Friday, October 07, 2011


Noah Shachtman at the Danger Room has this disturbing exclusive: the U.S. Air Force drone fleet has been hit by a computer virus.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

It's no secret that UAVs have become a weapon of choice in the War on Terror; our expanding fleet of drones (most of them operated and maintained by the USAF) allows intelligence specialists to monitor large stretches of territory for high-value targets and to strike them. Just last week, a CIA-operated UAV took out Al Qaida bigwig Anwar Awlaki; all told, American UAVs have killed more than 2,000 suspected terrorists in Afghanistan and Pakistan since President Obama took office, according to the Washington Post.

So far, the infection appears limited to Creech, where pilots and sensor operators control dozens of UAVs operating around the world. There is no evidence the virus has spread to the Distributed Common Ground Station (DCGS) facilities that analyze intelligence collected by the drones. While drone operations have received lots of media attention, many Americans are unaware of the huge intel network required to support UAV operations. At places like Langley AFB, Virginia; Hickam AFB, Hawaii; Beale AFB, California (and others), hundreds of intel specialists monitor, record and decipher data from the drones' on-board sensor suites.

The Air Force hasn't said how the virus found its way into the Ground Control Stations that direct UAV missions. But the most likely culprit is an external drive or some other type of external device that was plugged into a GCS computer, providing an entry point into the network. If information captured by the keylogger program was transmitted to individuals outside DoD, it could provide valuable insights regarding drone operations and the command-and-control network that controls them.

As you might expect, this sort of thing isn't supposed to happen. Computers that direct UAV flights (and the intel systems that support them) are part of intranets, separate from the internet. But they remain vulnerable to external viruses and other hazards, through something as simple as a flash drive.

Was it a deliberate attack? The jury's still out on that one, but recent trends are not encouraging. Adversaries are quite aware of U.S. reliance on UAVs, and they're looking for ways to cripple our capabilities in that area. There have been several "infections" of secure networks in recent years, raising concerns about our susceptibility to outside attacks. Coincidence? You decide.


Vigilis said...

"Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident;..."

Want to bet? No keylogger was inserted by accident, or without the knowledge of the military network security specialists.

The keylogger is for security purposes and the overseers are not allowed to talk about why now, or what for.

Something tells me at least one, possibly more, CAFB pilots may recently have come under suspicion. There are several possibilities for such suspicions to have come to light.

If my guess is wrong, the keylogger is probably a healthy add-on going forward to thwart subversive activity.

The keystrokes retained by the keylogger have no doubt been analyzed on the dedicated intranet.

As to sabotage opportunities resulting from the alleged "virus", the security team already conducts hygiene routines to instantly spotlight and wipe intrusions.

If Danger Room were cleared to know all the details, would they be writing such stories - unless the U.S. wanted a cover story out there? Just a thought.

TinkersDam said...

Must disagree, Vigilis, although I agree that heightened vigilance is a good idea. The "keylogger" in question is a piece of malware designed to steal logins for Facebook games and has a history of spreading via USB drives. It certainly isn't up to the task of migrating to an air-gapped network (such as these systems use), collecting data, then migrating back onto the NIPRnet and "phoning home" with its key logs.