So far there are more questions than answers about the keylogger-infected UAV control systems: how it got there, what its purpose is, and whether the problem starts with the military's own monitoring software.

As you've probably heard by now, a rather tenacious keylogger has reportedly infected an Air Force unmanned aerial vehicle command center at Creech Air Force Base in Nevada. These unmanned drones have become increasingly important to U.S. military efforts, used both to gather intelligence and to launch attacks, such as the controversial killing of U.S.-born militant cleric Anwar al-Awlaki last month. One New York Times report states that the Pentagon currently has roughly 7,000 aerial drones, up from fewer than 50 a decade ago, and that Congress seeks nearly $5 billion for drones in next year's budget.

According to reports, the keylogger was detected about two weeks ago by the military's own intrusion prevention systems and host-based firewall. While the military has tried to remove the suspected malware, it keeps returning.

"The first thing I thought when I saw this was that it was a keylogger on a ground-based system, not on the drones themselves, which is a much less scary scenario than having a drone system, which could be theoretically disconnected from control at any time, infected with code," says Chris Wysopal, computer security expert and CTO of application security firm Veracode.

With no clear answers yet as to how the keylogger managed to finagle its way onto sensitive and classified systems, questions remain about the code's genesis and intent. Dave Lewis, security researcher and contributing analyst at the security research firm Securosis, says he "has his money on a contractor" as the culprit.
Lewis says the challenge there is that contractors are trusted advisors, often with minimal background checks, who are more apt to break policy and use systems not managed directly by the government. "They have the means and the opportunity," says Lewis.

Others, such as Gartner security and compliance research director Ian Glazer, wonder whether the keylogger could be the military's own software, placed on the systems as someone's idea of how to conduct "oversight" on them.

Computing expert Miles Fidelman posted his thoughts along similar lines on a popular security mailing list: "After seeing this, from a few sources, I'm reminded that there are a couple of vendors who've been selling the Defense Department security monitoring packages that are essentially rootkits that do, among other things, key logging," he wrote. "I kind of wonder if the virus that folks are fighting is something that some other part of DoD deployed intentionally."

Others speculate that the infection vector most likely came through the kinds of mistakes ordinary users make, such as plugging in an infected removable drive or surfing to the wrong website.

"Just because classified systems are air gapped doesn't mean that people aren't making the mistake of plugging in USB drives and doing other things they shouldn't," says Wysopal. It is also possible for these types of systems to become infected during upgrades and system updates. "If it's custom code, traditional scanning of storage media may not detect it. Essentially there are many ways for this type of thing to happen, despite the systems being on relatively controlled networks," he says.

George V. Hulme writes about security and technology from his home in Minneapolis. The first and last time he touched an unmanned flying machine was in the 1970s, when he flew the radio-controlled airplane he got for his birthday into the side of his grandparents' house.
You can also often find him ranting about malware and anything that flies into his mind on Twitter, @georgevhulme.