Sony LYTIA 610 and the New Standard of Zoom Clarity
Factory-Installed Malware in Chinese USB Drives

The security of air-gapped networks—systems fundamentally isolated from the global internet—has traditionally hinged on the restriction of physical access to I/O ports. However, this very barrier becomes the primary point of failure when compromised hardware is introduced into the environment. The severity of this vulnerability is underscored by reports from Nikkei, which detailed infections within the infrastructure of the Japan Ground Self-Defense Force. Malicious code infiltrated these closed networks via USB flash drives from a Chinese manufacturer, remaining undetected for nearly a year, from 2024 through February 2025.
The scope of this problem extends far beyond military installations. An analysis of over 8,000 customer reviews on Amazon revealed systemic complaints regarding similar devices. While such incidents appear isolated in the Japanese market, more than two dozen confirmed cases were recorded in the United States between 2017 and 2025, with activity peaking in 2024. Users report that antivirus software flags threats immediately upon the first connection of a brand-new, out-of-the-box device.
Technical forensics indicate a sophisticated threat. Cybersecurity specialists discovered files with foreign naming conventions on the drives that cannot be deleted using standard OS tools. Furthermore, the signatures of the detected malware align with the toolsets of hacking groups previously linked to state structures in the PRC. This suggests that these are not random glitches, but rather a coordinated operation to embed "backdoors" into consumer electronics.
Such supply chain attacks are devastatingly effective because they bypass the majority of traditional network defenses. When malicious code is integrated at the firmware level or pre-installed during factory production, the system perceives the device as a trusted medium. In the context of industrial laboratories and research centers—where computers are intentionally disconnected from the internet—the USB port remains the only "window" into the system, making it an ideal channel for data exfiltration or sabotage.
Experts are weighing two primary theories regarding the origin of this issue. The first is deliberate state espionage, where the mass production of low-cost storage devices serves as a cover for delivering malware into strategically critical nodes across various countries. The second theory points to a catastrophic failure of cybersecurity hygiene at the manufacturing plants: the equipment used to flash the drives may have been infected due to personnel negligence, leading to the automatic replication of the virus across entire production batches.
It is worth noting that such "surprises" are not unprecedented in products from this region. Japanese industrial clients have previously encountered infected memory cards. These devices are often accompanied by other hallmarks of poor quality, such as capacity spoofing—where the firmware reports a high storage capacity, but the device begins overwriting old files or triggering errors once the actual limit is reached. Collectively, these factors transform cheap USB drives from convenient tools into potential cyber-threat vectors, necessitating rigorous control and pre-deployment screening before they are introduced into any critical infrastructure.

