Investigative Report on "Buckshot Yankee"

This is a really good analysis of the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known.

Posted on December 15, 2011 at 12:50 PM • 27 Comments

Comments

Glenn Maynard • December 15, 2011 1:30 PM

The site lets you read a few pages, then harasses you to sign up to read the rest?

Try to warn us if you're going to link scummy, nagware sites like that, so we don't waste our time...

Albert • December 15, 2011 1:48 PM

Glenn, thanks for the heads up about the nags. I used the print option to get the whole article without nags or adverts.

LinkTheValiant • December 15, 2011 2:43 PM

Thanks much for the recommendation of the print version.

It is sad that USB mass storage devices have become such an attack vector. With all of our advances in technology, we STILL do not know how to securely transport data in the electronic equivalent of a briefcase. In fact, it really can't be done. It's no trouble to make sure Eve can't read it; encryption handles that part just fine. But given that you never can be SURE that a flash memory device is clean, you really can't transport data with any storage medium.

It almost seems that it would be better to print sensitive electronic data and use OCR to restore it after transportation, in much the same way PGP was before the ban on "high-grade" encryption was lifted. But that gets into the whole realm of "what's-the-point?"

Name • December 15, 2011 3:33 PM

How would that help? The problem isn't some kind of magical virus transference issue that USB sticks have and optical discs don't. The problem is that Windows will auto-run executable code that's on a USB stick when it's inserted into the machine. It'll do that for a DVD-R, too. And even if it doesn't run automatically (Windows VI and 7 finally don't do that by default anymore, although XP is still in major circulation) it's not hard to get the human being to run it manually.

Ralph Hitchens • December 15, 2011 3:56 PM

Odds are high, IMO, that this was copied to someone's flash drive & then proliferated by being plugged into the famously loose SIPRNet, which has (and needs) lots of i/o ports -- to move data off the network for operational reasons. Was ported up to JWICS through one of the approved low-to-high gateways. So the malware may be floating around on these classified IP networks looking for certain types of documents, which it may or may not find, and then looking for a target domain, which it will probably never find. Unless.... it really IS that rara avis, the "trusted insider." Hope to find out someday.

Dirk Praet • December 15, 2011 7:55 PM

Makes you wonder if it were the original Agent.btz authors who moved on to writing Stuxnet and Duqu, or that some folks involved in Buckshot Yankee kinda found it an interesting approach that could work for their employers too.

RobertT • December 15, 2011 9:42 PM

For me this all speaks to the effectiveness of current generations of air-gap-jumping viruses. We have stored up good zero-day methods, developed good virus seeding methods, found good local deployment methods (dropped USBs), (sneak-and-peek replacements of service personnel USB sticks).... What's clearly missing is a good covert information return channel.

So my only question is: how many other ways are there to construct efficient covert data return channels, or better still covert control channels, for air-gapped systems?

Clive Robinson • December 16, 2011 12:18 AM

@ Leolo,

"@LinkTheValiant : DVD-R maybe?"

Only if you remember as a user to fill the disk the right way and close the session.

Oh and as an admin make sure that the drive interface is sufficiently high level and free of "test mode software" such that you can not write bits over existing bits. In this respect DVD-R is just like flash NAND memory....

Clive Robinson • December 16, 2011 12:43 AM

@ RobertT,

If you think back I described how to do this air-gap jumping in comments I made on the Cambridge Labs and this blog in exactly the way these people did it, likewise for Stuxnet. A little while before the time they are reported to have actually gone into action.

One of the things I deliberately refrained from doing was describe how to covertly get the information back out again without using the standard "ET phone home" techniques.

I actually know of five different basic ways to do it one of which (playing with EMC) is "local" not distant. You and I have discussed on this blog before when talking about backdooring chips and getting LF/MF signals back through the power supply where you suggested a much much better modulation method.

I must admit that both Stuxnet and Buckshot Yankee have shaken me up a bit, because they both did things I publicly described but not the things I deliberately withheld. I can't get the thought out of my head that if you are bright enough to have independently thought these attack vectors up then you are more than bright enough to go the extra step. Especially as one route of egress is fairly obviously the inverse of the ingress, with just a couple of minor variations. One of which is to use a broadcast "beacon" but... only after using the presence or absence of say Google to decide to turn that method on via a normal user style search for say weather etc. Likewise they could also have used a variation of the botnet headless control channel I've described in the past...

Clive Robinson • December 16, 2011 1:52 AM

@ RobertT,

I forgot to add why I was shaken up.

Think about how Bruce must have felt when, after making frequent comments about how useless body scanners are because you could always stick the bomb up your back passage, somebody actually went and did it for real...

There was a noticeable change in the way Bruce commented etc. after that, in that he does not to the same extent mention "new ideas" on direct circumvention techniques any longer, which appears to some people to have taken the fire out of his arguments against the likes of the DHS et al...

It's a real problem because when dealing with certain management types, if you caution against certain actions they will claim things are not possible, that you don't know what you are talking about, etc. etc. etc., and shout you down. Basically they do anything to not act responsibly; then when it goes wrong and they get, figuratively speaking, a big smack in the face, they claim "but who could have predicted it"...

Which is just one reason why researchers went live with example exploit code etc. They then unfortunately became a lightning rod, because having brought forth the bad news in a believable way, as the messenger, management then try to kill them (perhaps less than figuratively when you consider what some legal practitioners have got up to).

So damned if you do, damned if you don't, but worse, you think when discussing the ideas on this and other blogs at a 20,000ft level without including specific implementation details, you are being responsible in giving a message that gives a warning to the wise. Then you find somebody has used it to do significant harm that could have endangered lives or arguably been a contributory cause to the deaths of several people. You can't help thinking "was I indirectly responsible?". You try to convince yourself it's coincidence, or what you said is obvious, but when the evidence starts to stack up that indirectly refutes that, it gives you a distinct sense of disquiet, and it is not shaken off easily.

Anyway although it is not an "Alfred Nobel obituary" moment it still makes you think.

RobertT • December 16, 2011 2:47 AM

@Clive R
"You and I have discussed on this blog before when talking about backdooring chips and getting LF/MF signals back through the power supply where you suggested a much much better modulation method."

I realize that we have discussed it in broad terms, but I've got a feeling that maybe some others are way ahead of me in the implementation of real life covert data return channels.

As with most official reports, I find the glaring omissions far more intriguing than the obvious admissions. As a result, I don't find it surprising that details about Buckshot Yankee get publicly released after the official acknowledgment, and public dissection, of Stuxnet. Neither is it a surprise that there are sections of the Stuxnet code that are not understood.

As for my own efforts, I have managed to create and test a couple of covert return channels, based on techniques that we discussed, but they only work well over relatively short distances (1000 m) for a data bandwidth of 1 kbps.

BTW as a sort of pentest I did manage to get an MV=>LV electricity transformer modified to add a HF coupler between MV and LV sides of the system. I achieved this at a location where I had absolutely no authorization to make these modifications. In fact it was surprisingly easy ... Unfortunately I could not pick up the emissions from the MV system even when I tuned to what I estimated to be the 1/4 wavelength antenna for the MV section.

I'm also playing around with an idea that involves actively suppressing conducted emissions from normally operating equipment. If you test the unit it measures better than the unmodified. Unfortunately the mechanics of extracting a spread signal's absence are a little more intricate than the standard correlation techniques that prove its presence.

I also tried some covert link / control methods that were originally developed for ASW systems; there is a lot of similarity when you consider the maximum Rx distance to be limited by multipath problems, such as comms in a conical channel.

RobertT • December 16, 2011 3:22 AM

@CliveR
I hear what you are saying about shooting the messenger for both admissions and omissions; been there, done that, got the T-shirt. You can't win that one, especially when the management or their political masters are about as dumb as a door frame.

As for professional "state level actors" being guided by my musings on a blog, I don't flatter myself. They're ahead, I'm behind! The few tricks that I glean from the publicly available are as likely as not disinformation, or maybe I'm actually the disinformation vector...

Anyway, if someone actually wanted me to work on this sort of system, they could just hire me, I don't share your well developed sense of social awareness, afraid I'm just your average Techno-whore.

Of course whenever you hire someone because they are technically ONE step ahead of you, you need to honestly ask yourself if they are actually 2, 3 or even 4 steps ahead, because I'll guarantee you that, personality wise, they are narcissists. So you are definitely making a deal with the devil.

renoX • December 16, 2011 3:30 AM

@name: The problem is that Windows will auto-run executable code that's on a USB stick when it's inserted into the machine.

This is a problem sure, but even if you disabled this feature, you'd be safer but not safe: I remember a presentation where they attacked the filesystem parsing code.
Remember data is code!

ATN • December 16, 2011 3:54 AM

So, in short, the army has discovered in 2008 that Windows is not secure, and cannot be made so.
Some civilian people have noticed that since we have had floppy disks, we have had viruses on PC/Windows products.
They have detected the badly written virus which tries to reply over the network, instead of saving the reply on the USB and then transmitting it when on an open network the next time the stick is inserted into the cybercafe PC, before erasing itself completely - so they say there isn't any need for more complex reaction.
Let's imagine we have James Bond 007 to save military networks when bad things will happen... After all, the six-digit-salary guy who decides to set those rules/OS is not responsible because "let's not attribute to malice what can be explained by stupidity".

Paeniteo • December 16, 2011 3:55 AM

@LinkTheValiant: "But given that you never can be SURE that a flash memory device is clean,"

IMHO, encryption also somewhat handles this part... It should be impossible to plant code on a USB stick that is fully encrypted.

It doesn't protect against a trusted insider, but that cannot be helped anyway (not even by printing and OCRing, if you do a dumb "shelexec ocr-result" afterwards).

~thc • December 16, 2011 4:03 AM

The worm itself (http://www.f-secure.com/v-descs/worm_w32_agent_btz.shtml) is activated by the most stupid Windows feature ever designed: AutoRun. The file on the thumb drive is a DLL. It cannot be activated accidentally - you have to invoke a command line like "rundll32.exe E:\rntl.dll,InstallM" to do it manually.

The worm copies itself to C:\Windows\System32 and creates registry keys under HKCR\CLSID to complete the infection. This requires administrative rights and classifies it (IMHO) as a "normal XP Trojan".

The first computer infected inside the military had autorun enabled and the user had admin rights. Maybe the military should fire their admins and hire some real ones instead (Also valid if the user involved WAS the admin).

This is just another stupid Trojan downloader which hopped inside a military network by happenstance and was caught because it tried to download its payload from "worldnews.ath.cx", setting off the alarms inside the NSA.

No piece of real espionage software would act that bluntly.

BTW: The thumb drive could have been used the other way round: copy classified information onto it, carry it to an internet café and send it via email or other upload methods (bypassing network access restrictions completely).
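
As an added example (mine, not code from the thread, from F-Secure or from any report on the incident), here is a small Python triage routine for the autorun.inf that AutoRun reads from removable media. It reports the entries that would cause code to launch, including the rundll32 DLL-loading pattern ~thc describes, so that a media-intake check or an analyst sees what would run before anything is double-clicked. The sample files, the DLL and the executable names are constructed placeholders.

```python
"""Triage of an autorun.inf found on removable media (constructed example).

Windows AutoRun reads the [autorun] section and, where enabled, launches
whatever the open=, shellexecute= or shell\\<verb>\\command= entries name.
This routine reports those entries so they can be reviewed before use.
"""
import re
from typing import Dict, List

# Keys whose value AutoRun treats as a program to launch.
LAUNCH_KEYS = {"open", "shellexecute"}
# "rundll32 <dll>,<export>" is how a DLL (rather than an .exe) on the stick gets run.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+)\s*,\s*(?P<export>\S+)", re.I)
CODE_EXT_RE = re.compile(r"\.(?:exe|dll|scr|com|bat|cmd|vbs|js)\b", re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section; keys are lower-cased."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def is_launch_key(key: str) -> bool:
    """True for open=, shellexecute= and shell\\<verb>\\command= entries."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def triage(text: str) -> List[str]:
    """Return one finding per entry that would launch code; [] means none."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not is_launch_key(key):
            continue
        m = RUNDLL_RE.search(value)
        if m:
            findings.append(f"{key}: rundll32 loads {m.group('dll')} export {m.group('export')}")
        elif CODE_EXT_RE.search(value):
            findings.append(f"{key}: launches {value}")
        else:
            findings.append(f"{key}: launch entry with unrecognised target {value!r}")
    return findings


# Constructed sample files; example.dll and setup.exe are placeholders.
BENIGN = """[autorun]
icon=photos.ico
label=Holiday Photos
"""

DLL_LOADER = r"""[autorun]
open=rundll32.exe example.dll,Install
shell\open\command=rundll32.exe example.dll,Install
icon=photos.ico
"""

EXE_LAUNCHER = """[AutoRun]
ShellExecute=setup.exe /quiet
"""

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("dll_loader", DLL_LOADER), ("exe_launcher", EXE_LAUNCHER)]:
        print(name, triage(sample) or "no launch entries")
```

The check is deliberately independent of whether AutoRun is enabled on the receiving host: a stick that carries a launch entry is worth a second look even where the policy already blocks it, because it tells you the media has been somewhere that writes such entries.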

Brett O • December 16, 2011 8:42 AM

I know first-hand why Agent.btz overwhelmed DoD. It got its foothold in the command that fought Iraq & Afghanistan. While the command supposedly was in charge, the constituent organizations of the services all asserted autonomy. For example I would request drives be wiped and USB drives checked only to be rejected or get a non-answer. JTF-GNO refused to assert oversight to do the same, and trigraph agencies were more concerned with intel related issues (as noted in the article). The result was Centcom was overrun, as well as vast portions of DoD. So when it got seriously disruptive, USB drives were banned and mass-reformatting of drives was instituted (finally).

As to the other points, cyberwar is not warfare and the targets are mostly civilian (critical infrastructure), so CyberCommand should be kept out of the internet. However, the internet is non/multi-national, so DHS is a poor choice for protecting it. OK, DHS isn't good at much of what they are supposed to do, so why give them something so important?

Brett O • December 16, 2011 8:44 AM

BTW, I'm in DC area, so I'll check if it is the print version and scan. Or maybe screen capture from the online (or not if copyright issue).

Brett O • December 16, 2011 8:50 AM

worldnews.ath.cx too, ~thc? It looks like we could share some of the same stories... maybe we can co-author a book on topic?

Brandioch Conner • December 16, 2011 8:57 AM

@ATN
@~thc
I agree with both of you. The question is how to resolve these issues in the future?

1. Allowing ANYONE to take USB drives in / out. Even without the "virus" issue this is a MAJOR security risk.

2. Why not have some way of alerting upper levels when a USB / blank CD / any portable media is loaded on any of the "secure" machines?

3. Administrator level access? If you must use Windows at least configure it correctly.

4. Leaving auto-run enabled. See #3.

5. How about periodic reviews of the systems? This was caught when it tried to "phone home". What if the next "virus" is more intelligent than that? The more "secure" the system, the more frequent the reviews.

And so forth.

There's no excuse for this happening. But I'm sure that it will happen again. And for the same reasons with the same vulnerabilities.
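
Added example (mine, not from any commenter or from the report under discussion): the worm in ~thc's account was noticed only because it tried to fetch a payload from a dynamic-DNS host, and item 5 above asks what happens when the next one is quieter. One standing check that does not depend on knowing the bad domain in advance is to alert whenever a host on an isolated segment asks the resolver for any external name at all; here it runs over constructed resolver log lines. The log format, the address range of the isolated segment and the suffix lists are assumptions for this example; worldnews.ath.cx is the domain named in the thread.

```python
"""Detection over DNS query logs from a segment that should have no Internet egress.

Constructed example: a host on an isolated segment asking for an external name
is itself an egress attempt. Names under dynamic-DNS suffixes get a higher
severity because they are cheap, throw-away rendezvous points.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ISOLATED_SEGMENT = ip_network("10.50.0.0/16")               # assumed enclave range
INTERNAL_SUFFIXES = (".corp.example", ".local")             # names the enclave may resolve
DYNDNS_SUFFIXES = (".ath.cx", ".dyndns.org", ".no-ip.org")  # assumed watch-list of dynamic-DNS zones


@dataclass
class Alert:
    client: str
    qname: str
    severity: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse 'TIMESTAMP client=IP qname=NAME qtype=T' into (client, qname); None if malformed."""
    fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
    if "client" not in fields or "qname" not in fields:
        return None
    return fields["client"], fields["qname"].rstrip(".").lower()


def is_internal(qname: str) -> bool:
    """Single-label names and names under the internal suffixes are expected traffic."""
    return "." not in qname or qname.endswith(INTERNAL_SUFFIXES)


def detect(lines: List[str]) -> List[Alert]:
    """Return an alert for every external lookup made from the isolated segment."""
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        try:
            addr = ip_address(client)
        except ValueError:
            continue
        if addr not in ISOLATED_SEGMENT or is_internal(qname):
            continue
        severity = "high" if qname.endswith(DYNDNS_SUFFIXES) else "medium"
        alerts.append(Alert(client, qname, severity))
    return alerts


# Constructed log lines, not taken from any real resolver.
SAMPLE_LOG = [
    "2011-11-01T10:00:01Z client=10.50.3.7 qname=fileserver.corp.example. qtype=A",
    "2011-11-01T10:00:05Z client=10.50.3.7 qname=worldnews.ath.cx. qtype=A",
    "2011-11-01T10:00:09Z client=10.50.8.2 qname=update.example.com. qtype=A",
    "2011-11-01T10:00:12Z client=192.168.1.20 qname=www.example.org. qtype=A",
    "2011-11-01T10:00:15Z client=10.50.3.7 qname=printer01 qtype=A",
    "garbage line without fields",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.client} looked up {a.qname}")
```

The medium-severity alert on update.example.com is the point of the design: on a segment that is supposed to be air-gapped, the resolver should never see an external name, so the rule fires on the attempt rather than on a reputation match, and the dynamic-DNS list only adjusts the priority.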

Dirk Praet • December 16, 2011 1:23 PM

@ Brandioch Conner

There's no excuse for this happening

Spot-on. The problem is always the same: tech guys can point out any risk area whatsoever, but then they get snubbed by those who don't understand the issue or consider it unlikely to ever occur. Even at organisations with a serious business case/driver to implement all of the necessary policies (compliance, regulation etc.), my experience is that way too often policy enforcement after certification no longer is a priority in any way.

But it depends from one place to another. I have done work at several military facilities where bringing in any sort of removable media - especially the writeable kind - or carrying a Bluetooth enabled device would get you in a whole lot of trouble if you were caught with them. Being walked off the premises by MPs or having your clearance revoked on the spot were just some of the minor consequences. And that was way before 2008.

Walter • December 16, 2011 1:44 PM

@Clive Robinson:
but worse, you think when discussing the ideas on this and other blogs at a 20,000ft level without including specific implementation details, you are being responsible in giving a message that gives a warning to the wise. Then you find somebody has used it to do significant harm that could have endangered lives or arguably been a contributory cause to the deaths of several people. You can't help thinking "was I indirectly responsible?". You try to convince yourself it's coincidence, or what you said is obvious, but when the evidence starts to stack up that indirectly refutes that, it gives you a distinct sense of disquiet, and it is not shaken off easily.

Or we just stop aggrandizing ourselves by thinking the whole world listens to us.

LinkTheValiant • December 16, 2011 2:29 PM

IMHO, encryption also somewhat handles this part... It should be impossible to plant code on a USB stick that is fully encrypted.

Logically speaking, were that the case, we could easily defeat malicious payloads on flash drives by XORing them with a pseudorandom key and transmitting the key separately.

The point is, if you use digital media, of any sort, you can never be SURE that it is clean. Doesn't matter whether it's write once or write many. (As Mr. Robinson points out, even write once is not necessarily once.)

Or we just stop aggrandizing ourselves by thinking the whole world listens to us.

While Mr. Robinson's remark may be somewhat self-aggrandizing, it's not outside the realm of possibility that just such a thing happened. This blog's readership is FAR higher than the population of its active commenters.

Besides which, Mr. Robinson can be forgiven a little self-promotion, given his long contributions to this community.
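
As an added example (mine, not from Paeniteo, LinkTheValiant or anyone else in the thread), the distinction this exchange circles is confidentiality versus integrity. A stream cipher keeps Eve from reading the stick but does nothing to stop someone with write access from changing what it says: flipping a ciphertext bit flips the same plaintext bit, with no key needed and no error raised. An authentication tag over the ciphertext (encrypt-then-MAC) turns the same edit into a detected failure before the data is used. Keys, nonce and the stored config line are constructed, and the SHA-256 counter keystream is an illustration standing in for a real cipher, not something to deploy.

```python
"""Encryption alone versus encryption with integrity, for data carried on removable media.

Added example with constructed keys and data. The keystream below is a toy
(SHA-256 in counter mode) chosen so the block runs with the standard library;
the malleability it exhibits is shared by every unauthenticated stream cipher.
"""
import hashlib
import hmac
import os
from typing import Tuple

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration, not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: media contents were modified")
    return xor_crypt(enc_key, nonce, ct)


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """What a party with write access but no key can do: XOR one byte of the stored bytes."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def demo(enc_key: bytes, mac_key: bytes, nonce: bytes) -> Tuple[bytes, bool]:
    """Return (plaintext the reader gets with encryption only, whether encrypt-then-MAC caught it)."""
    plaintext = b"autostart=0"           # constructed config line stored on the stick
    idx, mask = 10, ord("0") ^ ord("1")   # flip the final byte from '0' to '1'

    # Encryption only: the attacker never learns the key, yet steers the plaintext.
    tampered_ct = flip_byte(xor_crypt(enc_key, nonce, plaintext), idx, mask)
    silently_changed = xor_crypt(enc_key, nonce, tampered_ct)

    # Encrypt-then-MAC: the same flip is refused at verification time.
    tampered_blob = flip_byte(seal(enc_key, mac_key, nonce, plaintext), NONCE_LEN + idx, mask)
    try:
        open_sealed(enc_key, mac_key, tampered_blob)
        detected = False
    except ValueError:
        detected = True
    return silently_changed, detected


if __name__ == "__main__":
    changed, caught = demo(os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN))
    print("encryption only  ->", changed)
    print("encrypt-then-MAC ->", "tamper detected" if caught else "NOT detected")
```

Two things the block does not change: the receiving system still has to treat whatever decrypts as data rather than executing it, and the tag only proves the bytes are the ones the sealing party wrote, which says nothing about whether that party was trustworthy.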

Brandioch Conner • December 16, 2011 2:35 PM

@Dirk Praet
"Even at organisations with a serious business case/driver to implement all of the necessary policies (compliance, regulation etc.), my experience is that way too often policy enforcement after certification no longer is a priority in any way."

Same here.
It seems that it is more about "certification" than "security". If you are out of "compliance" then you can lose your certification.

But if you have policies that are obvious security issues, that's okay as long as there isn't a compliance issue.

Security is easy.
But it is even easier to skip security.

crystalattice • January 11, 2012 4:42 PM

I have never understood why immediate A/V detection isn't run when a new device is attached to a computer. Back when floppies ruled the land, A/V programs would automatically detect it and run a virus check before the user could access the drive (if set up for it). Now, it seems the military completely ignores virus detection on the client side and prefers to use system-wide scans at periodic intervals.

IMO, if client-side A/V were properly set up, it could have potentially identified the malware and prevented its spread, eliminating (or significantly reducing) the need to ban USBs.

But it is so much easier to have a massive ban than to think up and implement a more realistic approach.
