A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.
The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.
“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.
Officials at Creech Air Force Base in Nevada knew for two weeks about a virus infecting the drone “cockpits” there. But they kept the information about the infection to themselves — leaving the unit that’s supposed to serve as the Air Force’s cybersecurity specialists in the dark. The network defenders at the 24th Air Force learned of the virus by reading about it in Danger Room.
The virus, which records the keystrokes of remote pilots as their drones fly over places like Afghanistan, is now receiving attention at the highest levels; the four-star general who oversees the Air Force’s networks was briefed on the infection this morning. But for weeks, it stayed (you will pardon the expression) below the radar: a local problem that local network administrators were determined to fix on their own.
“It was not highlighted to us,” says a source involved with Air Force network operations. “When your article came out, it was like, ‘What is this?’”
The U.S. Air Force revealed new details Wednesday about the virus that’s been infecting the remote cockpits of its drone fleet — and insisted, despite reports from their own personnel, that the infection was properly and easily contained.
In a statement — the military’s first official, on-the-record acknowledgement of the virus — the Air Force insisted that the malware was “more of a nuisance than an operational threat.” The ability of drone pilots to remotely fly the aircraft from Creech Air Force Base in Nevada “remained secure throughout the incident.”
The armed drone has become America’s weapon and surveillance tool of choice in warzones from Afghanistan to Pakistan to Yemen. So when Danger Room reported on Friday that Creech security specialists had spent the last two weeks fighting off an infection in the drones’ remote cockpits, there was an almost instantaneous media uproar.
It also caught off guard the 24th Air Force, the unit that’s supposed to be in charge of the air service’s cybersecurity, multiple sources involved with Air Force network operations told Danger Room. “When your article came out,” one of those sources said. “it was like, ‘What is this?’”
In its Wednesday statement (.docx), the Air Force said that was flat wrong — that the 24th knew all along.
“On 15 September, 24th AF first detected and subsequently notified Creech AFB regarding the malware,” the service said. “The Air Force then began a forensic process to track the origin of the malware and clean the infected systems.”
The Air Force didn’t say whether the clean-up process had been completed; insiders report that the infection has been particularly difficult to remove, requiring hard drives to be erased and rebuilt.
But the Air Force did provide a few details about the malware. They said it was first noticed on “a stand-alone mission support network using a Windows-based operating system.” And they called it “a credential stealer,” transmitted by portable hard drives. (Security specialists had previously identified it as a program that logged pilots’ keystrokes.) “Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach,” the Air Force added.
The malware “is routinely used to steal log-in and password data from people who gamble or play games like Mafia Wars online,” noted the Associated Press, relying on the word of an anonymous defense official. That official did not explain why drone crews were playing Mafia Wars or similar games during their overseas missions.
“It’s standard policy not to discuss the operational status of our forces,” Colonel Kathleen Cook, spokesperson for Air Force Space Command, said in the statement. “However, we felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question.”
“We continue to strengthen our cyber defenses,” she added, “using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions.”
Turns out the virus can be traced back to gaming keylogger that was transferred from a USB drive.