Highlights
– US military officials believe that recent malware attacks on Department of Defense computers may have originated in Russia
– Military officials ban the use of removable media devices to help prevent the spread of a computer worm
– Ensuring Department of Defense computers are free of computer viruses and worms will be costly and time consuming
The President of the United States (US) and the Secretary of Defense at the Department of Defense (DoD) received a special briefing from senior military leaders last week following a severe and widespread cyber-attack on DoD computers that military officials believe originated in Russia.
Officials stated that the attacks struck computer networks within the US Central Command, the headquarters that oversees US military operations in Iraq and Afghanistan, and affected computers in combat zones. Additionally, military officials investigating the scope of the attacks discovered that the attacks had penetrated at least one well-guarded classified network.
Agent.btz Worm
Initial reports that the DoD was dealing with a network attack came after the Pentagon released details two weeks ago of a computer worm, a self-replicating computer program, known as agent.btz that was spreading itself via external Universal Serial Bus (USB) flash drives. The attack prompted officials to ban the use of USB flash drives across all branches of the military. Military electronics experts have not determined the exact source or a possible motive of the attacks. Further, officials could not state whether the malicious program was created by an individual hacker or if the Russian government may have had some involvement.
While military investigators piece together the digital clues in an effort to discover how widespread the intrusion has become and to pinpoint those responsible for the attacks, the US Strategic Command, which oversees the military’s cyberspace defenses, has raised the security level for its so-called information operations condition, INFOCON. INFOCON is a threat level system used by the US military to defend against a computer attack. The heightened security level establishes enhanced security measures on all of the military’s computer networks.
The DoD receives millions of scans and subsequent breaching attempts against its computer networks each day, but the latest USB-based malware attacks represent a new attack vector that is rapidly growing and often more successful. Computer viruses and worms infecting removable storage media outside of a protected network can circumvent external network defense barriers – firewalls – when the media is plugged into a computer inside a governmental information technology (IT) network. According to an April 2008 report released by the computer security vendor Symantec, executable file sharing (the infection method employed by the agent.btz worm) was the most common means of malware propagation in the second half of 2007. The report analyzed global Internet security threats from July 2007 to December 2007, and found that unscrupulous computer programmers creating viruses and worms are designing their malicious programs to copy themselves to removable media such as USB flash drives. On November 20, 2008, the United States Computer Emergency Readiness Team (US-CERT) issued an alert on its “current activities” web page outlining the increase in malicious code propagating via USB flash drive devices. In the near to mid-term, we expect to see a continual increase in the development and deployment of sophisticated viruses and worms that propagate via removable media, due in large part to the increasingly widespread use of devices such as USB flash drives.
Computer Worm Spreads Rapidly
The computer worm agent.btz, a variation of the “SillyFDC” worm, has been rapidly planting itself onto DoD computer systems connected to the classified SIPR and unclassified NIPR networks. The large number of infections prompted the commander of the US Strategic Command to issue a recent internal memo to all armed forces members banning all removable media on DoD computers. SillyFDC has been infecting computer systems worldwide since July 2005, and its various permutations are considered variants of the W32.Silly family of worms, which spread by copying themselves to removable media and may download other malicious applications.
The code within the agent.btz worm has the capability of downloading additional malicious applications, such as keylogging software (a method of capturing and recording user keystrokes), password-siphoning spyware or botnet agents (a collection of software robots, or bots, that run autonomously and automatically), onto compromised machines, thereby making the program more dangerous to the military’s operations and sensitive information. In the near-term, it will be important for DoD IT experts to determine how many machines are currently infected with the worm and bring them offline before the program has an opportunity to pass sensitive information to unknown individuals or foreign governments.
Cleanup Process Will Be Costly And Time Consuming
There are approximately 17 million computers that are a part of the DoD Global Information Grid (GIG), and the process involved in discovering infected computer systems and properly cleaning them is going to require significant resources to be redirected within the DoD.
In the internal memo sent to all US military personnel, officials stated that government security teams “will be conducting daily scans and running custom scripts on NIPRNET and SIPRNET to ensure the commercial malware has not been introduced.” Discovery of any malware would result in the opening of a security incident report and a subsequent investigation.
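As an added illustration of the “custom scripts” the memo refers to, and of the removable-media vector described above (worms copying executable files onto USB drives to get past the firewall), here is a small Python audit that is not any DoD tool: it walks a mounted drive, flags executable files of the kind a W32-family worm drops, and checks every file’s SHA-256 against a blocklist. The file names, the extension list and the blocklist hash are constructed assumptions, not indicators from this article.

```python
import hashlib
import os
import tempfile

# Extensions a W32-family worm typically uses when it copies itself to a drive (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".vbs"}


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so a large drive is never loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_media(mount_point, known_bad_hashes=frozenset()):
    """Walk a mounted drive; return (relative_path, reason) for each suspect file."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point)
            ext = os.path.splitext(name)[1].lower()
            if sha256_of(path) in known_bad_hashes:
                findings.append((rel, "matches a known-bad hash"))
            elif ext in EXECUTABLE_EXTS:
                findings.append((rel, f"executable file ({ext}) on removable media"))
    return findings


def demo(infected=True):
    """Build a constructed drive image in a temp dir and audit it (no real malware involved)."""
    sample = b"constructed sample bytes, not agent.btz"  # hypothetical blocklisted content
    known_bad = {hashlib.sha256(sample).hexdigest()}
    with tempfile.TemporaryDirectory() as drive:
        with open(os.path.join(drive, "sitrep.txt"), "w") as fh:
            fh.write("situation report")  # benign document, should not be flagged
        if infected:
            with open(os.path.join(drive, "update.exe"), "wb") as fh:
                fh.write(b"MZ placeholder, not executable code")  # dropped 'executable'
            with open(os.path.join(drive, "cache.dat"), "wb") as fh:
                fh.write(sample)  # content matches the blocklist regardless of extension
        return audit_media(drive, known_bad)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"FINDING {rel}: {reason}")
```

Run against a real mount point, any finding would feed the incident report the memo describes; the hash check catches a renamed payload that the extension check alone would miss.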
Soldiers in Iraq and Afghanistan have relied upon USB flash drives as a means of storing and transferring large files between individuals and computer systems. Network bandwidth, the transmission capacity of a computer network, is often scarce on the battlefield, and the networks themselves are often considered unreliable, which is why many soldiers use the high-capacity storage devices. In the near-term, military personnel will have to seek alternative methods to store and share information, and security experts will need to continue to develop software, hardware and protocols designed to rapidly detect and mitigate the spread of malicious software on DoD computer networks.