Worm still a threat to US military

Washington - Three years after what the Pentagon called the most significant breach of US military networks ever, new versions of the malware blamed for the attack are still roiling US networks.

The malware at issue, known as agent.btz, in 2008 infiltrated the computer systems of US Central Command, which was running the wars in Iraq and Afghanistan.

The attack established what Deputy Defence Secretary William Lynn called "a digital beachhead" for a foreign intelligence agency to attempt to steal data.

The Pentagon in 2010 disclosed its operation to counter that attack, known as Buckshot Yankee. But new, more potent variations of agent.btz are still appearing.

"We can definitely say that it's not limited to government computers, it never has been, and that it hasn't gone away," said an official of the Department of Homeland Security, which leads US efforts to secure federal non-military computer networks, often described as the internet's "dot.gov" domain.

Spy agency

"It's very persistent and it keeps evolving," the official said. "You're constantly seeing new, better versions of it. So it's a challenge to keep ahead of it."

"It's quite prolific," the official added, speaking on condition of anonymity because of the matter's sensitivity. The official did not specify precisely which networks have been affected or the extent of the damage.

US officials have said a foreign spy agency was responsible for the 2008 attack, which occurred when an infected flash drive was inserted into a US military laptop at a base in the Middle East.

But they have never publicly named which one. Reuters has learned that experts inside and outside of the US government strongly suspect that the original attack was crafted by Russian intelligence.

Information about the origin of the suspected attackers, however, is still closely held and Pentagon officials refuse to discuss it. People familiar with the matter spoke on condition of anonymity and did not explain why Russia was the top suspect.

Buckshot Yankee led to Defence Secretary Robert Gates' order in June 2009 to create the military's new Cyber Command, which became operational last year.

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," Lynn wrote in the journal Foreign Affairs.

"It was a network administrator's worst fear: A rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," he said.

Anup Ghosh, a former senior computer scientist at the Pentagon's Defence Advanced Research Projects Agency (Darpa), said agent.btz was configured in a way that made it likely to remain a threat.

It reaches out to download new code, enabling it to change its "signature" continuously and evade anti-virus software running on host networks, said Ghosh, who worked on securing military systems while at Darpa from 2002 to 2006 and now heads Invincea, a cyber security software company.

"Old worms never die," he said. "They simply re-morph and rear their head again."

Michael McConnell, the US Director of National Intelligence from 2007 to 2009, indicated on Thursday night that he considered Russia's cyber espionage capabilities as outpacing China's.

China is "literally taking terabytes of data", McConnell said during a panel discussion in New York about cyber threats.

But "there are other nation-states that are better, so when they take things they're not observed as frequently", McConnell said. Pressed on whether he was referring to Russia, McConnell nodded yes.

McConnell, in an interview after the session, said he knew who was behind the 2008 attack on Central Command, but it was a classified matter that he would not discuss publicly. "What's been said can be said," McConnell said.

Could the code have been written in a third country in an effort to mask the attack mastermind's digital fingerprints?

So thinks Jeffrey Carr, author of the book Inside Cyber Warfare: Mapping the Cyber Underworld and a consultant to the US and allied governments on Russian and Chinese cyber strategy and tactics as well as emerging threats.

"The agent.btz sample that I've seen has indicators that it was created in China, which doesn't exclude Russia," he said by e-mail.

"In fact, if I were a Russian hacker running that 2008 operation against USCENTCOM, I'd purposefully use malware that was developed in China, Korea or elsewhere."

"I wouldn't want anything to point back to me or whoever hired me," Carr said.