Air Force Drones Were Hit by Online Gaming Malware

Tuesday, October 18, 2011



The malware that hit Creech Air Force Base was a credential stealer, not a keylogger as originally reported, and the computers used to remotely pilot the drones were never at risk, according to a media release from the Air Force.

According to the release, the malware was detected on September 15 and isolated by the 24th Air Force using standard monitoring and protection procedures, then quarantined to keep it from spreading to additional systems:

"The malware was detected on a stand-alone mission support network using a Windows-based operating system. The malware in question is a credential stealer, not a keylogger, found routinely on computer networks and is considered more of a nuisance than an operational threat. It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach."

The release also states that the infected machines belonged to the ground control system, which is separate from the machines used to fly the UAVs. The pilot systems were not at risk:

"The infected computers were part of the ground control system that supports RPA operations. The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident."

Apparently, the UAV systems were not the target of the malware at all. Instead, according to an anonymous defense official, the malware discovered was the kind that is "routinely used to steal log-in and password data from people who gamble or play games like Mafia Wars online."

The next question is whether online gaming and web surfing are allowed on the systems in this area at all. Even where outbound policy is restrictive, it is common for tech-savvy employees to get around it by tunneling their traffic over SSH to a port the firewall still permits.
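As an added example (not code from the article, the Air Force release, or any product), here is the kind of check that an outbound policy needs behind it to catch that bypass: a small Python classifier that looks at the destination port and the first bytes a client sends, and flags an SSH protocol banner on a port the firewall allows. The egress policy, the hosts and the connection records are constructed for illustration; the only protocol facts relied on are that an SSH client opens with an identification string beginning "SSH-", a TLS client opens with a handshake record beginning 0x16 0x03, and an HTTP request opens with a method token.

```python
# Added example: spotting SSH tunnels that ride on "allowed" egress ports.
# This is illustrative code, not from the original article; the policy and the
# connection records below are constructed, not captured from any real network.

SSH_BANNER_PREFIX = b"SSH-"          # SSH identification string (RFC 4253)
TLS_RECORD_PREFIX = b"\x16\x03"      # TLS handshake record, protocol version 3.x
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")
ALLOWED_EGRESS_PORTS = {80, 443}     # hypothetical restrictive outbound policy

SUSPICIOUS_VERDICTS = {"ssh_tunnel", "not_tls_on_443", "not_http_on_80"}


def classify_connection(dst_port, first_bytes):
    """Return a verdict for one outbound TCP connection.

    dst_port: destination port as seen at the firewall or proxy
    first_bytes: the first bytes the internal client sent on the connection
    """
    if dst_port not in ALLOWED_EGRESS_PORTS:
        return "blocked"            # policy already drops it; nothing to inspect
    if first_bytes.startswith(SSH_BANNER_PREFIX):
        return "ssh_tunnel"         # plain SSH on a port the policy permits
    if dst_port == 443 and not first_bytes.startswith(TLS_RECORD_PREFIX):
        return "not_tls_on_443"     # something other than TLS on the HTTPS port
    if dst_port == 80 and not first_bytes.startswith(HTTP_METHODS):
        return "not_http_on_80"     # something other than HTTP on the web port
    return "ok"


def find_suspicious(records):
    """Run the classifier over (src_ip, dst_port, first_bytes) records and
    return the ones that deserve a look, in input order."""
    hits = []
    for src_ip, dst_port, first_bytes in records:
        verdict = classify_connection(dst_port, first_bytes)
        if verdict in SUSPICIOUS_VERDICTS:
            hits.append((src_ip, dst_port, verdict))
    return hits


# Constructed sample connection records, one per outbound flow.
SAMPLE_CONNECTIONS = [
    ("10.1.1.20", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),  # TLS ClientHello
    ("10.1.1.21", 80,  b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"),  # ordinary HTTP
    ("10.1.1.22", 443, b"SSH-2.0-OpenSSH_5.8\r\n"),       # ssh -p 443 to a personal box
    ("10.1.1.22", 22,  b"SSH-2.0-OpenSSH_5.8\r\n"),       # dropped by policy anyway
    ("10.1.1.23", 80,  b"SSH-2.0-PuTTY_Release_0.61\r\n"),  # ssh on the web port
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_CONNECTIONS):
        print("suspicious:", hit)
```

On the sample data this reports the two SSH banners on ports 443 and 80 and nothing else. The caveat a practitioner should keep in mind: this only catches SSH spoken in the clear on an allowed port. SSH wrapped in TLS (stunnel, or pushed through an HTTPS CONNECT proxy) looks like legitimate TLS at this layer and has to be caught at the proxy or on the endpoint; and for a mission-support host that has no business reason to reach the Internet at all, the right policy is no outbound allowance to inspect in the first place.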

It is a good thing that the malware was stopped, but with the military’s increasing dependence on drone systems this “near miss” really has to be taken to heart.


Kevin McAleavey: The malware involved here is most widely known by the name "AGENT.KGB" since that's the letter code most widely used in naming it. It's a Chinese-based multiple game credential stealing trojan which was often distributed through email and through social networking spam almost five years ago. That it still exists is nothing short of amazing, but as far as the drones are concerned, not critical.

Most likely path of infection was through USB sticks between machines which bypassed the "air gap."
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.