U.S. Strategic Drone Fleet Infected by Stealthy Keylogger Malware

By Fahmida Y. Rashid  |  Posted 2011-10-08

Computers used to control the unmanned drone aircraft that the military relies on for its operations have reportedly been infected with malware.

A keylogger has infected several of the computers that pilots use to operate the Predator and Reaper drones on missions, Noah Shachtman wrote on Wired's Danger Room blog on Oct. 7. The virus has not prevented pilots stationed at Creech Air Force Base in Nevada from flying or completing their missions over Afghanistan and elsewhere, Wired reported. The United States military's Host-Based Security System detected the malware two weeks ago, and network security administrators have removed it.

However, it appears to keep coming back to re-infect systems. After repeated attempts to remove the malware, the technicians used a tool to completely erase and rebuild the systems from scratch. "We keep wiping it off, and it keeps coming back," a source told Wired.

No one appeared to know how the malware got into the system or what its purpose was. It has so far infected both classified and unclassified machines, and officials are not sure how far the infection has spread. Sources told Wired they believe the malware is "benign," but admitted that they did not know.

"We would hope that they can obtain the security expertise required to isolate and remove the infection, from either inside the Air Force, or from somewhere else. But they don't want people to think they cannot handle it and going 'outside' is an admission of guilt," Jon-Louis Heimerl, director of strategic security for Solutionary, told eWEEK.

Even though the sensitive systems and the ones actually controlling the drone aircraft are not connected to the Internet, the fact that both classified and unclassified systems have been compromised means information can be funneled across the networks and then leaked online. Sources told Wired they do not believe any classified information has been lost or stolen as a result of this infection.

A spokesman for the Air Force's Air Combat Command, which oversees the drone program, said that it does not discuss specific vulnerabilities, threats and responses involving its computer networks because doing so could help intruders refine their attacks on military systems.

U.S. armed forces rely on drones to attack and spy on enemies without risking American lives. Since President Obama assumed office, approximately 30 drones controlled by the Central Intelligence Agency have hit targets in Pakistan more than 230 times.

Missiles fired from the pilotless drones have killed more than 2,000 people, including the Sept. 30 killing in Yemen of Anwar Al-Awlaki, an American-born Muslim cleric who was wanted for inciting terrorism attacks on the United States. The attack on Al-Awlaki was part of an antiterrorism surveillance campaign conducted over the southern Arabian Peninsula and the Horn of Africa.

The malware affected Predator and Reaper drones, which are under the Air Force's control and fly over Afghanistan and Iraq. The bulk of the missions are controlled from the Creech air base. Ever since the WikiLeaks data breach, when hundreds of thousands of U.S. diplomatic cables were leaked, the use of removable drives has been restricted, except at Creech and a few other Air Force bases. Crews working with Predator and Reaper used removable drives to load map updates and transport mission videos from one computer to another. It appears the malware is spreading and re-infecting systems through these removable devices.

Drone units at other Air Force bases worldwide have now been ordered to stop using removable drives.

"If the virus came in through a removable drive, it had to come from somewhere else; viruses don't just magically appear," said Heimerl. The fact that the systems keep getting re-infected is another clue that the problem lies with the drive management system, which did not detect that at least one data storage drive was compromised and has still not been cleaned of the infection. The military technicians need to fully clean the drone network, the drives and the organizational network, which is probably the original source of the infection, according to Heimerl.
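One way to make Heimerl's point operational for defenders is to correlate removable-drive mount logs with malware detections and rank each drive by how often it was attached to a host shortly before an alert; a drive that precedes every reinfection is the carrier that must be cleaned along with the hosts. The script below is an added example, not code from the article, from Wired or from the Air Force; the log format, host names, drive serials and the two-hour window are constructed assumptions.

```python
"""Rank removable drives as reinfection carriers by correlating mount events
with malware detections.  Added example, not from the article; log format,
host names, drive serials and the time window are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,event,host,drive" where event is MOUNT
# (a removable drive attached) or DETECT (an HBSS-style malware alert).
SAMPLE_LOG = """\
2011-09-20T08:00:00,MOUNT,gcs-01,SN-A1
2011-09-20T08:05:00,MOUNT,gcs-01,SN-B2
2011-09-20T09:30:00,DETECT,gcs-01,
2011-09-21T10:00:00,MOUNT,gcs-02,SN-A1
2011-09-21T11:15:00,DETECT,gcs-02,
2011-09-22T07:40:00,MOUNT,gcs-03,SN-C3
2011-09-22T08:00:00,MOUNT,gcs-03,SN-A1
2011-09-22T08:45:00,DETECT,gcs-03,
2011-09-23T13:00:00,MOUNT,gcs-04,SN-B2
"""

def parse_log(text):
    """Parse CSV-style lines into (time, event, host, drive) tuples, by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event, host, drive = line.split(",")
        events.append((datetime.fromisoformat(ts), event, host, drive or None))
    return sorted(events, key=lambda e: e[0])

def suspect_drives(events, window=timedelta(hours=2)):
    """For each drive, count distinct detections on hosts where it was mounted
    within `window` before the alert.  Returns (drive, hits, seen_before_all)
    tuples, most-hit first; a drive preceding every detection is the prime
    carrier candidate and must be cleaned along with the hosts."""
    mounts = defaultdict(list)   # host -> [(mount_time, drive)]
    hits = defaultdict(set)      # drive -> {(host, detect_time)}
    detections = 0
    for ts, event, host, drive in events:
        if event == "MOUNT":
            mounts[host].append((ts, drive))
        elif event == "DETECT":
            detections += 1
            for mount_time, mdrive in mounts[host]:
                if ts - window <= mount_time <= ts:
                    hits[mdrive].add((host, ts))
    ranked = sorted(hits.items(), key=lambda kv: -len(kv[1]))
    return [(d, len(h), len(h) == detections) for d, h in ranked]

def carrier_candidates(text=SAMPLE_LOG):
    return suspect_drives(parse_log(text))
```

On the constructed log, SN-A1 is the only drive mounted before all three detections, so it is flagged as the carrier while SN-B2 and SN-C3 each score a single coincidental hit.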

Earlier in the week, at a cyber-security summit in New York, Eugene Kaspersky, CEO of Kaspersky Lab, pointed out that cyber-combatants were becoming increasingly sophisticated in their targets and attacks. With computers controlling practically every aspect of daily life, there is a growing risk of a "hi-tech catastrophe," such as an attack on the electric grid, according to Kaspersky.

"People are people, they make mistakes," Kaspersky said.

This isn't the first time the drone fleet has been compromised. U.S. forces discovered that Iraqi insurgents had used software, bought for a mere $26, to capture "days and days and hours and hours" of unencrypted video footage sent from the Reapers and Predators in the air to the troops on the ground.
