
Suspect Arrested at Mar-a-Lago With Suspicious USB Drive

'Asian Female' Arrested at Trump Club Had Drive Containing 'Malicious Software'
The Mar-a-Lago club in Palm Beach, Florida. (Photo: Mar-a-Lago)

An "Asian female" has been arrested for attempting to access President Donald Trump's Mar-a-Lago club while allegedly carrying a thumb drive containing malware.

Yujing Zhang, 32, allegedly gained illegal access to Trump's club in Palm Beach, Florida, during the past weekend, while Trump was staying there, and made false statements to federal agents, including claiming that she wanted to use the pool. But federal agents said she didn't have a swimsuit.

Zhang appeared in U.S. District Court on Monday. On Tuesday, her defense attorney, Robert Adler, a public defender, said in a court filing that Zhang was invoking her right to remain silent. Adler couldn't be immediately reached for further comment.

Criminal complaint against Yujing Zhang

Here's what's known about the circumstances that led to her arrest: At about 12:15 p.m. local time on Friday, Zhang - described by agents as being an "Asian female," according to court documents - allegedly told a U.S. Secret Service agent manning a checkpoint across from the entrance to Mar-a-Lago that she sought entry to use the pool.

She presented "two Republic of China passports as identification, both in the name of Zhang and displaying her photograph," according to a criminal complaint signed by Samuel Ivanovich, a U.S. Secret Service special agent.

The Republic of China is the official name of Taiwan. But U.S. Department of Justice officials have noted that Zhang was carrying two passports apparently issued by the People's Republic of China. Officials at the Chinese embassy in the U.S., located in Washington, couldn't be immediately reached for comment.

"Due to a potential language barrier" with the Secret Service agent manning the checkpoint, the agent contacted the manager of the Mar-a-Lago "beach club," which said that Zhang was the surname of one of the club's members, suggesting that Yujing might be the member's daughter, according to court documents.

This enabled Zhang to proceed to a point where she was picked up by a valet driver in a golf cart shuttle, although she allegedly couldn't tell the driver where she wanted to go.

She was then dropped off at the main reception area, proceeded through a magnetometer screening checkpoint, and spoke to a receptionist, saying she was there to attend "a United Nations Chinese American Association event later in the evening," according to the complaint. It notes that no such event was scheduled, and the receptionist checked to see if Zhang was on any approved access lists, finding that she was not.

As a result, the receptionist flagged a nearby Secret Service agent and said Zhang was not authorized to be on the property, according to the complaint.

Queried by the agent, Zhang said she was there to attend a "United Nations Friendship Event," but could not produce "any legitimate documentation authorizing her entry to Mar-a-Lago for such a purpose," at which point she was detained and moved to a U.S. Secret Service facility in West Palm Beach for further questioning, according to court documents.

During a second interview, Zhang "claimed her Chinese friend 'Charles' told her to travel from Shanghai, China, to Palm Beach, Florida, to attend this event and attempt to speak with a member of the president's family about Chinese and American foreign economic relations," Ivanovich writes in the criminal complaint. "Agents were unable to obtain any information more specifically identifying Zhang's purported contact, 'Charles,' as Zhang claimed she has only spoken to him via 'WeChat.'"

Suspect Detained With Thumb Drive

When Zhang was detained, she was carrying four cellular telephones, one laptop computer, one external hard drive as well as a thumb drive, according to the complaint.

Ivanovich says that Zhang appeared to have a "detailed knowledge" of the English language and "ability to converse in and understand even subtle nuances of the English language," despite her apparent communication problems earlier in the day. He said that Zhang also waived her Miranda rights and consented to a search of the devices she was carrying.

"A preliminary forensic examination of the thumb drive determined it contained malicious software," according to Ivanovich's complaint. "No swimming apparel was found in Zhang's possession or on her person."

Two Charges Filed

Missing from the assessment, however, is any indication of whether the USB thumb drive contained malware that might be used to purposefully infect other systems or whether it may have been inadvertently infected without the carrier's knowledge.

From Thursday to Sunday, a U.S. government "Protective Zone" was in effect around Mar-a-Lago, due to Trump staying at his club during that time. Court documents note that the club perimeter was well marked by "restricted access warning signs."

Signage in place around Mar-a-Lago when President Trump is staying there (Source: Criminal complaint)

Zhang has been charged with making a false statement to a federal officer, which carries a maximum penalty of up to five years imprisonment; as well as entering or remaining in a restricted building or grounds, which can be punished by up to one year's imprisonment and a $100,000 fine.

But Zhang may face further charges. "Because this affidavit is submitted for the limited purpose of establishing probable cause, it does not include all of the details of the investigation," Ivanovich wrote.

Security Risk: USB Thumb Drives

USB thumb drives can be a security nightmare. In the past, attackers have been known to leave malware-infected thumb drives in the parking lot of organizations that they want to hack. In at least some cases, employees of the targeted organization will plug the thumb drive into a work system, potentially giving attackers a way to gain remote access.

In other cases, attackers take a more direct approach.

The Stuxnet malware was reportedly able to infect systems controlling Iranian centrifuges in 2007 after being smuggled into Iran's secure Natanz facility on a USB thumb drive (see: Black Hat Keynoter: Beware of Air Gap Risks).

More recently, a bank heist campaign dubbed DarkVishnya that began in 2017 has involved attackers stealing funds from at least eight Eastern European banks, using a combination of inexpensive portable laptops and netbooks, small Raspberry Pi computers, as well as $100 "Bash Bunny" USB sticks designed for penetration testers and systems administrators - billed by manufacturer Hak5 as being "a simple and powerful multifunction USB attack and automation platform" - to hook into targets' local area network (see: Eastern European Bank Hackers Wield Malicious Hardware).

Researchers at Moscow-based Kaspersky Lab say that attackers potentially pose as job seekers or package couriers to gain access to a targeted organization's premises - typically, a branch office. Subsequently, the attacker plugs their devices into the LAN, installing them in as surreptitious a location as possible, after which the gang gains remote access, conducts reconnaissance on the network and remotely executes files, researchers say.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
