[TIMESTAMP: 2026-05-27 09:17 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Physical Access Risks: FBI Warns of In-Person USB Attacks by SRG

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Law firms face data theft from in-person operatives who bypass digital perimeters to deploy malware via physical USB drives.
  • [02] Legal sector workstations and servers are targeted via physical access points and social engineering tactics.
  • [03] Organizations must restrict physical USB port access and implement strict visitor verification protocols to prevent unauthorized hardware connection.

The Federal Bureau of Investigation (FBI) has issued a specialized alert regarding a tactical shift by the Silent Ransom Group (SRG), also known as Luna Moth. According to SecurityWeek, this threat actor is moving beyond traditional phishing and remote exploitation to employ physical social engineering. The campaign specifically targets law firms, with operatives physically entering premises to insert malicious USB drives directly into workstations or servers to facilitate data exfiltration.

Physical Social Engineering and In-Person Infiltration

Historically, the TTP of sending physical operatives to a target location has been the domain of high-tier intelligence agencies or specialized penetration testing teams. However, the Silent Ransom Group is now leveraging this method to bypass traditional network defenses. By gaining physical access, the group eliminates the need to defeat perimeter firewalls or sophisticated EDR solutions that focus on remote entry points. This strategy highlights a significant Zero Trust failure where internal physical environments are often less scrutinized than external digital ones.

The operatives reportedly masquerade as delivery personnel, maintenance workers, or other trusted visitors to gain entry to law firm offices. Once inside, they seek out unattended computers or exposed server ports. The goal of this targeting of law firms by the Silent Ransom Group is typically the theft of sensitive legal documentation, intellectual property, or client data, which can then be used for extortion.

How to Detect Silent Ransom Group USB Attacks

Detecting a physical breach requires a fusion of physical security monitoring and endpoint telemetry. From a technical perspective, a SOC should monitor for the sudden connection of unauthorized Human Interface Devices (HID) or removable storage. While no specific CVE is uniquely associated with the USB hardware itself in this alert, the payloads often utilize automated scripts to establish a C2 channel.

Defense teams should look for the following IoC patterns and behaviors:

  • Unexpected PowerShell or Command Prompt execution immediately following a USB insertion event.
  • Modification of registry keys related to mounted devices or autorun settings.
  • External network connections to known malicious domains or IP addresses associated with SRG infrastructure.
  • Unusual lateral movement within the network shortly after an unverified visitor was on-site.

When defenders attempt to detect Silent Ransom Group USB attacks, they must also analyze physical access logs. Correlating the timestamp of a suspicious USB event with building access badge logs or CCTV footage is essential for confirming the presence of an in-person operative.
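The correlation described above can be expressed as a small triage routine. The following is an added example (not from the FBI alert or SecurityWeek reporting): it joins constructed endpoint telemetry (USB mounts and process starts) with a constructed badge log, and flags a mount when a shell starts within two minutes of it, when it happens outside business hours, or when nobody badged into that office in the preceding ten hours. The event schema, host-to-site mapping and time windows are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (timestamps UTC); none of it is from the advisory.
ENDPOINT_EVENTS = [
    {"ts": "2026-05-26T21:02:10", "host": "WS-LEGAL-07", "kind": "usb_mount", "detail": "USBSTOR removable disk"},
    {"ts": "2026-05-26T21:02:41", "host": "WS-LEGAL-07", "kind": "proc_start", "detail": "powershell.exe -WindowStyle Hidden"},
    {"ts": "2026-05-26T14:15:00", "host": "WS-LEGAL-03", "kind": "usb_mount", "detail": "USBSTOR removable disk"},
    {"ts": "2026-05-26T14:40:00", "host": "WS-LEGAL-03", "kind": "proc_start", "detail": "winword.exe"},
]
BADGE_LOG = [{"ts": "2026-05-26T08:01:00", "site": "HQ", "who": "jdoe"}]  # constructed valid badge-ins
HOST_SITE = {"WS-LEGAL-07": "HQ", "WS-LEGAL-03": "HQ"}  # assumed: which office each workstation sits in
SUSPECT_PROCS = ("powershell.exe", "cmd.exe")  # the shells the alert singles out
SHELL_WINDOW = timedelta(seconds=120)  # what "immediately following" a mount means here (assumption)
PRESENCE_WINDOW = timedelta(hours=10)  # how long one badge-in is taken to explain presence (assumption)
BUSINESS_HOURS = range(8, 18)  # local time == UTC in this constructed example


def _t(s):
    return datetime.fromisoformat(s)


def triage(events, badge_log, host_site):
    """Return one finding per USB mount, listing the reasons it looks suspicious."""
    findings = []
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["kind"] != "usb_mount":
                continue
            mount_ts = _t(e["ts"])
            reasons = []
            # 1. A shell spawned on the same host shortly after the mount.
            for later in evs[i + 1:]:
                if _t(later["ts"]) - mount_ts > SHELL_WINDOW:
                    break
                if later["kind"] == "proc_start" and later["detail"].lower().split()[0] in SUSPECT_PROCS:
                    reasons.append("shell_after_usb")
                    break
            # 2. The mount happened outside business hours.
            if mount_ts.hour not in BUSINESS_HOURS:
                reasons.append("off_hours")
            # 3. Nobody badged into that office within the presence window before the mount.
            site = host_site.get(host)
            badged = any(b["site"] == site and timedelta(0) <= mount_ts - _t(b["ts"]) <= PRESENCE_WINDOW for b in badge_log)
            if not badged:
                reasons.append("no_badge_activity")
            findings.append({"host": host, "ts": e["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(ENDPOINT_EVENTS, BADGE_LOG, HOST_SITE):
        print(finding)
```

In the sample data the daytime mount on WS-LEGAL-03 produces no reasons, while the evening mount on WS-LEGAL-07 triggers all three rules; in production the badge check should be keyed to the specific door nearest the workstation rather than the whole site.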

Mitigating Physical Access Threats and USB Malware

To effectively combat this threat, organizations must move beyond digital-only security models. The following measures are recommended to harden the environment against physical infiltration:

  1. Port Security: Physically block unused USB ports or use software-defined policies to disable USB storage devices globally across the workstation fleet.
  2. Visitor Management: Implement rigorous identity verification for all visitors, including third-party contractors and delivery staff, ensuring they are escorted at all times.
  3. Endpoint Hardening: Ensure that EDR policies are configured to alert on any device mounting that occurs while a workstation is in a locked state or during non-business hours.
  4. Hardware Awareness: Educate employees on the risks of ‘lost’ USB drives or individuals attempting to access hardware under false pretenses.

This shift by SRG indicates that even if an organization has a mature digital security posture, the physical layer remains a viable Zero-Day entry point if left unprotected. By mitigating physical access threats and USB malware, law firms can protect the confidentiality of their clients and reduce the likelihood of a successful extortion attempt.
