Old worm won't die after 2008 attack on U.S. military

WASHINGTON Thu Jun 16, 2011 6:34pm EDT

Personnel work at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado July 20, 2010. REUTERS/Rick Wilking

Personnel work at the Air Force Space Command Network Operations & Security Center at Peterson Air Force Base in Colorado Springs, Colorado July 20, 2010.

Credit: Reuters/Rick Wilking

Related Topics

WASHINGTON (Reuters) - Three years after what the Pentagon called the most significant breach of U.S. military networks ever, new versions of the malware blamed for the attack are still roiling U.S. networks, Reuters has learned.

The malware at issue, known as "agent.btz," infiltrated the computer systems of the U.S. Central Command in 2008, at a time when it was running wars in Iraq and Afghanistan.

The attack established what Deputy Defense Secretary William Lynn called "a digital beachhead" for a foreign intelligence agency to attempt to steal data.

The Pentagon last year disclosed its operation to counter that attack, known as Buckshot Yankee.

But new, more potent variations of agent.btz are still appearing.

"We can definitely say that it's not limited to government computers, it never has been, and that it hasn't gone away," said an official of the Department of Homeland Security, which leads U.S. efforts to secure federal nonmilitary computer networks, often described as the Internet's "dot.gov" domain.

"It's very persistent and it keeps evolving," the official said. "You're constantly seeing new, better versions of it. So it's a challenge to keep ahead of it."

"It's quite prolific," the official added, speaking on condition of anonymity because of the matter's sensitivity. The official did not specify precisely which networks have been affected or the extent of the damage.


U.S. officials have said a foreign spy agency was responsible for the 2008 attack, which occurred when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East.

But they have never publicly named which one. Reuters has learned that experts inside and outside of the U.S. government strongly suspect that the original attack was crafted by Russian intelligence.

Information about the origin of the suspected attackers, however, is still closely-held and Pentagon officials refuse to discuss it. People familiar with the matter spoke to Reuters on condition of anonymity and did not explain why Russia was the top suspect.

Buckshot Yankee led to Defense Secretary Robert Gates' order in June 2009 to create the military's new Cyber Command, which became operational last year.

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," Lynn wrote in the journal Foreign Affairs last fall.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," he said.

Anup Ghosh, a former senior computer scientist at the Pentagon's Defense Advanced Research Projects Agency (Darpa), said agent.btz was configured in a way that made it likely to remain a threat.


It reaches out to download new code, enabling it to change its "signature" continuously and evade anti-virus software running on host networks, said Ghosh, who worked on securing military systems while at Darpa from 2002 to 2006 and now heads Invincea, a cybersecurity software company.

"Old worms never die," he said. "They simply re-morph and rear their head again."

The source of the attack remains uncertain. Could the code have been written in a third country in an effort to mask the attack mastermind's digital fingerprints?

So thinks Jeffrey Carr, author of the book Inside Cyber Warfare: Mapping the Cyber Underworld and a consultant to the U.S. and allied governments on Russian and Chinese cyber strategy and tactics as well as emerging threats.

"The agent.btz sample that I've seen has indicators that it was created in China, which doesn't exclude Russia," he said by email. "In fact, if I were a Russian hacker running that 2008 operation against USCENTCOM, I'd purposefully use malware that was developed in China, Korea or elsewhere."

"I wouldn't want anything to point back to me or whoever hired me," Carr said.

(Editing by Warren Strobel and David Storey)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (4)
This is disappointing. I thought the NSA’s job was to remain on top of this stuff. What is the government doing with all the money earmarked for cybersecurity aside of hiring big fancy cars with bulletproof glass and wet bars?

Jun 16, 2011 5:20pm EDT  --  Report as abuse
JRivers wrote:
Why in the world would you allow access to a defense network through the internet especially running MS products. Sorry but any agency with management stupid enough to let this happen needs it to happen.
Just stupid and sad, utter fail.

Jun 16, 2011 11:36pm EDT  --  Report as abuse
OkiePC wrote:
Wow, you would think the top echelons of military information and national security would have their own bullet proof top secret OS’s and even hardware to make this sort of attack obsolete. I don’t buy the rhetoric that you can prevent viruses and worms. That’s a cop-out by wanna-be computer scientists who make such ignorant claims as “old worms never die”. Remember when the OS was loaded from ROM and the user had to request every program execution?

Jun 16, 2011 11:45pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.