Throwback Attack: Keylogging virus infects U.S. drone fleet

Image courtesy: Brett Sayles

Whether we like it or not, military systems are an important part of establishing authority and creating stability across the world. This makes it imperative that those systems are thoroughly protected from threat actors. Unfortunately, government entities have struggled with cybersecurity, with the White House and the Department of Defense falling victim to attacks by their own American citizens.

In 2011, a fleet of U.S. Predator and Reaper drones was hacked, and threat actors were able to log every keystroke from the operators. These drones were responsible for flying over Afghanistan and other areas. While there was no apparent evidence of damage, or of who executed the attack, the Air Force base was unable to get the keylogging malware off the system. Although this attack didn’t cause significant damage, cyberattacks on military targets, like a drone fleet, can have far-reaching implications for the global order.

What is keylogging, and why is it scary?

Sophos, an antivirus company, defines keylogging as a form of spyware that tracks the keystrokes being inputted by an unsuspecting user. While this may sound illegal, it isn’t. According to Sophos, “They do have legitimate, useful applications. For example, keyloggers are often used by IT departments to troubleshoot problems and systems. Also, they can keep an eye on employee activities.” Keylogging can also be used to track progress of projects and create backups to files while they’re being written or coded.

Keylogging is carried out in two different ways: physically, by inserting a hardware device between the keyboard and the computer, or via software designed to run on an unsuspecting victim’s machine. This attack on the U.S. drones occurred via the latter method.

This can be scary because a person could be getting keylogged at any moment without knowing it.

Threat actor hacks U.S. Air Force drones

Initially, the keylogging malware was detected by Creech Air Force Base’s host-based security system. The information technology (IT) team tried to figure out the intentions of the attack, as well as how to get the keylogging software off of their drone fleet. However, when they tried to clear out the malware, it would come back. Even though there is no evidence of data being stolen, that doesn’t mean it hasn’t happened.

According to Wired, “the technicians had to use a software tool called BCWipe to completely erase the GCS’ [ground control station] internal hard drives.” This meant the internal hard drives had to be completely rebuilt from scratch.

Even though drones have become a common weapon of choice for the military, especially since the Obama administration, the security around them is flawed, with the Reaper and Predator drones not encrypting the video they transmit. In the same Wired article, the author notes that, “U.S. forces discovered ‘days and days and hours and hours’ of the drone footage on the laptops of Iraqi insurgents.”

How do threat actors get access in the first place?

According to a CNN article, “None of the remote cockpits [were] supposed to be connected to the public internet. Which means they [were] supposed to be largely immune to viruses and other network security threats.” Much like other U.S. government cybersecurity tactics, Creech Air Force Base used an air-gap system as a primary means of cybersecurity. An air gap is a closed network with “no” access point to outside networks, so the private network is “air-gapped,” or separated, from public networks.

This isn’t the first cyberattack a U.S. entity has suffered where an air gap was one of the few cybersecurity practices in place. In 2016, the White House suffered an attack on its network, allegedly by a Russian adversary, although nothing came of it.

Kevin Poulsen, the infamous hacker from the last quarter of the 20th century, was also able to hack a U.S. defense base and look at different military plans, as well as wiretap government lines to listen in on conversations. In 1999, a teenager named Jonathan James hacked NASA and the Department of Defense for fun. Both of these individuals were talented in the field of hacking, but part of why they were so successful also boils down to the distinct lack of cybersecurity measures in place.

Lessons learned from the keylogging drone attack

While the Air Force declined to make any comments on the keylogging, Lt. Col. Tadd Sholtis did say, “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms and other malware we discover.”

For other government entities or businesses who were watching this happen, this incident should have taught a few valuable lessons. First, it showed just how flawed air gapping is, particularly when it is the only form of cybersecurity. Second, it showed that threat actors can successfully attack anyone, even the U.S. government.

Cybersecurity awareness is very important for everybody to pay attention to. The National Cybersecurity Alliance highlights several important practices to be more cyber safe, including using multifactor authentication, using strong passwords (e.g., not a pet’s name, or your mom’s middle name), updating software regularly and being alert for phishing activity in an inbox.

If stronger cybersecurity measures had been in place at Creech Air Force Base, they might have been enough to protect the drone fleet from intrusion. One source from the keylogging attack summed it up well when they said, “It’s getting a lot of attention … but no one’s panicking. Yet.” Even though this cyberattack was mundane and nothing came of it, that doesn’t mean every cyberattack will follow the same pattern.