Wired is running a story on a computer virus that has affected the United States’ fleet of Predator and Reaper drones. The infection is apparently logging the pilots’ keystrokes while the drones are in flight conducting strategic missions over the country’s warzones. The infection is reportedly particularly persistent; the article mentions reinfection occurring shortly after removal.
“The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.”
The United States’ military relies extensively on its drone operation and supporting infrastructure for attack and spy operations. Those operations have increased in recent years and, given the centralized efficiencies they provide, are likely at a minimum to be sustained, if not expanded. This is not without risk, however, as noted in the article:
“But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered “days and days and hours and hours” of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.”
Draws a pretty interesting picture, doesn’t it? Whether the virus was introduced intentionally or some sort of breach has occurred, the matter appears to be quite serious. As a statement on the state of military systems, it indicates a weakness and a foothold vector for something more malicious to take place at some point in time. It is significant, however, that the infection has been detected, meaning that an incident response can be executed.
Efforts to remove the virus from affected systems have, at this point, had to resort to destructive remediation methods.
“Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort.”
With little outside knowledge of the infection, it can be casually estimated that what is taking place here is a rootkit: malicious software designed to hide its presence during normal operation, which can be built to attack a computer system at a number of different levels. In this case, with the hard drive and keylogging being the focus, it is likely that the virus, whatever it is, is a hybrid type of infection, potentially attacking the hardware, user-mode, and kernel levels of the target, leaving the image, drivers, or low-level drive configuration in an infected state.
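One practical check a defender wants after a wipe-and-rebuild like the one described above is a way to tell, independently of the running system, whether the rebuilt machine still matches its known-good image or has drifted again. The following is an added example, not code from the article or from any military tool; it assumes a “golden image” directory captured right after rebuild and a later snapshot of the same tree, and it reports files that were added, removed, or changed by comparing SHA-256 hashes of every file. The sample directory contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file (relative POSIX path) under root to its hash and size.

    Symlinks are skipped so a link pointing outside the tree cannot smuggle
    in or hide content; directories carry no content of their own.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return sorted lists of paths added, removed, or modified since the baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = sorted(
        k for k in base_keys & cur_keys
        if baseline[k]["sha256"] != current[k]["sha256"]
    )
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed walk-through: snapshot a fake rebuilt image, then detect drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"legitimate binary, build 1")
        (root / "config.ini").write_text("mode=flight\n")
        baseline = build_manifest(root)  # taken immediately after rebuild

        # Simulated drift: an unexpected library appears and a config is altered.
        (root / "bin" / "hook.dll").write_bytes(b"unexpected payload (constructed)")
        (root / "config.ini").write_text("mode=flight\nlogger=1\n")
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The important caveat follows directly from the rootkit discussion: a kernel-level rootkit can lie to the file-system API of the machine it lives on, so both the baseline and the later snapshot should be taken with the disk mounted from trusted boot media rather than by running this script on the possibly compromised host. Storing the baseline manifest off-box, and comparing on every reboot, is what turns the article’s “reinfection shortly after removal” from an anecdote into an alert.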
This latest development echoes the Stuxnet and DOD contractor compromises, which are indicators of a growing global cyberwarfare environment. Whether these latest infections are truly malicious, however, remains to be seen. In the meantime, expect a swift response to this condition and remediation to follow.