In October, the major news outlets announced that the piloting systems used by unmanned recon drones in Afghanistan and other nearby countries were compromised by a virus capable of recording keystrokes or user authentication information. The Air Force followed up with a press release stating that this virus was only a credential stealer, that it was not designed to transmit or corrupt data, that the systems were completely disconnected from the internet, and that the malware was introduced through removable media.
The following article is speculation. Its purpose is to highlight important security practices by illustrating possible links between the captured drone and a virus infection which occurred two months prior to the drone's capture. The author has no knowledge beyond what has been officially published.
I'd like to throw up a red flag here. Credential stealers are traditionally programmed with a "call home" feature to transmit the stolen credentials to their creator. Why would a credential stealer steal credentials and then only store them locally?
Flash forward to the events of the past week, in which a United States stealth drone was captured intact by Iran.
Iran even claims they were able to control the drone remotely. This is somewhat disturbing since the drone does not require an outside signal to fly or navigate.
Based upon the available information, there are multiple possibilities linking the October virus infection with the drone lost 2 months later:
- The virus was not a credential stealer at all, and its true purpose was to alter the flight path of specific drones, similar to how Stuxnet only targeted industrial control systems capable of operating centrifuges.
- The virus was a credential stealer, and stored credentials locally to be retrieved later. Although the infected systems were not the piloting systems, it is very likely that the pilots used the same login credentials on the piloting systems. This is a disturbing possibility, as it would mean that a member of the military, or a military contractor, has engaged directly in espionage.
- The virus was an intentional distraction, designed to shift the IT staff's focus from monitoring the security of the drones to the local systems, while another attack was performed covertly against the drones themselves.
- And finally, the virus infection could have been completely unrelated, and simply a coincidence.
Like all security breaches, this incident should be viewed as a learning opportunity. So what lessons can be learned from this incident?
- Treat all removable media such as USB drives with suspicion, even your own. Perform a low-level format after use, and always scan the drive for viruses before and after use. Examine the drive manually for any unexpected files, making sure to view hidden and protected operating system files.
- Always be aware of the possibility of an insider threat. Look for the warning signs.
- Implement application whitelisting on sensitive systems, and only disable the whitelist while performing regular security updates.
- Don't always believe your first analysis of a piece of unknown malware. It may have hidden features designed to evade detection. Stuxnet is an excellent example.
- Don't let your investigation of an ongoing security incident result in less monitoring for the rest of your network. Bring in outside help to handle the extra work load if you need to.
- Finally, as a colleague once told me, correlation does not mean causation. It is very possible that two similar incidents may be completely unrelated, despite their close proximity to each other.
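The removable-media lesson above (inspect the drive for unexpected files, hidden ones included, before and after use) can be made routine rather than a manual eyeball check. The script below is an added example, not code from the original post: it builds a hashed inventory of every regular file on a mounted drive, dotfiles included, and compares it against the inventory taken before the drive was handed out, so that anything added, removed or altered in between is reported. The mount path and the sample files are constructed here for demonstration; in practice the baseline manifest would be stored off the drive.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def inventory(root):
    """Return {relative_path: sha256} for every regular file under root.

    os.walk lists dotfiles and other hidden entries just like normal ones,
    so nothing is skipped for being "hidden". Symlinks are ignored so that
    a link pointing off the drive cannot smuggle other content into the
    inventory.
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Diff two inventories; returns (added, removed, changed) path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return added, removed, changed


def report(added, removed, changed):
    """Human-readable summary of a comparison."""
    lines = []
    for label, paths in (("ADDED", added), ("REMOVED", removed), ("CHANGED", changed)):
        for p in paths:
            flag = " (hidden)" if any(part.startswith(".") for part in p.split("/")) else ""
            lines.append(f"{label:8s} {p}{flag}")
    return "\n".join(lines) if lines else "no differences"


def demo():
    """Constructed scenario: snapshot a drive, use it, snapshot it again.

    A temporary directory stands in for the mounted removable drive. After
    the baseline, one document is modified and a file appears inside a
    hidden directory; both should show up in the comparison.
    """
    with tempfile.TemporaryDirectory() as drive:
        drive = Path(drive)
        (drive / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (drive / "notes.txt").write_text("meeting notes\n")
        baseline = inventory(drive)

        # Simulated use of the drive on another machine.
        (drive / "notes.txt").write_text("meeting notes (edited)\n")
        (drive / ".thumbs").mkdir()
        (drive / ".thumbs" / "index.dat").write_bytes(b"\x00\x01constructed\x02")

        result = compare(baseline, inventory(drive))
        print(report(*result))
        return result


if __name__ == "__main__":
    demo()
```

Running the script prints one line per difference and tags paths under a dot-directory as hidden; a non-empty report on a drive that should not have changed is the cue to quarantine it rather than plug it into anything else.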
As for the original question, did a virus infection result in Iran acquiring a United States drone? We may find out the full story eventually, but it may take 25 years.