You have probably heard by now that a persistent keylogging virus has infected Air Force drone ground control systems at Creech Air Force Base in Nevada. But just how serious is this, and how did the machines get infected?
Air Force drones, called unmanned aerial vehicles or UAVs for short, fly worldwide and are piloted remotely. So a UAV pilot in Nevada could be controlling a drone flying in Afghanistan or Iraq. The drones fly in a theater of operation and stream live video back to the pilot. Once a target is found and verified, the pilot can engage and destroy the target with missiles. Air Force pilots at Creech fly the MQ-1 Predator and MQ-9 Reaper drones.
Apparently, the virus was detected about two weeks ago by the military’s Host Based Security System (HBSS). The HBSS baseline is a flexible, commercial-off-the-shelf (COTS)-based application. It monitors, detects, and counters known cyber threats to the Department of Defense (DoD) enterprise. The system is managed by local administrators and configured to address known exploit traffic using an Intrusion Prevention System (IPS) and a host firewall.
It has been reported in the past that viruses have somehow “jumped” from unsecured to secured DoD systems, but is this the case with the drone infection? No one knows for sure yet, but apparently external hard drives are used to upload maps to the drones and to share images retrieved from missions. The infection could have come from one of these, so the Air Force has put a hold on using the drives.
The virus has proven very difficult to remove, and infected machines have had to be wiped and reinstalled. That probably isn’t a bad thing, because something that persistent may have additional functions or features that were not detected.
Any infection of military systems is a serious issue. This could have been just a virus that transferred over from unsecured systems, or, given the effectiveness of drone strikes, the drone systems could have been the intended target of the malware all along. Only time will tell.
Keyloggers at some point connect back to the attacker to hand over the data they have collected. Rest assured, this virus will be analyzed and the source of the attack will be identified. That is, if it isn’t known already.
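That call-home behaviour is also what gives defenders a handle on it: a keylogger that dumps its data on a schedule produces outbound connections at suspiciously regular intervals, which a host firewall or IPS log can reveal. The following is an added example (not code from the original post, and not part of HBSS) that parses a constructed firewall log and flags flows whose timing is periodic. The log format, the hosts and the addresses are all made up for the illustration; the parser is the part to adapt to a real log source.

```python
"""Flag beacon-like outbound connections in host firewall logs.

Added example for illustration only. The log format below is
constructed; real HBSS or host-firewall logs differ, so LINE_RE and
parse_log() are what you would adapt.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample: one workstation contacts 203.0.113.9 roughly every
# ten minutes, mixed with ordinary, irregular traffic to other hosts.
SAMPLE_LOG = """\
2011-09-28 08:00:02 ALLOW OUT src=10.20.5.14 dst=203.0.113.9 dport=443
2011-09-28 08:03:17 ALLOW OUT src=10.20.5.14 dst=198.51.100.20 dport=80
2011-09-28 08:10:01 ALLOW OUT src=10.20.5.14 dst=203.0.113.9 dport=443
2011-09-28 08:12:44 ALLOW OUT src=10.20.5.14 dst=198.51.100.21 dport=80
2011-09-28 08:20:03 ALLOW OUT src=10.20.5.14 dst=203.0.113.9 dport=443
2011-09-28 08:30:00 ALLOW OUT src=10.20.5.14 dst=203.0.113.9 dport=443
2011-09-28 08:31:10 ALLOW OUT src=10.20.5.22 dst=198.51.100.20 dport=80
2011-09-28 08:40:02 ALLOW OUT src=10.20.5.14 dst=203.0.113.9 dport=443
"""

# Matches the constructed format above; adjust for your own log source.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ALLOW OUT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in any other format rather than fail
        yield (
            datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"],
            m["dst"],
            int(m["dport"]),
        )


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (src, dst, dport, mean_interval_seconds) for periodic flows.

    A flow is reported when it has at least min_hits connections and the
    spread of the gaps between them, relative to the mean gap, is at most
    max_jitter. Regular timing like that is typical of scheduled
    call-home traffic and unusual for a human browsing.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    results = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low spread relative to the mean means
        # the connections are evenly spaced in time.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            results.append((*key, round(mean)))
    return results


if __name__ == "__main__":
    for src, dst, dport, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} every ~{interval}s")
```

On the sample log this reports the single flow from 10.20.5.14 to 203.0.113.9 on port 443 at roughly 600-second intervals, while the irregular web traffic is left alone. In practice you would lower the jitter threshold or raise `min_hits` to suit the volume of your logs, and treat a hit as a lead for the host-level investigation, not as proof on its own.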