearing, Secret Service agent Samuel Ivanovich – who interviewed Zhang on the day of her arrest – testified that when a Secret Service agent plugged Zhang’s USB drive into his personal computer, it immediately began to run a program. From the Miami Herald:
[Ivanovich] stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said.
Ivanovich said in an affidavit that a preliminary forensic examination of the thumb drive has determined that it contained malware.
Zhang’s federal public defender, Robert Adler, denied that his client had any devices that could be used for spying.
Why would anybody plug that drive in outside of a forensics lab?
According to Ivanovich’s court testimony, an agent plugged an unknown, potentially malware-carrying device into a computer that presumably was used for official Secret Service work, instead of into a system rigged up for computer forensics – hence, what sounds like a hasty pull-out of that drive when it started running a program.
The apparent lack of security hygiene used by the Secret Service is concerning. Jake Williams, a former hacker for the National Security Agency (NSA) who’s now a cofounder of Rendition Infosec:
As a taxpayer, I'm very concerned about where Agent Ivanovich's laptop is and where it's been since he plugged a malicious USB into it. If this was the Secret Service quick reaction playbook, perhaps Zhang planned to get caught all along (not joking).https://t.co/Vz9qiuKvFM pic.twitter.com/M5mwBm6wam— Jake Williams (@MalwareJake) April 8, 2019
If the drive had been plugged into an air-gapped system, the agent wouldn’t have had any reason to pull it out to “halt any further corruption of his computer,” Williams points out. He compared it to the USB drive that carried the Stuxnet malware. Both Stuxnet and Conficker could execute malicious code even with AutoRun and AutoPlay disabled, without user interaction.
Ivanovich testified on Monday that the analysis of the thumb drive is “ongoing but still inconclusive.”
According to the Washington Post, a law enforcement official said the computer wasn’t part of a government data network, and no sensitive information was put at risk.