
Chinese USBs spark cybersecurity scare in Slovenian government
Several Slovenian government institutions have purchased Chinese-made USB sticks infected with malware. The infection was detected soon enough and has apparently not caused any damage.
According to media reports, the Ljubljana company Extra Lux sold the USB sticks to around 20 public administration bodies after winning a public sector supply deal as the cheapest bidder, CE Report reports, citing The Slovenia Times.
The Office for Information Security said the authorities have not found any damage that may have been caused by the malware.
However, considering the number of sticks in use and the nature of the threat, the office has declared a state of increased risk, instructing all public administration bodies not to use the USB sticks.
Possible preparation for cyberattack
The office's head, Uroš Svete, said on 9 June that the malware, reportedly a worm, found on the USB sticks could have been used in preparation for a cyberattack.
The sticks had been used by the Court of Audit. The infection was detected in time and reported to the office, which analysed the malware and shared the malicious code with other relevant authorities.
"Malware as such is a key challenge and a threat to cyber security. From the technical perspective it amounts to preliminary preparations for a cyber attack," said Svete, but added that the malware did not destroy any data. He said the malware installed on the USB sticks was several years old.
The office has handed the matter to the police.
USB sticks recalled
Extra Lux sold the USB sticks to public administration bodies, which ordered them directly based on the master contract.
Company director Gregor Bogataj told the N1 news portal that the sticks were "on general sale, not exclusively for public administration, in the supplier's original packaging, and were not repackaged."
He said the company had immediately initiated all necessary internal procedures to clarify the circumstances and was actively cooperating with the police.
Extra Lux also decided to recall all USB sticks from the same Chinese manufacturer distributed recently.
Problem detected by anti-virus programme
The authorities would not say which institutions purchased the infected sticks or how many they had, but N1 has reported there were about 20, including ministries and state agencies.
According to the investigative portal Necenzurirano, the list of those who purchased larger amounts of USB sticks from Extra Lux includes some state-owned companies such as Slovenian Railways and the Association of Health institutes, which represents hospitals and community health centres.
The sticks with a potential malware infection were detected during a regular review at one of the institutions that are subject to information security requirements. Their anti-virus programme detected the malware in new and unused USB sticks.
Under the existing law, institutions that are obligated to take cybersecurity measures include state authorities, local authorities and public agencies.
A new cybersecurity law, passed in late May, will take effect in roughly two weeks. It will significantly increase the number of these institutions, from 80 to more than 1,000 across 18 industries in the private and public sectors.