October 12, 2011
The U.S. Air Force revealed new details Wednesday about the virus that’s been infecting the remote cockpits of its drone fleet — and insisted, despite reports from its own personnel, that the infection was properly and easily contained.
In a statement — the military’s first official, on-the-record acknowledgement of the virus — the Air Force insisted that the malware was “more of a nuisance than an operational threat.” The ability of drone pilots to remotely fly the aircraft from Creech Air Force Base in Nevada “remained secure throughout the incident.”
The armed drone has become America’s weapon and surveillance tool of choice in warzones from Afghanistan to Pakistan to Yemen. So when Danger Room reported on Friday that Creech security specialists had spent the last two weeks fighting off an infection in the drones’ remote cockpits, there was an almost instantaneous media uproar.
It also caught off guard the 24th Air Force, the unit that’s supposed to be in charge of the air service’s cybersecurity, multiple sources involved with Air Force network operations told Danger Room. “When your article came out,” one of those sources said, “it was like, ‘What is this?’”
In its Wednesday statement (.docx), the Air Force said that was flat wrong — that the 24th knew all along.
“On 15 September, 24th AF first detected and subsequently notified Creech AFB regarding the malware,” the service said. “The Air Force then began a forensic process to track the origin of the malware and clean the infected systems.”
The Air Force didn’t say whether the clean-up process had been completed; insiders report that the infection has been particularly difficult to remove, requiring hard drives to be erased and rebuilt.
But the Air Force did provide a few details about the malware. It said the malware was first noticed on “a stand-alone mission support network using a Windows-based operating system,” and called it “a credential stealer,” transmitted by portable hard drives. (Security specialists had previously identified it as a program that logged pilots’ keystrokes.) “Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach,” the Air Force added.
The malware “is routinely used to steal log-in and password data from people who gamble or play games like Mafia Wars online,” noted the Associated Press, relying on the word of an anonymous defense official. That official did not explain why drone crews were playing Mafia Wars or similar games during their overseas missions.
“It’s standard policy not to discuss the operational status of our forces,” Colonel Kathleen Cook, spokesperson for Air Force Space Command, said in the statement. “However, we felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question.”
“We continue to strengthen our cyber defenses,” she added, “using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions.”