Throwback Attack: An attack on the DoD leads to Operation Buckshot Yankee

Courtesy: Brett Sayles

Cyberattacks around the world have been on the rise; there is no hiding that. According to the FBI's 2020 Internet Crime Report, the bureau received more than 2,000 internet crime complaints per day. But what does that really mean if nothing changes after these attacks? In 2008, the United States Department of Defense (DoD) found its networks infected with malware, giving rise to the defensive response called "Operation Buckshot Yankee."

In 2008, cybersecurity was on the back burner for many sectors. Things have changed since then, and cybersecurity is now a higher priority. The 2008 intrusion into Department of Defense networks was one of the reasons U.S. Cyber Command was created in 2010. Its main objectives are to unify the direction of cyberspace operations, strengthen DoD cyberspace capabilities and improve understanding of what is happening in the cyber landscape.

How did Operation Buckshot Yankee come to be?

The first indication that something was wrong on the U.S. military's classified computer network was an unknown program trying to send coded messages out to its creator. The malware had to reach a command-and-control server to receive instructions on which files to take and how to transmit them; without that connection it could not steal any data. Because a classified network is isolated from the internet, those outbound attempts had nowhere legitimate to go, which is what made them stand out.

According to a Washington Post article, the Advanced Networks Operations (ANO) team at the National Security Agency (NSA) found that a rogue program had infected a classified network that held important military information, including battle plans used by commanders in Afghanistan and Iraq. The team also determined that the malware had arrived on a thumb drive, from which it entered the system and began searching for sensitive documents to steal. It then spread by copying itself onto any other thumb drive plugged into an infected machine, which eventually led to a department-wide ban on USB drives from November 2008 to February 2010. The ban drew considerable pushback because units relied on thumb drives to move combat imagery and share after-action reports.

Fourteen months passed between detection and the removal of the malware from the network. The government's top cyber experts could not determine who created the program or why. They suspected Chinese or Russian hackers, because code from Agent.btz, the malware used against the military's classified network, had appeared in earlier attacks, but they found no definitive proof implicating either country.

According to the same Washington Post article, "Pentagon officials consider the incident, discovered in October 2008, to be the most serious breach of the U.S. military's classified computer systems." Operation Buckshot Yankee was the response to this attack. The military began upgrading its computer defenses and preparing for offensive operations, and the NSA and the military investigated how the infection started and who was behind it. Thousands of infected USB drives were collected to slow the spread, and by early 2009 new infections had dwindled.

Where did the Agent.btz malware come from?

The malware used against the DoD had been circulating on the internet for months and dated back to 2006, according to a CNBC article quoting Mikko Hypponen, chief research officer at F-Secure. Hypponen named it Agent.btz when he found it on the military computers of a NATO government in June 2008. Then, in October 2008, NSA analysts found the same malware on the DoD's classified network. Its spread did not stop there: it also infected the Joint Worldwide Intelligence Communication System (JWICS), which carries classified information to U.S. officials worldwide.

According to a Council on Foreign Relations post, Agent.btz was made to steal documents from classified and unclassified U.S. military networks. A flash drive infected with Agent.btz was reportedly put into a laptop at a U.S. military base in the Middle East, and then the worm spread undetected to U.S. computers at the Department of Defense and in combat zones.

Agent.btz turned out to be a variant of the SillyFDC worm, which copies itself from removable drives onto computers and back onto any drive later attached to them. Depending on how it is configured, the worm can scan an infected machine for data, open a backdoor and exfiltrate files through that backdoor to a remote command-and-control server. Researchers later linked the Turla malware family to Agent.btz as well.
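The removable-drive propagation described above relied on Windows AutoRun: the worm dropped a payload plus an autorun.inf onto each drive so the payload ran when the drive was inserted or opened. The script below is an added example for this article (not code from the article or any source it cites) that triages autorun.inf files collected from removable media and flags the directives that would execute code from the drive. It assumes the classic AutoRun semantics, in which the `open` and `shellexecute` keys run a program on insertion and `shell\<verb>\command` keys replace the drive's Explorer context-menu verbs. Both autorun.inf samples are constructed, and the DLL name in them is a placeholder, not Agent.btz's real file name.

```python
"""Triage autorun.inf files collected from removable media.

Added example for this article, not code from the article or its sources.
Assumption: classic Windows AutoRun behaviour, where an [autorun] section's
"open" / "shellexecute" keys ran a program on insertion and
"shell\\<verb>\\command" keys replaced the drive's Explorer verbs.
The autorun.inf samples below are constructed; file names are placeholders.
"""
from __future__ import annotations

import configparser
import os
import re
from dataclasses import dataclass

# Keys that run a program as soon as the drive is inserted (AutoRun enabled).
EXEC_KEYS = {"open", "shellexecute"}
# Keys that replace the drive's Explorer context-menu verbs (Open, Explore, ...).
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# System launchers a removable-media worm typically uses to load a dropped DLL/script.
LAUNCHER_RE = re.compile(
    r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta)(\.exe)?\b", re.IGNORECASE
)


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value (empty if absent)."""
    cp = configparser.ConfigParser(
        interpolation=None,   # %SystemRoot% and friends must not be expanded
        strict=False,         # worm-written files often repeat keys
        allow_no_value=True,
        delimiters=("=",),    # autorun.inf uses only '=', and paths contain ':'
    )
    cp.optionxform = str.lower  # section keys are case-insensitive on Windows
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def triage(text: str) -> list[Finding]:
    """Flag every directive that would execute code from the drive."""
    findings: list[Finding] = []
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS:
            reason = "runs a program on insertion"
        elif SHELL_COMMAND_RE.match(key):
            reason = "hijacks an Explorer context-menu verb"
        else:
            continue  # icon=, label=, action=, useautoplay= execute nothing by themselves
        if LAUNCHER_RE.search(value):
            reason += "; uses a system launcher to load a dropped payload"
        findings.append(Finding(key, value, reason))
    return findings


def is_worm_like(text: str) -> bool:
    """True if the file would launch anything from the drive."""
    return bool(triage(text))


def scan_media(root: str) -> dict[str, list[Finding]]:
    """Walk a mounted drive and triage every autorun.inf found (any letter case)."""
    results: dict[str, list[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "autorun.inf":
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1", errors="replace") as fh:
                    results[path] = triage(fh.read())
    return results


# Constructed samples: a vendor drive that only sets an icon and label, and a
# worm-style stanza that loads a hidden DLL from the drive root via rundll32.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Vendor Tools
"""

WORM_INF = """[AutoRun]
; constructed sample resembling removable-media worm behaviour
open=rundll32.exe .\\placeholder.dll,Install
shell\\open\\command=rundll32.exe .\\placeholder.dll,Install
shell\\explore\\command=rundll32.exe .\\placeholder.dll,Install
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
useautoplay=1
"""

if __name__ == "__main__":
    for label, inf in (("benign", BENIGN_INF), ("worm-like", WORM_INF)):
        print(f"{label}: worm_like={is_worm_like(inf)}")
        for f in triage(inf):
            print(f"  {f.key} = {f.value!r}  -> {f.reason}")
```

Note that a vendor disc with a legitimate `open=setup.exe` is flagged too; that is deliberate, since the policy question is whether removable media may launch anything at all, not whether a given payload looks malicious. Also, `scan_media` only inspects autorun.inf content; a worm that also dropped a hidden DLL would still need a separate check of the drive's file listing. Microsoft later turned AutoRun off for non-optical removable media (KB967715, and by default in Windows 7), which removed this launch vector on patched hosts without a blanket USB ban.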

The lasting effects of Operation Buckshot Yankee

The weaknesses that Agent.btz exposed, both software vulnerabilities and a general breakdown of communication and ownership of cybersecurity, ultimately led to the creation of U.S. Cyber Command, a military command charged with defending Department of Defense networks and conducting offensive cyber operations for the U.S. military.

According to a Netsurion post, Gen. Kevin Chilton of U.S. Strategic Command said, “I asked simple questions like how many computers do we have on the network in various flavor, what’s their configuration, and I couldn’t get an answer in over a month.” As a result, network defense became a higher priority issue in the armed forces. “A year ago, cyberspace was not commanders’ business. Cyberspace was the sys-admin guy’s business or someone in your outer office when there’s a problem with machines business,” Chilton noted. “Today, we’ve seen the results of this command-level focus, senior-level focus.”