A formerly classified 2008 cyberattack, termed the most significant breach of American military computers ever, began with an infected thumb drive, a top Pentagon official revealed this week in a magazine article.
U.S. Deputy Defense Secretary William Lynn said in an essay published Wednesday in Foreign Affairs magazine that the attack began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East.
The drive had been loaded with malware by a foreign intelligence agency, Lynn said. The malicious code copied itself onto a U.S. Central Command network, then spread undetected across both classified and unclassified systems, giving the attackers a foothold from which data could be transferred out of the network to servers under foreign control.
“It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Lynn wrote.
The incident served as a “wake-up call” and marked a turning point in U.S. cyber defense strategy, he said. The Pentagon operation mounted to counter the intrusion was code-named Operation Buckshot Yankee.
J.R. Reagan, public sector cybersecurity leader at Deloitte Consulting, told SCMagazineUS.com on Thursday that the Department of Defense should be applauded for sharing this information, which could serve as a learning opportunity for others, including those in the private sector.
“This should not be viewed as the bad guys won and a black eye for security,” he said. “There is an opportunity to learn from an event such as this.”
Others say the incident points to poor security practices at the time.
“I am very pleased to see such a coordinated effort but this is just the first step in a long journey,” Chet Wisniewski, senior security adviser at anti-virus firm Sophos, wrote in a blog post Wednesday in reaction to Lynn’s essay, which he called a public relations move meant to promote the Obama administration’s recent cybersecurity initiatives.
Moreover, the Pentagon’s focus on cybersecurity is “embarrassingly long overdue,” Wisniewski said.
The malware was a variant of SillyFDC, a family of worms that spread by copying themselves onto removable drives, and anti-virus companies had been detecting it since at least 2007, he added.
“Was the Pentagon really so woefully deficient in their practices that off-the-shelf malware brought sensitive systems to their knees?” Wisniewski wrote. “The implication is that computers and personnel responsible for our national security were not running up-to-date protection, that removable devices were being used recklessly and sensitive information was unencrypted.”
Further, Wisniewski said Lynn’s claim that a foreign adversary planted the malware on the drive is “dubious,” questioning whether a targeted attack by a foreign government would really rely on such common malware.
Lynn’s account also sheds light on the military’s ban on USB drives, announced in 2008.
At the time, reports revealed that the U.S. Department of Defense banned all removable media devices because a variant of the SillyFDC malware was targeting thumb drives and other removable media and spreading through military networks. In February, however, the ban was partially lifted, allowing removable media devices to be used on military networks in certain circumstances.
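The article does not describe how the worm propagated. SillyFDC-family worms copy themselves to removable drives and drop an autorun.inf that Windows AutoRun/AutoPlay uses to launch them when the drive is inserted, which is why a media ban and the AutoRun policy are the controls that matter here. The following Python script is an added illustration, not code from the article, from Lynn's essay, from Sophos or from the Department of Defense: it parses an autorun.inf, flags directives that would execute code or disguise the malicious AutoPlay entry, and checks whether a NoDriveTypeAutoRun policy value disables AutoRun for removable drives. Both sample files are constructed for the example; the RECYCLER path and update.exe name are placeholders, not the file from the incident.

```python
"""Audit autorun.inf files for directives that launch code on drive insertion,
and check the NoDriveTypeAutoRun policy bitmask.

Added example; not taken from the article or from any vendor. The sample
autorun.inf texts at the bottom are constructed, not recovered from the incident.
"""
import re
from typing import Dict, List

# Directives in an [autorun] section that make Windows launch a program when
# the drive is inserted (open=) or when its icon is double-clicked
# (shellexecute=, shell\<verb>\command=).
EXEC_DIRECTIVES = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Assumed decoy strings: worms set action= to echo Explorer's own AutoPlay
# prompt so the malicious entry looks like the normal "open folder" choice.
DECOY_ACTIONS = ("open folder", "view files")

# Bit in the NoDriveTypeAutoRun policy value (HKLM\Software\Microsoft\Windows\
# CurrentVersion\Policies\Explorer) for DRIVE_REMOVABLE (drive type 2).
NO_AUTORUN_REMOVABLE = 1 << 2
NO_AUTORUN_ALL_DRIVES = 0xFF


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from every [autorun*] section, keys lowercased.
    Blank lines, ';' comments and lines outside those sections are ignored."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()   # tolerate a UTF-8 BOM
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def first_token(value: str) -> str:
    """Program path from a directive value: a quoted path, else the first word."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split()[0] if v else ""


def audit_autorun(text: str) -> List[str]:
    """One finding per directive that would run code or deceive the user;
    an empty list means the file only sets things like a label or icon."""
    findings: List[str] = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_DIRECTIVES:
            findings.append(f"{key}= launches {first_token(value)!r} on insertion")
        elif SHELL_COMMAND_RE.match(key):
            verb = key.split("\\")[1]
            findings.append(f"{key}= rebinds the '{verb}' verb to {first_token(value)!r}")
        elif key == "action" and any(d in value.lower() for d in DECOY_ACTIONS):
            findings.append(f"action= mimics Explorer's own prompt: {value!r}")
    return findings


def removable_autorun_disabled(no_drive_type_autorun: int) -> bool:
    """True if the policy bitmask disables AutoRun for removable drives;
    0xFF disables it for every drive type."""
    return bool(no_drive_type_autorun & NO_AUTORUN_REMOVABLE)


# Constructed sample in the shape an autorun worm leaves on a thumb drive
# (placeholder path and name, not the actual file from the incident).
SAMPLE_WORM_INF = """
[autorun]
open=RECYCLER\\update.exe
shell\\open\\Command=RECYCLER\\update.exe
shell\\explore\\Command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

# Constructed benign sample: a driver disc that only sets a label and icon.
SAMPLE_BENIGN_INF = """
[autorun]
label=Driver CD
icon=setup.ico
"""

if __name__ == "__main__":
    for name, inf in (("worm", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(name, audit_autorun(inf) or "clean")
    print("removable AutoRun disabled with 0x91:", removable_autorun_disabled(0x91))
    print("removable AutoRun disabled with 0xFF:", removable_autorun_disabled(0xFF))
```

The icon= line is deliberately not flagged: legitimate discs set icons, and a worm pointing icon= at a system DLL is cosmetic. The three execution directives and the decoy action= string are what turn an inserted drive into an infection vector, and a policy value with the 0x04 bit clear leaves removable-drive AutoRun enabled even if other drive types are covered.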
Meanwhile, the intrusion was not the only successful penetration of military networks, Lynn said. The frequency and sophistication of intrusions have “increased exponentially” over the past 10 years. Moreover, each day U.S. military networks are probed thousands of times and scanned millions of times, he said.
“Adversaries have acquired thousands of files from U.S. networks and from the networks of U.S. allies and industry partners, including weapons blueprints, operational plans, and surveillance data,” Lynn wrote in the article.
To counter the growing cyberthreat, the United States has built “layered and robust” defenses around military networks, he added. The new U.S. Cyber Command is working to integrate cyber defense operations across the military. In addition, the Pentagon is working with the Department of Homeland Security to protect U.S. government and critical infrastructure networks.