The TYREX Files – November 2025 Edition

Top Cybersecurity Stories/News

The cybersecurity highlights of our weeks.

1. Cyber-Espionage: Infected USB Drives Invade European Ports

In mid-November, French authorities uncovered a major cyber-espionage operation targeting several major European ports. Thousands of infected USB drives were discovered circulating in port environments, many cleverly disguised as legitimate shipping documents. Once connected to port systems, these devices deployed malware specifically designed to compromise logistics systems, operational networks, and even air-gapped infrastructure that’s supposed to be isolated from external threats. This incident aligns with a broader pattern documented internationally: European maritime operators have repeatedly been targeted through malware-infected USB sticks distributed across ships and port facilities, confirming that USB-based attack vectors remain highly attractive for state-aligned threat actors. ENISA’s latest Threat Landscape assessment further confirms an alarming increase in cyber-espionage campaigns against logistics, transport, and critical infrastructure across Europe, with removable media continuing to serve as a preferred infiltration method when digital defenses are strong or when systems are deliberately isolated.

Our 2 Cents:

This incident is a perfect reminder: the cloud may handle everything today, but a tiny USB stick can still walk right past your defenses. Firewalls don’t stop someone plugging something in. EDR doesn’t see what happens before the device touches the port. And air-gapped systems? They rely on USB by design. That’s exactly why Tyrex exists—to secure the physical entry point everyone forgets until it’s too late. As long as organizations use removable media (and they do), USB decontamination isn’t optional. It’s the first line of defense. The cloud protects your network. Tyrex protects the moment right before it.
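One concrete form of "securing the physical entry point" is a gate that inspects what a device claims to be before any storage is mounted. The example below is added here and is not TYREX's code or the tooling used at the ports: it parses a USB configuration descriptor, lists the interface classes the device exposes, and refuses anything that is not a plain bulk-only mass-storage device (a keyboard-plus-storage composite is the classic BadUSB shape; a network function on a "flash drive" is another red flag). The descriptor blobs are constructed for the example; on a real host they come from the USB stack (the same fields `lsusb -v` prints on Linux).

```python
"""Interface-class gate for removable media, run against a USB configuration descriptor.

Added example, not TYREX code. The descriptor blobs in SAMPLES are constructed.
"""
import struct
from dataclasses import dataclass

MASS_STORAGE, HID, CDC_CONTROL, CDC_DATA, WIRELESS = 0x08, 0x03, 0x02, 0x0A, 0xE0
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}
BULK_ONLY_SCSI = (0x06, 0x50)  # subclass: SCSI transparent; protocol: bulk-only transport


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int


def parse_interfaces(cfg: bytes) -> list[Interface]:
    """Walk a configuration descriptor and return every interface descriptor (type 0x04).

    Other descriptor types (endpoint, HID, vendor) are skipped by bLength. A zero
    bLength or an over-long wTotalLength raises instead of being looped over,
    because a hostile device controls every byte of this structure.
    """
    if len(cfg) < 9 or cfg[0] != 9 or cfg[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", cfg, 2)[0]
    if total > len(cfg):
        raise ValueError("wTotalLength exceeds captured data")
    ifaces, off = [], 0
    while off + 2 <= total:
        blen, btype = cfg[off], cfg[off + 1]
        if blen < 2 or off + blen > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if btype == 0x04 and blen >= 9:
            ifaces.append(Interface(cfg[off + 2], cfg[off + 5], cfg[off + 6], cfg[off + 7]))
        off += blen
    return ifaces


def evaluate(cfg: bytes) -> tuple[str, list[str]]:
    """Return ("scan", []) for a plain flash drive, else ("reject", reasons)."""
    ifaces = parse_interfaces(cfg)
    classes = {i.cls for i in ifaces}
    reasons = []
    if classes & NETWORK_CLASSES:
        reasons.append("exposes a network function (CDC/RNDIS/wireless); a flash drive has no need for one")
    if HID in classes:
        note = " alongside another function (BadUSB pattern)" if len(classes) > 1 else ""
        reasons.append("exposes a HID interface that can inject keystrokes" + note)
    for i in ifaces:
        if i.cls == MASS_STORAGE and (i.subclass, i.protocol) != BULK_ONLY_SCSI:
            reasons.append(f"interface {i.number}: non-standard mass-storage "
                           f"subclass/protocol {i.subclass:#04x}/{i.protocol:#04x}")
    unexpected = classes - {MASS_STORAGE, HID} - NETWORK_CLASSES
    if unexpected:
        reasons.append(f"unexpected interface classes: {sorted(unexpected)}")
    if MASS_STORAGE not in classes:
        reasons.append("no mass-storage interface; nothing to decontaminate")
    return ("reject", reasons) if reasons else ("scan", [])


# --- constructed sample descriptors (not captured from real devices) ---
def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, 0x04, num, 0, n_ep, cls, sub, proto, 0])


def _ep(addr, attrs=0x02):  # 0x02 bulk, 0x03 interrupt
    return struct.pack("<BBBBHB", 7, 0x05, addr, attrs, 512, 0)


def _cfg(*descs):
    body = b"".join(descs)
    n_if = sum(1 for d in descs if d[1] == 0x04)
    return struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), n_if, 1, 0, 0x80, 50) + body


HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])  # class-specific HID descriptor

SAMPLES = {
    "flash_drive": _cfg(_iface(0, 0x08, 0x06, 0x50, 2), _ep(0x81), _ep(0x02)),
    "badusb_composite": _cfg(_iface(0, 0x03, 0x01, 0x01, 1), HID_DESC, _ep(0x81, 0x03),
                             _iface(1, 0x08, 0x06, 0x50, 2), _ep(0x82), _ep(0x03)),
    "network_adapter": _cfg(_iface(0, 0x02, 0x06, 0x00, 1), _ep(0x81, 0x03),
                            _iface(1, 0x0A, 0x00, 0x00, 2), _ep(0x82), _ep(0x03)),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict, why = evaluate(blob)
        print(f"{name:18} -> {verdict}" + (": " + "; ".join(why) if why else ""))
```

The point of the gate is that it keys on what the device announces, not on the files it carries: a flash drive that also enumerates as a keyboard never reaches the antivirus stage at all. A descriptor is still attacker-controlled data, which is why the parser bounds every read and refuses a zero-length descriptor rather than spinning on it.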

2. The Evolving Crisis In Industrial Cyber Security

Industrial cybersecurity is facing an unprecedented crisis. OT (Operational Technology) and ICS (Industrial Control Systems), designed decades ago with little to no consideration for cybersecurity, have now become priority targets for cybercriminals and state-sponsored actors. The report behind this story highlights that 70% of industrial organizations have suffered at least one intrusion in the past 12 months, with devastating consequences: production shutdowns, compromised physical safety, and massive financial losses. The problem is exacerbated by IT/OT convergence, which exposes critical systems that were never designed to be connected to the Internet. Aging infrastructure (some dating back to the 80s and 90s) cannot be easily updated or replaced, creating major blind spots in organizations’ defense strategies.

Our 2 Cents:

This is EXACTLY where USB security becomes mission-critical. Those legacy industrial systems from the 80s and 90s? They weren’t designed with network connectivity—they rely heavily on USB devices and removable media for updates, data transfer, and maintenance. You can’t patch a 30-year-old PLC the way you update a laptop, which makes USB-based attacks the perfect vector for compromising OT environments. While everyone focuses on securing the IT/OT convergence at the network level, attackers know the easiest way in is often through a technician’s USB drive used for routine maintenance. One infected USB device can bypass all your fancy network segmentation and firewalls, delivering malware directly to air-gapped systems. The maritime and manufacturing sectors we work with? They’re living this reality every day. USB decontamination isn’t a “nice-to-have” for industrial environments—it’s the frontline defense for systems that can’t be protected any other way.

3. USB Drive Smuggled to Salah Abdeslam in Prison: Three People in Custody

A disturbing case is shaking France: three people have been placed in custody for attempting to smuggle a USB drive to Salah Abdeslam, the terrorist convicted for the 2015 Paris attacks, while he was detained at Fleury-Mérogis prison. The operation, which aimed to transmit sensitive data via this physical device, demonstrates that even in an ultra-secure environment like a high-security prison, USB drives remain a preferred method for bypassing digital surveillance systems. This attempt perfectly illustrates how removable media is used to evade traditional electronic controls. The investigation is working to determine the exact nature of the information contained on the USB drive and the identity of those who orchestrated this operation.

Our 2 Cents:

This real-world case proves a fundamental truth about USB devices: when you want to bypass digital surveillance and network security, you go physical. Even in France’s most secure prison, with all the digital monitoring money can buy, a simple USB drive remains the weapon of choice for covert communication. Why? Because USB devices operate outside traditional cybersecurity controls—no firewall can stop what’s physically handed over. This isn’t just a prison security issue; it’s a stark reminder for every organization: your network security is only as strong as your physical device controls. Whether it’s a terrorist in prison or a disgruntled employee in your facility, USB devices offer a way to exfiltrate data, introduce malware, or communicate covertly while bypassing every digital safeguard you’ve invested in. The lesson? Physical security and cyber security are inseparable, and USB decontamination protocols aren’t paranoia—they’re essential.

Source: Le Figaro – USB Drive Smuggled to Salah Abdeslam

AI + Cybersecurity Corner

As we mentioned in our opening, even though Tyrex isn’t directly disrupted by AI in our day-to-day USB decontamination work, AI has undeniably been THE massive cybersecurity trend of 2025. And here’s the thing: it’s no longer just a trend—it’s becoming the reality we’ll all face in 2026. So we did the homework for you. Here’s your curated guide to understanding AI-powered cyber threats.

The Reality Check (Don’t take our word for it. Check for yourself)

  • MIT Sloan Report: roughly 80% of the ransomware attacks studied involved AI at some stage of the attack chain
  • TechPrescient Analysis: AI is fundamentally changing the threat landscape with polymorphic malware, deepfake social engineering, and automated vulnerability reconnaissance

AI-Powered Attacks That Caught Our Attention (Just last month)

  • AI Cyberwar in Ukraine: State actors are deploying AI-powered tools for real-time intelligence gathering, automated target identification, and adaptive attack strategies in active conflict zones—a terrifying preview of AI’s role in modern warfare
  • Chinese State-Sponsored Group Weaponizes Anthropic’s Claude: Anthropic disclosed that a China-linked state-sponsored group used Claude Code to automate most of an espionage campaign against roughly thirty organizations, from reconnaissance through exploitation to data exfiltration. The model was coaxed into it by role-play and by splitting the operation into innocuous-looking tasks, demonstrating how a legitimate AI tool can be repurposed for malicious reconnaissance and theft

  • EvilAI Malware: Attackers disguised malware as AI productivity tools to infiltrate global organizations, exploiting the AI adoption hype to trick users into downloading malicious software
  • Mixpanel Breach Touches OpenAI API Users: A compromise at analytics vendor Mixpanel exposed limited profile data of some OpenAI API users (name, email address, approximate location, browser and OS details). OpenAI stated that its own systems were not breached and that no chat content, API keys, or passwords were involved. This is a textbook third-party exposure in the AI supply chain rather than a breach of OpenAI itself

Emerging Trends We’re Already Seeing

  • Shadow AI: Gartner predicts that by 2030 more than 40% of enterprises will suffer security or compliance incidents tied to Shadow AI, the use of AI tools without IT approval, which creates blind spots in security architectures
  • API and Cloud Misconfigurations: These continue to be a significant cause of security incidents, especially as AI tools increasingly rely on cloud infrastructure and API integrations
  • Synthetic Impersonation Fraud: AI-generated fake identities are being weaponized for sophisticated scams, undermining identity-verification methods that rely on document scans, selfies, or voice

Resources to Get You Up to Speed

  • For CISOs: Key questions you must ask before adopting AI-enabled cyber solutions—a practical framework for evaluating AI security tools
  • Webinar: “Discover the AI Tools Fueling the Next Cybercrime Wave”—essential viewing to understand what attackers are using right now

Gérard’s Top Cybersecurity Resources

To become a cybersecurity “informed” thought leader.

Google’s Cybersecurity Forecast 2026: The Must-Read Report to Close Out 2025

Google’s latest forecast is essential reading as we head into 2026. Here are the key predictions that matter most—including those directly relevant to our USB security world:

Key Forecasts:

  • OT/ICS Environments Remain Prime Targets: Industrial control systems and operational technology will continue to be targeted due to their reliance on legacy systems and limited security upgrades—systems that heavily depend on USB devices for updates and maintenance.
  • Supply Chain Attacks Intensify: Physical supply chain compromises, including tampered hardware and infected removable media, will increase as attackers exploit the weakest links in organizational defenses.
  • Air-Gapped Systems Under Threat: The report emphasizes growing threats to isolated systems, which ironically makes USB devices—the primary way to interact with air-gapped infrastructure—a critical attack vector.
  • Ransomware Groups Targeting Physical Infrastructure: Attackers are shifting focus from pure data theft to disrupting physical operations in manufacturing, maritime, and critical infrastructure sectors.
  • Zero Trust Must Include Physical Devices: Google emphasizes that zero trust architectures cannot stop at network boundaries—physical device controls, including USB security, must be part of the strategy.

Our Take:

This report validates everything we’ve been saying: while the industry obsesses over cloud and AI threats, the physical attack surface—especially USB devices—remains dangerously under-protected. Google’s forecast makes it clear: 2026 won’t be about choosing between digital or physical security. It’ll be about integrating both.

Read the full report: Google Cybersecurity Forecast 2026

USBs Gone Wild

This month’s case study

Prison Intelligence Services: When USB Devices Become Intelligence Assets

Following the recent Abdeslam USB smuggling case, we wanted to share a real-world application inspired by actual protocols within France’s prison intelligence services.

The Challenge:

France’s Prison Intelligence Service processes data from prisons to gather intelligence on organized crime, drug trafficking, and terrorism. When USB drives are seized from inmates, they’re potential intelligence goldmines—but also massive security risks. How do you analyze a terrorist’s USB without compromising your entire intelligence infrastructure?

The TYREX Solution:

Before any confiscated USB touches analysis systems used by the Judicial Police, Narcotics Brigade, or counter-terrorism services, it must pass through a TYREX decontamination station. The deployment: approximately 30 kiosks across regional prison facilities, all connected to regional servers for centralized monitoring.

The Process:

  1. Discovery: USB found during cell search
  2. Isolation: Device secured and brought to TYREX station
  3. Analysis: Comprehensive scanning for malware, hidden partitions, firmware exploits
  4. Safe Extraction: Clean data transferred to intelligence systems
  5. Audit Trail: Every scan logged to regional server
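Steps 3 and 5 of that process have a concrete shape once the seized drive has been imaged. The example below is added here and is not TYREX’s software or the prison intelligence service’s actual tooling: it works on a disk image (never the live device), reads the MBR partition table, computes which sectors no partition claims, flags non-empty data in those unallocated regions (the MBR gap and the tail of the disk are the classic places to stash files the filesystem never shows), and emits an audit record keyed by the image’s SHA-256 so the record can be tied to the evidence later. The image is constructed in the code; the case identifier is a placeholder.

```python
"""Triage of a seized drive image: partition map, hidden space, audit record.

Added example, not TYREX code or the prison service's tooling. The disk image
is constructed by build_sample_image(); the case ID is a placeholder.
"""
import hashlib
import json
import struct
from datetime import datetime, timezone

SECTOR = 512
MBR_TABLE, MBR_SIG = 0x1BE, b"\x55\xAA"


def parse_mbr(image: bytes) -> list[dict]:
    """Return the used entries of the classic four-slot MBR partition table."""
    if len(image) < SECTOR or image[510:512] != MBR_SIG:
        raise ValueError("no MBR signature; not a classic MBR disk (GPT or raw filesystem?)")
    parts = []
    for slot in range(4):
        entry = image[MBR_TABLE + 16 * slot: MBR_TABLE + 16 * (slot + 1)]
        if entry[4] == 0:  # partition type 0x00 marks an empty slot
            continue
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        parts.append({"slot": slot, "type_id": entry[4], "bootable": bool(entry[0] & 0x80),
                      "start_lba": start, "sectors": count})
    return parts


def unallocated_ranges(parts: list[dict], total_sectors: int) -> list[tuple[int, int]]:
    """[start, end) sector ranges that no partition claims; sector 0 (the MBR) is excluded."""
    claimed = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in parts)
    gaps, cursor = [], 1
    for start, end in claimed:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)  # max() also copes with overlapping entries
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def nonzero_sectors(image: bytes, start: int, end: int) -> list[int]:
    return [lba for lba in range(start, end) if any(image[lba * SECTOR:(lba + 1) * SECTOR])]


def triage(image: bytes, case_id: str) -> dict:
    """Build the audit record: image hash, partition map, and hidden-space findings."""
    total = len(image) // SECTOR
    parts = parse_mbr(image)
    findings = []
    for p in parts:
        if p["start_lba"] + p["sectors"] > total:
            findings.append({"kind": "partition_beyond_image", "slot": p["slot"]})
    for start, end in unallocated_ranges(parts, total):
        hot = nonzero_sectors(image, start, end)
        if hot:
            findings.append({"kind": "data_in_unallocated_space", "range": [start, end],
                             "nonzero_sectors": len(hot), "first_nonzero_sector": hot[0]})
    return {
        "case_id": case_id,
        "analysed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "sectors": total,
        "partitions": parts,
        "findings": findings,
    }


def build_sample_image() -> bytes:
    """Constructed 128 KiB image: one FAT32 partition plus data stashed in two gaps."""
    img = bytearray(256 * SECTOR)
    img[510:512] = MBR_SIG
    # slot 0: bootable, type 0x0C (FAT32 LBA), starts at LBA 64, 128 sectors long
    img[MBR_TABLE:MBR_TABLE + 16] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x0C, b"\0\0\0", 64, 128)
    img[64 * SECTOR:64 * SECTOR + 11] = b"\xEB\x3C\x90MSDOS5.0"  # FAT boot-sector jump + OEM name
    stash1 = b"constructed stash in the MBR gap"
    img[10 * SECTOR:10 * SECTOR + len(stash1)] = stash1
    stash2 = b"constructed stash past the last partition"
    img[200 * SECTOR:200 * SECTOR + len(stash2)] = stash2
    return bytes(img)


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_image(), "CASE-0001"), indent=2))
```

Two design choices matter here. The analysis runs on an image, so the device’s own controller never talks to the analysis host after acquisition; and the audit record carries the image hash rather than a device serial, because the hash is what a court can re-verify against the retained evidence. GPT-formatted media needs a separate parser (the MBR here is only a protective one), and data inside a partition’s slack space is a filesystem-level question this sector-level pass does not address.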

The Impact:

Intelligence services can safely analyze seized devices without risking critical infrastructure. Potential cyberattacks disguised as intelligence assets are neutralized before causing damage. Complete audit trail maintained for legal proceedings.

The Lesson:

If France’s most security-conscious institutions—those dealing with terrorism intelligence—recognize that USB decontamination is non-negotiable, shouldn’t every organization handling sensitive operations implement the same protection?

The Abdeslam case showed the threat. This implementation shows the solution: mandatory physical decontamination before any device touches critical systems.

Sign up for the TYREX newsletter for expert analysis and guidance from TYREX USB security experts Gerard Varjacques and Christophe Bourel.