
I shudder to think how routine such activity may be for Chinese corporations. Imagine sending a not-too-tech-savvy sales/marketing dude to China. In the evening he gets 'friended' by a young lady offering a free thumb drive (or herself). How much training are western corporations giving their international staff about high-tech security?


At my job, at least (research at a major government contractor) we all have to undergo annual counterintelligence training. And that's for me, the intern who never leaves the country.

Among other things in the training is the assertion that multiple employees are currently being targeted for espionage and at least a few employees are most likely working for foreign governments. They also warn about accepting gifts and give examples of "spooky" things, like random strangers befriending workers on foreign travel only to reveal that they know way too much about that person.

Training is there in big corporations, maybe not in startups.


I took the Official Counterintelligence Training at a major aerospace contractor in the late 80s. It was bunk. The Korean War vet who ran the class gave us some cock-and-bull story about Bulgarians flying ultralights at the state park not too far from the "Main Plant". But everything of merit about our rockets got published in Aviation Week every two years or so. Even material about possible payloads, which was so compartmentalized that we knew next to nothing, maybe a bolt pattern, mass and location of center-of-mass above the bolt pattern.

The "training" was all superstition and cargo cult management by slogan. When you thought about it for a minute or two, nothing they said made any sense.


The first time I took it, we had a video of an ex-KGB guy assuring us that agencies like his previous employer are indeed targeting us. These days, there's no concern about Bulgarians in ultralights, it's all about buying an employee a new car so he'll load up a USB drive with interesting info.

I wish I could be targeted for something like that... I don't even have access to secrets but "they" don't know that, and I could use some extra money.


"How much training are western corporations giving their international staff about high-tech security?"

Everywhere I have worked (public sector, private sector, startup, ISP, defence) there has been scant regard given to security. Anyone who wants to attack a UK-based organisation via its IT is basically at liberty to do so, often through the most old-fashioned of means (password guessing would be fruitful, for example). I have never enjoyed any success, as a sys admin with > 15 years trying, getting people to take security seriously. They still think it won't happen to them, even when you explain to them that when it does, they won't know about it (let alone the danger of honeytraps against specific personnel; lambs to the slaughter afaic). So, yes, it will be routine and lucrative and it's all but encouraged by lax security and dumb optimism almost everywhere.


Fear of this sort of thing is why many larger corporations are locking out USB drives as part of group policy updates. They will never disable autorun, but by gosh, they'll make it so you can't plug any sort of USB device in.

There have been several stories of people tossing trojaned USB "thumb drives" into parking lots at large companies in order to get their payload installed, and it works. This is a fatal flaw of autorun.
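The two controls the comment above contrasts, blocking removable storage and disabling AutoRun, are both plain Windows registry settings that Group Policy writes. The following PowerShell script is an added example, not from the thread or any of its posters: it audits a machine for both settings and, with `-Remediate`, enforces them. The registry paths and values are the documented Windows ones (`NoDriveTypeAutoRun` = 0xFF disables AutoRun on every drive type; a `Start` value of 4 on the `USBSTOR` service keeps the USB mass-storage driver from loading); the `$Checks` table and the function names are this example's own.

```powershell
# Added example: audit and optionally enforce AutoRun-off and USB-mass-storage-off.
# Run from an elevated PowerShell session; a domain would normally push these via GPO.
param(
    [switch]$Remediate
)

# Desired state for each setting. Both locations are the ones Group Policy writes to.
$Checks = @(
    @{
        Name    = 'AutoRun disabled for all drive types'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value   = 'NoDriveTypeAutoRun'
        Desired = 0xFF
    },
    @{
        Name    = 'USB mass-storage driver (USBSTOR) disabled'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
        Value   = 'Start'
        Desired = 4
    }
)

function Get-CheckState {
    # Read the current value (if any) and compare it with the desired one.
    param($Check)
    $current = $null
    if (Test-Path $Check.Path) {
        $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.($Check.Value) }
    }
    [pscustomobject]@{
        Setting   = $Check.Name
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Desired   = $Check.Desired
        Compliant = ($current -eq $Check.Desired)
    }
}

function Set-CheckState {
    # Create the key if needed and write the desired DWORD value.
    param($Check)
    if (-not (Test-Path $Check.Path)) {
        New-Item -Path $Check.Path -Force | Out-Null
    }
    Set-ItemProperty -Path $Check.Path -Name $Check.Value -Value $Check.Desired -Type DWord
}

$results = foreach ($c in $Checks) {
    $state = Get-CheckState $c
    if ($Remediate -and -not $state.Compliant) {
        Set-CheckState $c
        $state = Get-CheckState $c   # re-read so the report shows the applied value
    }
    $state
}

$results | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or config-management run flag drift.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it without arguments to report, or with `-Remediate` to fix. Two caveats a practitioner would want: the `USBSTOR` setting only stops mass-storage devices, so it does not address devices that present as other USB classes, and the `NoDriveTypeAutoRun` policy only matters on systems where AutoRun is still honoured at all; checking both separately, as the script does, is the point of the comment's contrast between blocking drives and disabling AutoRun.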





