Last weekend, during President Trump’s visit to the Mar-a-Lago resort, a 23-year-old Chinese woman attempted to gain access to the Florida resort by lying and bluffing her way in. After some discussion at the gate, she was escorted to the reception of the resort where it was found out that she was not on the list of people that were allowed to enter.

According to the report a search of her belongings showed she was carrying four cellphones, a hard drive, a laptop and a thumb drive that was found to be infected with malware.

The word infected was emphasized by us because it raises an important question. A thumb drive can have malware on it that is inactive. The malware can be deployed when the carrier is able to connect it to a target system. But it can also have malware on it that will deploy automatically once it is connected to a system. For example, like we have seen in USB drives dropped in the parking lot of a corporation that a threat actor wants to infiltrate. The third option is that the thumb drive is actually infected without the knowledge of the carrier. We sometimes see an old worm resurface that has infected the root of a thumb drive and consequently infects the system it was connected to. These are usually older worms that were widely spread and get a second chance when someone finds and uses an old USB stick.

As you can see, it is very important to know which of these scenarios is true here. Given the circumstances we are led to believe that the first scenario might be true.

But even if this is true this seems an amateur attempt that we should not attribute to the Chinese government or one of their APT groups too quickly. While it is true that Russian and Chinese attempts to gain access to important information are getting more overt, this one seems to be of a less professional nature. We will have to wait and see. Ms Zhang has a detention hearing April 8 and an arraignment April 15, so hopefully we will learn some more then.

According to Malwarebytes’ expert on China and APT groups William Tsing:

Although China has a long history of manipulating members of the Chinese diaspora towards espionage goals, we lack sufficient information at this time to conclude definitively that Zhang was engaged as an intelligence collector.  What we can say for sure is that businesses at high risk of cyber attack – such as Mar a Lago – can take measures to lower their risk profile.  Knowing your customers, and what legitimate business activity looks like, can assist in spotting fraudulent or dangerous behavior.  Empowering employees to challenge or alert to suspicious activity can stop an attack in its tracks.  Lastly, hotels of any sort are functionally impossible to secure well due to their transient population, and should not be the location of any sensitive or significant business transactions.

What we do know is that secret service agents at the gate verified that the last name on the passport she presented matched that of one of the club members, so when she claimed she wanted to use the pool she was escorted to the front desk. There she showed an invitation – in Chinese – for a United Nations friendship event. There was no-one that could read the invitation, but no such event was scheduled, so Ms Zhang was questioned and eventually detained.

President Trump was not at the resort at the moment this went down, but he was playing golf at a nearby facility.