There’s something deeply wrong at Creech Air Force Base, the notorious home of America’s drone program, where pilots remotely order US Reaper and Predator drones to unleash destructive missile strikes on unsuspecting villagers in Yemen, Libya, Iraq, Syria, Afghanistan and other war zones.
Less than a week after the Department of Homeland Security advised all federal agencies using anti-virus software created by Kaspersky Labs to remove the programs from their systems immediately, Ars Technica reports that two weeks ago the Defense Information Systems Agency detected mysterious spyware embedded in the drone “cockpits” – the control stations that pilots use to control the deadly machines.
Investigators have been unable to determine the virus’s provenance, or even if it was intentionally introduced to the drone systems, or the result of an accidental infection. But perhaps the virus’s most perplexing feature is its passivity. Instead of hastening away reams of classified information, it has simply logged keystrokes.
More curious still, the virus has resisted all attempts to remove it from the Air Force’s systems.
The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military’s most important weapons system.
“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.
As Ars notes, drones have become America’s weapon of choice for waging stealth warfare across the Middle East and Africa, a fact that was underlined by the killing of four US green berets in Niger earlier this week. The military advisers were serving at a waystation for American drones that were used to carry out attacks on nearby Al Qaeda affiliates.
Drones have become America’s tool of choice in both its conventional and shadow wars, allowing US forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; all told, these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post. More than 150 additional Predator and Reaper drones, under US Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula.
And while they represent America’s most sophisticated weaponry in the never-ending war on terror, the drone program has well-known security flaws. Last fall, the US Air Force investigated a secure network outage in early September at Creech. Around the time of the outage, there were three incidences of drones striking three unintended targets. The Air Force said it was just a coincidence.
But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, US forces discovered “days and days and hours and hours” of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.
Authorities believe the virus was spread by the use of remote drives used by technicians to upload maps and other data to the drone piloting systems, which are “air gapped” from the rest of the Air Force’s systems.
Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.
But given the hysteria surrounding Kaspersky’s software allegedly being used as a tool for espionage by the Russian government, how long until this breach is connected with a broader narrative about Russian hackers trying to destabilize American society?
Or, worse – how much longer until a malicious actor manages to seize control of America’s drone program and harness its destructive capabilities for its own ends?