it sounds like this was a multi-stage attack…compromising a production non-airgapped internal system and using that to create the USB payload and later exfiltration. That’s pretty cool. The mule who brought the infected USB into the air-gapped space was likely none the wiser…the media had been written by them, to their own USB, and probably even hardware encrypted at rest (something like an Apricorn).
Yeah, that’s pretty damn impressive.