Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack

Noah Shachtman, Former Brookings Expert, Executive Editor - The Daily Beast

August 25, 2010

In the fall of 2008, a variant of a three-year-old, relatively benign worm began winding its way through the U.S. military’s networks, spread by troops using thumb drives and other removable storage media. Now, the Pentagon says the infiltration — first reported by Danger Room — was a deliberate attack, launched by foreign spies. It’s a claim that some of the troops who worked to contain the worm are finding hard to back up.

In the upcoming issue of Foreign Affairs, Deputy Defense Secretary William Lynn writes that the worm entered the military’s classified systems “when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command.”

“That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” Lynn adds. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

The worm, dubbed agent.btz, caused the military’s network administrators major headaches. It took the Pentagon nearly 14 months of stop-and-go effort to clean out the worm — a process the military called “Operation Buckshot Yankee.” The endeavor was so tortuous that it helped lead to a major reorganization of the armed forces’ information defenses, including the creation of the military’s new Cyber Command.

But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

“Some guys wanted to reach out and touch someone. But months later, we were still doing forensics. It was never clear, though,” one officer tells Danger Room. “The code was used by Russian hackers before. But who knows?” Left unsaid is a second question: Why would an intelligence agency launch a limp attack?

Agent.btz is a variant of the SillyFDC worm that copies itself from removable drive to computer and back to drive again. Depending on how the worm is configured, it has the ability (as Lynn notes) to scan computers for data, open backdoors, and send that data through those backdoors to a remote command-and-control server.

But the methods for containing it are relatively straightforward. To keep SillyFDC from spreading across a network, you can ban thumb drives and the like, as the Pentagon did from November 2008 to February 2010. Or you can disable Windows’ “autorun” feature, which instantly starts any program loaded on a drive. In 2007, the security firm Symantec rated SillyFDC as “Risk Level 1: Very Low.”

What’s more, agent.btz’s ability to compromise classified information is fairly limited. SIPRNet, the military’s secret network, and JWICS, its top secret network, have only the thinnest of connections to the public internet. Without those connections, “intruders would have no way of exploiting the backdoor, or, indeed, of even knowing that agent.btz had found its way into the CENTCOM network,” as our sister blog Threat Level observed in March.

The havoc caused by agent.btz has little to do with the worm’s complexity or maliciousness — and everything to do with the military’s inability to cope with even a minor threat. “Exactly how much information was grabbed, whether it got out, and who got it — that was all unclear,” says an officer who participated in the operation. “The scary part was how fast it spread, and how hard it was to respond.”

U.S. Strategic Command, which is supposed to play a key role in military network defense, couldn’t get simple answers about the number of infected computers — or the number of computers, period.

“We got into Buckshot Yankee and I asked simple questions like how many computers do we have on the network in various flavors, what’s their configuration, and I couldn’t get an answer in over a month,” U.S. Strategic Command chief Gen. Kevin Chilton told a conference last May.

“Buckshot Yankee was a seminal event because we understood that we weren’t as protected as we thought we were. And we weren’t paying attention as well as we should’ve been,” another officer involved in the operation tells Danger Room.

As a result, network defense has become a top-tier issue in the armed forces. “A year ago, cyberspace was not commanders’ business. Cyberspace was the sys-admin guy’s business or someone in your outer office when there’s a problem with machines business,” Chilton noted. “Today, we’ve seen the results of this command level focus, senior level focus.”

Implementation of a new, Host-Based Security System was accelerated, for better threat detection. Information security training and patch updates are mandatory. The Defense Department has a better sense of what’s connected to its networks. And, in what may prove to be the most significant move, there’s now a Cyber Command under Chilton that’s responsible for coordinating threat monitoring, network defense, and information attack. The Pentagon brass was already considering such a consolidation before November of 2008. Operation Buckshot Yankee turbo-charged that process — no matter who was responsible for the worm.

Update: Spencer and I just got off of the phone with Lynn. I asked him about his claim that agent.btz was an intelligence operation. His answer: “It was tied to a foreign intelligence service. I’m not going to go into any further detail on the forensics that we’ve done in terms of where the intrusion came or how it occurred beyond what I said in the article.”

But what spy service would launch such a lame attack?

“It isn’t the most capable threat, I agree with that,” Lynn replies. “But that kind of makes the point. If you had something of the kind of capability you described and we suffered a compromise as the result of it, it clearly means that we need to have a new strategic approach and that’s what started a couple years ago. I’ve tried to lay out where we’re going going forward.”

OK, so Lynn wouldn’t specify which intelligence service he considers responsible for agent.btz. But did the United States take any retaliatory measures after it established culpability? “I’m going to have to keep resisting,” Lynn replies. “The reason to talk about that was to highlight the policy responses that we’ve taken to it.”