New details are starting to trickle in about the Chinese woman arrested while carrying a suspicious number of electronic devices and trying to get inside President Donald Trump’s private Mar-a-Lago club — among them that a USB drive in her possession began to auto-install files on a Secret Service agent’s computer the minute he plugged it in.
At a hearing in West Palm Beach on Monday, a Secret Service agent recounted, according to the Miami Herald, that a fellow agent had inserted a USB drive taken from the suspect into his computer. From the description given at the hearing, the drive appears to have contained AutoRun code (or something like it), a common feature of spy tools. Such code essentially allows malware to execute on a machine the second an infected drive is plugged in.
Initial reports regarding the suspect’s arrest referenced the confiscation of a drive containing “malicious malware,” though the specific type of malware has not been disclosed.
New York Times’ Nicholas Fandos tweeted on Monday that a “law enforcement official familiar with the investigation” had clarified the machine in question was a “controlled, off-network device” at the Secret Service field office in Miami, and that no sensitive system would have been compromised.
A law enforcement official familiar with the investigation says the computer in question was a controlled, off-network device in the Secret Service's Miami Field Office. Source says never any risk to the agency's computer network with regard to this thumb drive. https://t.co/ioNrvnTZdo
— Nicholas Fandos (@npfandos) April 8, 2019
The agent also reportedly testified that analysis of the drive had to be immediately halted to prevent further corruption of his device, according to the Herald:
Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich testified. The analysis is ongoing but still inconclusive, he said.
(Numerous U.S. media outlets as well as court documents have identified her using the more Western name construction “Yujing Zhang.”)
At the time of her arrest, she was carrying four phones, two Chinese passports, a laptop, and the malware-loaded drive. Prosecutors said Monday that a search of her hotel room also turned up nine USB drives and five SIM cards, among other electronics.
AutoRun USB drives are a tool oft-used by security consultants hired to test the physical security of an office space. Malicious hackers may use them to install a keylogger on computers, which can then record passwords and other sensitive information, or spread worm-like viruses laterally across a network. Hackers have even booby-trapped USB peripherals, such as a computer mouse, to infect systems.
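The safe way to learn what a drive like this would have launched is to read its AutoRun manifest without ever letting the host act on it. The following is an added example, not code from the article or from the investigation: it statically triages an autorun.inf (assumed to have been copied off a read-only forensic mount, and the sample file below is constructed) and reports the commands AutoRun would have run plus the usual social-engineering cues, executing nothing.

```python
"""Static triage of autorun.inf from an untrusted removable drive (added example)."""
import configparser
import re

# Keys whose value AutoRun/AutoPlay hands to the shell as a program to run.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk")

# Constructed sample: the pattern of a drive dressed up to look like a photo folder.
SAMPLE_AUTORUN_INF = r"""
; constructed sample, not the drive from the article
[autorun]
open=setup.exe /silent
shellexecute=update.vbs
shell\install\command=bin\helper.exe
shell=install
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
label=Photos
"""


def triage_autorun(text: str) -> dict:
    """Return what AutoRun would launch and which lines are there to fool a user."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    if not cfg.has_section("autorun"):
        return {"launches": [], "default_verb": None, "warnings": ["no [autorun] section"]}
    sec = cfg["autorun"]
    launches, warnings = [], []
    for key, value in sec.items():          # keys are lowercased by configparser
        value = value.strip()
        if key in LAUNCH_KEYS or VERB_COMMAND.match(key):
            launches.append((key, value))
            program = value.split()[0].lower() if value else ""
            if program.endswith(EXEC_SUFFIXES):
                warnings.append(f"{key} launches executable {program}")
        elif key == "icon" and (".dll" in value.lower() or ".exe" in value.lower()):
            warnings.append("icon borrowed from a system binary (folder-icon spoof)")
        elif key == "action" and "folder" in value.lower():
            warnings.append(f"AutoPlay prompt text mimics Explorer: {value!r}")
    return {"launches": launches, "default_verb": sec.get("shell"), "warnings": warnings}


if __name__ == "__main__":
    for line in triage_autorun(SAMPLE_AUTORUN_INF)["launches"]:
        print("would launch:", line)
```

The `shell=` verb names which `shell\<verb>\command` entry runs on double-click, so a report that lists all three launch keys together with that default verb tells an analyst the full set of programs the drive was built to run.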
Also found was a device used to detect hidden cameras — which, to be fair, are a common problem throughout East Asia, including China. (Sales of hidden-cam detectors soared last month in South Korea, for example, where thousands of hotel guests are being secretly filmed each year.)
While the Herald’s story sparked some initial confusion over whether the Secret Service did or did not carelessly load the drive onto a work system — speculation about which appears to have been premature — an agency checkpoint at the Mar-a-Lago club did let Zhang through on March 30 after hearing that “she wished to use the pool,” according to the Herald. After communication with the woman proved difficult due to a perceived language barrier, staff at the club became convinced she was related to a member who has the same surname. It was later discovered that she was not on the approved guest list.
When interviewed, Zhang appeared to give conflicting reasons for her presence at the club, at one point saying a man named “Charles” had invited her to attend a “United Nations Friendship Event.” Her attorneys have reportedly confirmed she was referring to a man named Charles Lee, whom the Herald previously reported runs a business selling Chinese clients on access to U.S. politicians at the club. Lee’s organisation is called the United Nations Chinese Friendship Association (though it has no affiliation with the much more well-known intergovernmental organisation titled the United Nations).
Zhang’s attorney reportedly said she’d paid $28,197 to a Beijing-based company for a travel package and pointed to the Herald’s own reporting about Lee selling Chinese buyers on the opportunity to meet Trump or members of his family at the club.
Secret Service agents — really on top of their game here — conducted a four-and-a-half hour interview with Zhang, but failed to realise they were only recording video. There is no audio of the interview.
Over the past few days, Trump has cleared house in the Department of Homeland Security, the Secret Service’s parent agency, with one official describing the situation to CNN as a “near-systematic purge... at the nation’s second-largest national security agency.” That has included the departure of DHS chief Kirstjen Nielsen — reportedly on grounds that the president thought she was insufficiently hardline on border security — but also the Secret Service’s director, Randolph D. “Tex” Alles.
Alles sought to portray his departure not as a firing, but part of an “orderly transition” of leadership planned in advance by the White House, according to CNN. One official also told CNN that the Mar-a-Lago breach did not play a role in the White House’s decision to replace Alles, while Trump told reporters he “could not be happier with Secret Service” performance after the breach occurred.
However, according to the New York Times, while Trump had privately become sceptical of Alles’ standing among rank-and-file Secret Service personnel before Zhang’s arrest, some officials at the service believe her ability to slip past security at Mar-a-Lago was a nail in the coffin. Those sources said Alles’ departure was “accelerated in part because of the episode,” the Times wrote.
A joint investigation by Gizmodo and ProPublica in 2016 found security at Mar-a-Lago (oft-annoyingly referred to as the “Winter White House”) more than lacking. Several Wi-Fi networks were ruled extremely hackable by professionals, even from as far as 243.84m away, with the proper equipment. The club had set aside nearly $634,439 for security that year, the investigation found.