The worst cyber attack in DoD history came from a USB drive found in a parking lot

Blake Stilwell


The media dubbed it “The Worm that Ate the Pentagon” and it was the most serious breach of the Pentagon’s classified computer systems. In November 2008, the Army caught a worm called Agent.btz crawling through the Defense Department’s Secret Internet Protocol Router Network – the classified SIPRNet – as well as the Joint Worldwide Intelligence Communication System used by the U.S. government’s top intel agencies.

No one knows if any information was taken or who its creator was. All they know is it took 14 months to eradicate.


The worst breach of U.S. military computers in history began in 2008, in a parking lot at a U.S. military installation in the Middle East. A flash drive infected with a virus called “agent.btz” was inserted into a DoD computer network and quickly spread throughout the U.S. military’s classified and unclassified networks. Data – anything on these networks – could now be transferred to other servers under the control of agent.btz’s creator. The worst part is that no one knew it was there, what it might have sent, or to whom the information went.

Once in place, the malicious code began to “beacon” out to its creator, letting whoever created it know that it was in place and ready for further instructions. That’s the only way analysts from the NSA’s Advanced Networks Operations team noticed it was there. At the height of the Global War on Terror, the Pentagon’s defense intelligence networks had been compromised.

“Go over to that village and get the wifi password. My USB drive isn’t working.”

The NSA and DoD quickly determined the cause of the infection, and banned thumb drives as a response. They then collected thousands of thumb drives from officers and other troops in the field, finding they were all infected with the worm as well. Reports of new infections to the network didn’t slow down until well into 2009. In an operation called “Buckshot Yankee,” the Defense Department led an all-out assault on the worm. The effort was so intense and deliberate that it led to the creation of the 11th military unified command – The U.S. Cyber Command.

Pentagon officials blame Russian agents for the virus, but individuals who worked on Buckshot Yankee dismiss that assertion, saying that the worm, though potentially destructive, ended up being “relatively benign.” Still, others assert that Russian intelligence agencies have used code similar to agent.btz before. Even with the concerted effort against the worm, Pentagon officials couldn’t answer the simplest of questions. How many computers were affected? How many drives were infected? Where was the virus’ patient zero?

No one knew. To this day, no one knows for sure.

The Air Force’s “silent service.”

In the end, it taught the Defense Department an important lesson. It was much more vulnerable to a small threat, even a cyber threat, than it should have been. Now the DoD claims it is better-equipped to detect such threats and infections, and to respond to them. The policy shift took the responsibility of protecting classified and unclassified Defense networks out of the hands of the local IT troops (or contractors) and put it in the hands of senior commanders.