The malware that infected the system that controls the United States’ fleet of unmanned aircraft was never a real threat, just a “nuisance,” according to the Air Force.
Reports emerged last week of a mysterious keylogger that was found on the systems used by Air Force pilots to communicate with the Predator and Reaper drones. The program was persistent and kept returning despite repeated attempts to remove it. While the Air Force does not routinely discuss operational status, the Air Force Space Command issued a statement Oct. 12 to “correct recent reporting.”
It was previously reported that the virus may have removed data from classified and unclassified networks. Wired.com claimed senior Air Force officials were unaware of the breach until the news reports broke online. The statement contradicted the claim, saying the military had been aware of the infection all along.
“We felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question,” said Col. Kathleen Cook, spokesperson for Air Force Space Command.
The Air Force first detected malware on portable hard drives that were approved for use at Creech Air Force Base in Nevada for transferring information between systems on Sept. 15. The 24th Air Force, stationed at Creech, detected and isolated the software program “using standard tools and processes for monitoring and protecting” the systems, according to the statement.
The Air Force “began a forensic process” to track the origin of the malware and clean infected systems. However, the statements didn’t mention claims in earlier news reports that Creech’s IT staff reportedly removed the malware from its systems, only to have it return. Nor did the statement say whether the clean-up process had completed.
The broader concern is how did the infection happen in the first place and how do we prevent it from happening again, according to Cliff Unger, director of public sector initiatives for Belkin. It is not clear from the information available what measures are being taken or not taken, Unger told eWEEK.
“If the virus came in through a removable drive, it had to come from somewhere else-viruses don’t just magically appear,” Jon-Louis Heimerl, director of strategic security at Solutionary, told eWEEK.
Detected running on a Windows-based, stand-alone mission-support network, the infected machine was part of the ground control system that supports Remotely Piloted Aircraft (RPA) operations, according to the Air Force. The system is completely separate from the actual flight control system that the Air Force pilots use to fly the drones.
“The ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident,” the Air Force said.
The fact that it got on a siloed, isolated and secure system is “of paramount concern,” Unger said. The Air Force is trying to assure the public there’s no risk of data loss, or of a threat, but the fact remains that regardless of what the system does, there needs to be proper hygiene, he said.
The Air Force also clarified that the malware was not a keylogger, but a “credential stealer” routinely found on computer networks. It is not designed to transmit data or video, nor can it corrupt data, files or programs. An anonymous official told the Associated Press the malware was “routinely used to steal log-in and password data” from online games such as Mafia Wars and gambling sites.
It doesn’t matter what the malware does; what does matter is that it got on a secured system in the first place, according to Unger.
“Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach,” according to the Air Force, adding that it will “continue to strengthen our cyber defenses” with updates to its antivirus software and other methods.
From an IT standpoint, organizations generally don’t want any rogue software on the system, Unger said, noting that even the most “innocuous” program can take up system resources. It is important to maintain clean cyber-hygiene and keep systems and networks clean, according to Unger.
“We are fortunate it didn’t have much of an impact,” Unger said.