
APT37, LNK Files, and the USB Risk in Air-Gapped Environments

By OPSWAT

Recent intelligence on APT37 emphasized the critical reality that many organizations still treat air-gapped networks as impenetrable, despite evidence to the contrary. When adversaries are denied network-based entry points, they pivot to physical vectors. In industrial, defense, and critical infrastructure environments, that vector is almost always removable media.

USB devices remain operationally necessary for tasks like firmware updates, log extraction, vendor maintenance, and engineering file transfers. APT37's deployment of malicious LNK shortcut files serves as a textbook example of how this attack surface is leveraged with minimal technical complexity and maximum operational impact.

Why LNK Files Represent a Significant Threat to Isolated Environments

An LNK file is a native Windows shortcut. It can be made to look exactly like a legitimate folder or document, a detail an adversary deliberately exploits.

Beneath its benign presentation, a malicious LNK file is capable of:

  • Invoking PowerShell or other native system interpreters
  • Executing concealed scripts stored on the removable device
  • Staging and triggering payloads without requiring external connectivity
  • Leveraging trusted operating system utilities to evade detection

None of these execution paths require network access, user macro approval, or the presence of a standalone malware binary. This makes the shortcut itself the threat delivery mechanism, which can have a significant impact within an air-gapped environment. For instance, an operator inserts a USB drive, double-clicks what appears to be a routine engineering document, and the compromise initiates silently within the local environment, without raising immediate alarms.

The Operational Reality of Removable Media Risk

The underlying problem is not the existence of USB as a technology. It is the absence of governance around its use. Across many OT environments, the current state reflects a significant control gap:

  • Removable media is inserted directly into production and engineering workstations without pre-screening
  • Files are opened without undergoing any form of content inspection
  • There is no centralized visibility into what data was transferred, when, or by whom
  • Policies governing executable-capable file types, such as LNK, EXE, or script files, are either absent or inconsistently enforced

Sophisticated threat actors do not need to defeat technical controls when operational practices provide an unobstructed path. This is the gap that APT37 and similar actors actively exploit.


The most dangerous assumption in OT security is that physical isolation equals protection. In every critical infrastructure environment I've worked with, removable media is operationally necessary, and that necessity is exactly what threat actors count on. When a USB device bypasses inspection and reaches an engineering workstation, you're not dealing with a network problem anymore. You're dealing with the consequences.

Itay Glick
GM, OT Security and Hardware Engineering

Why a USB Security Kiosk Is a Critical Control

Relying on endpoint detection after a USB device has been inserted into a production asset is a reactive posture. In OT environments, by that point it is often too late to contain a breach. The most operationally sound approach is to enforce content inspection before removable media reaches any production system.

A USB security kiosk is a solution that establishes a controlled, mandatory checkpoint between the external environment and the OT/ICS network boundary. With removable media being processed through a capable inspection station prior to use, each device is subject to:

  • Malware scanning with multiple engines to detect known threats
  • File Content Disarm and Reconstruction to neutralize active content within files
  • File-type policy enforcement to restrict non-approved formats from entering the environment
  • Device-level inspection to assess the integrity of the media itself
  • Comprehensive audit logging to maintain a full chain of custody for every transfer

This architecture physically decouples the inspection process from production systems, ensuring that high-risk content is neutralized before it can reach any operational asset.

How Kiosks Directly Mitigate LNK-Based Attack Chains

A properly configured scanning kiosk workflow treats LNK files and similar executable-capable artifacts as high-risk objects by default. Operationally, this means:

  • Shortcut and script files are automatically blocked at the inspection stage
  • Executable content is stripped from approved file types
  • Suspicious command structures embedded within files are identified and neutralized
  • Only explicitly authorized file types are permitted to pass into the OT environment

If a threat actor embeds a malicious payload within an LNK file, it is intercepted and remediated before the USB device ever reaches an engineering workstation. If organizational policy prohibits shortcut files entirely, they are filtered out at the kiosk, and the attack chain is severed before it can be initiated.
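As an added illustration (not OPSWAT's code and not how MetaDefender Kiosk is implemented), the Python below sketches the two checks a kiosk policy for shortcut files rests on: recognising a Shell Link by its header rather than its file extension, and reading the StringData fields (relative path, arguments, icon location) that reveal which interpreter a shortcut would invoke. The sample shortcut is constructed inline for testing; the interpreter list and the allowed-extension set are illustrative assumptions.

```python
import struct

# A Shell Link (MS-SHLLINK) starts with HeaderSize 0x4C and the ShellLink CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
STRING_NAMES = ("name", "relative_path", "working_dir", "arguments", "icon_location")
# Assumed policy values: interpreters a kiosk treats as high risk, and formats allowed through.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ALLOWED_EXTENSIONS = {"pdf", "csv", "txt", "png"}

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (enough to see what it launches)."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]   # LinkFlags follows the 16-byte CLSID
    pos = 76                                        # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                         # skip LinkTargetIDList (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                       # skip LinkInfo (4-byte size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in zip(STRING_FLAGS, STRING_NAMES):
        if flags & bit:                             # each string: 2-byte char count, then chars
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1  # ANSI decoding assumes cp1252 here
            raw = data[pos:pos + width * count]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += width * count
    return fields

def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Constructed minimal LNK (Unicode StringData only, no IDList/LinkInfo) used as a test sample."""
    flags = 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<I", flags) + bytes(76 - 24)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (relative_path, arguments, icon))
    return header + body

def kiosk_verdict(filename: str, data: bytes) -> tuple:
    """Block shortcuts by content (a renamed .lnk still fails), then apply the extension allow-list."""
    if data.startswith(LNK_MAGIC):
        fields = parse_lnk(data)
        cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
        hit = next((i for i in INTERPRETERS if i in cmd), None)
        return "BLOCK", f"shell link invokes {hit}" if hit else "shell link not in allow-list"
    if filename.lower().rsplit(".", 1)[-1] not in ALLOWED_EXTENSIONS:
        return "BLOCK", "file type not approved"
    return "ALLOW", "passes file-type policy (still subject to scanning and CDR)"
```

The extension check alone would have let the sample through under a document-like name, which is why the header check comes first.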

Securing the Physical Perimeter

Air gaps deliver their strongest security assurance when controls are enforced at the physical layer. A USB security kiosk provides organizations with:

  • Centralized policy enforcement across distributed facilities and operational sites
  • Consistent control application that reduces dependency on individual user judgment
  • Complete operational visibility into all removable media activity
  • Audit-ready documentation for compliance with regulatory and industry frameworks
  • Reduced risk exposure for engineering workstations, safety systems, and other high-consequence assets

This is especially critical in environments where a single compromised endpoint can propagate and impact production continuity, personnel safety, or grid reliability.


Inspection before insertion isn't the best practice. It's the only practice that closes the gap.

Itay Glick
GM, OT Security and Hardware Engineering

How OPSWAT Helps Secure Your Critical Infrastructure

Air-gapped environments are not compromised because they are connected. They are compromised because removable media is trusted by default. With sophisticated, targeted campaigns against critical infrastructure, that default assumption is a liability organizations can no longer afford to carry. When removable media is part of your operational workflow, OPSWAT's Peripheral and Removable Media Protection solutions deliver multi-layered controls that close this gap.

MetaDefender Kiosk: Stop Removable Media Threats at the Point of Entry

To defend against USB-based attack vectors, MetaDefender Kiosk acts as a physical scanning station to safeguard organizations’ assets. It integrates with proven, industry-leading solutions and technologies to sanitize data before it enters critical environments. Combined with solutions like MetaDefender Managed File Transfer™ (MFT) and MetaDefender Media Firewall™, additional layers of defense can be added to MetaDefender Kiosk to support safe file transfers and enforce scan policies.

MetaDefender Endpoint: Pre-Run Protection and Device Control

MetaDefender Endpoint strengthens endpoint security and provides protection for peripheral and removable media in critical environments. It actively detects and blocks removable media devices until they are thoroughly scanned and verified to be clean before granting them access to the system.

Media as an Additional Layer of Defense

OPSWAT provides additional solutions to support a defense-in-depth strategy to enable multi-layered protection by validating media and enforcing scanning and sanitization policies.

MetaDefender Media Firewall is an easy-to-use hardware solution to protect critical host systems from threats carried by removable media. It works alongside MetaDefender Kiosk as a physical layer within OT environments to ensure that no unscanned removable media can bypass entry points.

MetaDefender Endpoint™ Validation is a lightweight tool installed on endpoints and serves as a checkpoint to ensure that only files scanned by MetaDefender Kiosk can be opened, copied, selected, and accessed by the endpoint.

Industry-Leading Technologies

Both MetaDefender Kiosk and MetaDefender Endpoint utilize proven, globally trusted technologies, such as Metascan™ Multiscanning, which achieves 99.2% malware detection rates using 30+ anti-malware engines. They also employ Deep CDR™ Technology to proactively remove malicious content from files without compromising functionality. Along with performing vulnerability assessments to identify known software flaws in files carried on removable media and providing robust sensitive data leak protection, both solutions provide deep, multi-layered defense for IT/OT networks against peripheral and removable media threats.

Executive Takeaway

APT37 did not overcome air-gap isolation by defeating the network security architecture. They exploited operating system functionality and removable media workflows, which are entirely within the scope of organizational control.

To address this challenge, prevention must occur before execution reaches the endpoint. If removable media is part of your operational workflow, and in most OT/ICS environments it is, that workflow must be governed as strictly as any network perimeter control:

  • Inspect before insertion: No device should reach a production system without prior screening
  • Log before transferring: Every media interaction should produce an auditable record
  • Remediate before accessing: Risk must be neutralized at the boundary, not detected after the fact

To learn how OPSWAT can help you neutralize removable and peripheral media threats before they reach your critical environment, talk to an expert today.
