The already suspicious account of a Chinese national who allegedly carried four cellphones, a thumb drive containing malware, and other electronics as she breached security at President Trump’s private Florida club just grew even more fishy.
According to testimony presented Monday, Yujing Zhang’s hotel room had a signal detector and additional suspicious possessions in it.
The possessions in Zhang’s hotel included five SIM cards, nine USB drives, yet another cell phone, and a signal detector that could scan an area for hidden cameras, according to reports widely circulated Monday. In addition to the electronics, Zhang’s hotel room also contained more than $8,000, with $7,500 of it in US $100 bills and $663 in Chinese currency, The Washington Post reported.
The details came to light at a bond hearing on Monday in a Florida federal court. There, a Secret Service agent testified that the malware Zhang carried was capable of infecting a computer as soon as the thumb drive was plugged in. According to a report published Monday by the Miami Herald:
Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.
The New York Times described the Secret Service’s thumb drive analysis slightly differently. According to this report:
Mr. Ivanovich testified that the computer analyst who reviewed Ms. Zhang’s devices said that the thumb drive she was carrying had immediately begun installing a program on his computer.
“He stated that he had to immediately stop the analysis and shut off his computer to halt the corruption,” Mr. Ivanovich said.
Federal prosecutors argued during Monday’s hearing that Zhang was a flight risk because she had no ties to the US and couldn’t be trusted to tell the truth.
“She lies to everyone she encounters,” prosecutor Rolando Garcia told the court, according to CNN.
Zhang’s federal public defender, Robert Adler, contented there was no evidence his client was a spy. “She did not have the type of devices that can be associated with espionage activities,” Adler said, according to The Washington Post. Federal prosecutors said they have made no allegations Zhang was involved in espionage.
The 32-year-old woman was arrested last weekend after giving conflicting reasons for her visit to the president’s club. She initially told a US Secret Service agent she was there to use the pool. A Mar-a-Lago security manager waved her past a security checkpoint after a “potential language-barrier issue” raised the possibility she was the daughter of a member who had the same last name. Once inside, Zhang allegedly told a receptionist she was there to attend a United Nations Chinese American Association event later that evening. After the receptionist confirmed no such event was scheduled to take place, Secret Service agents questioned her. They eventually arrested her on charges of lying to a federal officer and entering restricted property.
A search showed that, when Zhang entered Mar-a-Lago, she was carrying four cellphones, a laptop computer, an external hard drive, and a thumb drive. A preliminary forensic investigation found the thumb drive contained malware. Agents found no swimsuit in her possession.
Authorities have yet to say what kind of malware was stored on the thumb drive. They have also provided few if any details about the cell phones, hard drives, computer, and other electronics found on her person and in her hotel room.
Thumb drive hygiene
Monday’s testimony from the Secret Service raises questions about the security practices that the agency takes in protecting its computers against malware infections. The statement that an agent examining the seized thumb drive had to “immediately stop the analysis to halt any further corruption of his computer” is especially concerning. It suggests that the agent connected the drive to the same computer used for official Secret Service work. Typically, USB drives and other computer peripherals from unknown sources should only be analyzed using laboratory equipment that’s specifically designated for such purposes.
“As a taxpayer, I’m very concerned about where Agent Ivanovich’s laptop is and where it’s been since he plugged a malicious USB into it,” Jake Williams, a former hacker for the National Security Agency who is now a cofounder of Rendition Infosec, said on Twitter. “If this was the Secret Service quick reaction playbook, perhaps Zhang planned to get caught all along (not joking).”
As a taxpayer, I’m very concerned about where Agent Ivanovich’s laptop is and where it’s been since he plugged a malicious USB into it. If this was the Secret Service quick reaction playbook, perhaps Zhang planned to get caught all along (not joking).https://t.co/Vz9qiuKvFMpic.twitter.com/M5mwBm6wam
— Jake Williams (@MalwareJake) April 8, 2019
Thumb drives have long been used as ways to surreptitiously infect computers. The Stuxnet worm is the best known example of malware that was able to jump from thumb drive to a computer. While the Windows feature that allowed Stuxnet to spread has been locked down, security experts continue to view thumb drives as a major potential carrier of malware infections.
Monday’s hearing raised yet another question about Secret Service security. Adler, the public defender representing Zhang, got agent Samuel Ivanovich to admit that “the agency that protects the president largely relied on Mar-a-Lago staff to determine whether to admit her, didn’t see red flags in the devices she carried, and asked no further questions of Zhang once they believed she was related to another club member with the same last name—which is extremely common in China.”
Expect more scrutiny of the event, the resulting investigation, and the lax policies that led to the breach to continue, possibly for months to come.