Our Predator Drones Hacked Again?

The shadow cyber war has become real. – gAtO first wrote this about Oct. 11, 2011, but now it comes back to haunt us again. This time they took down the CIA RQ-170.

On May 31, 2011, Washington moved to classify an attack on essential infrastructure via cyberspace as something that could be as damaging as any kinetic attack on US soil. Pentagon officials disclosed to the Wall Street Journal that any hacker threatening US security by attacking its nuclear reactors, pipelines or public networks such as mass transport systems. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” an official said. But they go ahead and hack a top-secret CIA/AF drone flight center. These “drones” are some of the most essential tools in our modern offensive arsenal, cyber or conventional.

Do we have retaliatory virus attacks on U.S. Predator drones?

Predator drones hacked in Iraq operations

Are we in a cyber war? What if you infect my top secret complex and install an unstoppable key logger that controls my main offensive warfare capabilities, the ones used to perform CIA and U.S. military unmanned drone aircraft operations in Afghanistan, Somalia, Pakistan and other conflict zones? “We keep wiping it off, and it keeps coming back,” said one U.S. military source. “We think it’s benign. But we just don’t know.” Another military spokesman said to Wired, “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks.”

The virus was first detected two weeks ago and is thought to be logging every keystroke made as US-based drone pilots remotely fly overseas missions. The drones have not been grounded as military officials claim that confidential information has not been compromised.
As you might expect, military officials are attempting to downplay the significance of the computer virus attacks. They state that they do not yet know whether the virus was placed in the drone’s software by a targeted attack or if it is a piece of malware that somehow entered the network by accident. Military officials do admit that they do not know how far the virus has spread throughout the drone network.


The IT security field is full of clueless people… A perfect example of a lemon market (Gutmann). Part of the problem is high demand for IT security, and over-reliance on certifications. Demand is even higher for personnel with secret or higher clearance… and it seems that in some cases, if a candidate for a position has the clearance, then knowledge, expertise and other such “nonsense” are deemed optional. A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions… They think it’s “benign”! I bet Stuxnet also seemed pretty “benign” for a while.

And they are running GCS on Windows… Yeah, yeah, I am aware of the Common Criteria EAL for Windows. I have seen a warship’s main computer running on Windows 🙂 How crazy is that? Of course a $26 piece of software causes the problem…

The interesting aspect of this is that the operators are doing what I’ve always predicted American soldiers would do – fighting through the problem. Sure, they’re bringing systems down and rebuilding them, but they’re still operating. This can be both good and bad – good if you need to accomplish the mission but bad because it’s hard to bring down all of the systems at once to prevent cross-infection (I do wonder why they don’t patch the Windows vulnerability – could it be that the SPO didn’t plan for patching?)

The Creech folks are facing the same problem an oil refinery had when Nimda hit them. The refinery would have had to shut down at the cost of millions of dollars if they had lost “view” of the process. However, the operator consoles (HMI) were the last source of re-infection. Eventually, they isolated all but one HMI, fixed the isolated systems, and then swapped those for the one that was probably still infected. Since that’s the logical path, I’m sure the Creech folks are trying it – but they apparently have not yet succeeded.

Long ago, in the DARPA IA program, an epidemiologist pointed out the strange anomaly between real-world infections and cyber-world infections. In the real world there is a rapid rise in the number of infections until the infection vector is saturated, then either treatment or immunity develops and the number of infections slowly trails off with time to near zero. Cyber-world infections follow a similar pattern until the trail-off stage, when the curve maintains a significant value above zero in the tail end. Anyone who monitors firewalls and IDS knows that there are still machines out there somewhere trying to infect others with Blaster and Nimda and every other major malware.
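The contrast between the two curves can be reproduced with a toy model. This is an added example, not from the original post or the DARPA program: a discrete-time SIR-style simulation in which a hypothetical `unmanaged_frac` of hosts is never cleaned, with all rates and host counts being assumed values.

```python
"""Added illustration: infection curves with and without never-cleaned hosts."""


def simulate(n=10_000, beta=0.5, gamma=0.1, unmanaged_frac=0.0, steps=400):
    """Discrete-time SIR-style model; returns the infected-host count per step.

    beta           : successful infections per infected host per step (assumed)
    gamma          : share of *managed* infected hosts cleaned per step (assumed)
    unmanaged_frac : share of hosts nobody ever cleans (hypothetical parameter)
    """
    s_unmanaged = n * unmanaged_frac
    s_managed = n - s_unmanaged - 1      # one managed host starts out infected
    i_managed, i_unmanaged = 1.0, 0.0
    history = []
    for _ in range(steps):
        # Per-host risk of infection this step, driven by all infected hosts.
        force = beta * (i_managed + i_unmanaged) / n
        new_m = force * s_managed
        new_u = force * s_unmanaged
        cleaned = gamma * i_managed      # only managed hosts are remediated
        s_managed -= new_m
        s_unmanaged -= new_u
        i_managed += new_m - cleaned
        i_unmanaged += new_u             # stays infected for good
        history.append(i_managed + i_unmanaged)
    return history


def tail_level(history, window=50):
    """Average number of infected hosts over the last `window` steps."""
    return sum(history[-window:]) / window


if __name__ == "__main__":
    real_world = simulate(unmanaged_frac=0.0)   # everyone recovers eventually
    cyber = simulate(unmanaged_frac=0.05)       # 5% of hosts are never cleaned
    for name, curve in (("real-world", real_world), ("cyber", cyber)):
        print(f"{name:10s} peak={max(curve):8.1f} tail={tail_level(curve):8.3f}")
```

With every host eventually cleaned the tail falls to effectively zero; with 5% of hosts left unmanaged it settles near that 5% and keeps generating infection attempts, which is the residual traffic firewalls and IDS keep seeing.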

Once again, we see that key loggers are notoriously difficult to identify and eradicate. By far the most effective way of neutralising the effects of key loggers is to use techniques that ensure they receive either no data or false data. Unless you track 100% of system changes after each and every session...

We are constantly being attacked from everywhere, by everyone; what one attack vector won’t find, another will. It becomes a numbers game.
This was a directed campaign to get the key logger installed in a secure facility. That’s good social engineering. That opens up another can of worms. You gonna tell me it was “Lady Gaga” on a thumb drive again?
Windows 😀 Let’s let the defense boys use a PS3 (more secure) to fly these drones; better than a Windows box without a mirror of the OS as a fallback plan. Disaster recovery, boys and girls. It’s becoming an SNL comedy skit, but it ain’t funny D: The last year it’s been all China; that is the question.

I’ll back away from the soapbox now.

