Infected USB drive blamed for '08 military cyber breach

Malware was uploaded to network run by the U.S. Central Command

It was a USB drive loaded with malware.

That's how U.S. defense networks were compromised in 2008, according to U.S Deputy Defense Secretary William Lynn, who today offered the first official confirmation of a data breach that led to restrictions on the use of removable USB drives in the military.

In an article written for Foreign Affairs magazine, Lynn said the breach occurred when a single USB drive containing malicious code was inserted into a laptop computer at a U.S. base in the Middle East. The malware, placed on the drive by a foreign intelligence agency, was uploaded to a network run by the U.S. Central Command.

The malware then spread -- undetected -- on both classified and unclassified systems, essentially establishing a "digital beachhead" from which data could be transferred to servers outside the U.S, "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," Lynn wrote.

He did not say whether the malware allowed any classified or unclassified data to be stolen from U.S. Defense networks. Nor did he offer clues as to which foreign intelligence agency may have been behind the intrusion.

Even so, Lynn described the hitherto classified incident as the "most significant breach of U.S. military computers ever," saying it served as an important wake-up call for the military.

The incident led to a massive Pentagon response operation called "Operation Buckshot Yankee" aimed at purging infected systems of the malware and preventing something similar from happening again.

Lynn's description in Foreign Affairs throws a little more light on the military's sudden ban on the use of removable USB flash drives in 2008. At that time, the Pentagon said its decision was tied to concerns about a malware program called Agent.btz that propagated itself via the drives. That worm was a variant of another malware program called SillyFDC that was designed to scan infected systems for specific data and open backdoors for communications with remote command and control servers.

The Pentagon said at the time that the malware had begun infecting military systems, but offered few other reasons for the USB ban.

The incident highlights the enormous problems that can result from seemingly minor vulnerabilities, said J.R. Reagan, a analyst with Deloitte Consulting Services. "It brings to life what we have all feared for a long time from the small little holes in the dike that can really open up big problems," Reagan said.

In the military's case, the problems may have been exacerbated by an ongoing drive to make information sharing easier, he said.

The bigger issue really is not that the intrusion happened in the first place, but just how much information was in danger of being spirited out of the military's network, he said.

Lynn's description of the USB incident is part of a broader article on the challenges the U.S. military faces in securing its networks against foreign intelligence agencies. U.S. military networks are probed thousands of a times a day, he said.

"Right now, more than 100 foreign intelligence organizations are trying to hack into the digital networks that undergird U.S. military operations," Lynn said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies