
Friday, 09 December 2011

Open Source Analysis of the RQ-170 Stealth Sentinel Loss to Iran

Courtesy of Recorded Future: https://www.recordedfuture.com/rf/s/2z0Cm4
The loss of the RQ-170 Stealth Sentinel drone to Iran is potentially one of the most critical events of 2011 because it implies an offensive electronic warfare or cyber capability that no one expected Iran to have. Now that Iran has released a video of the captured drone and the U.S. government has confirmed that it's authentic, it's clear that the original FARS report claiming that it was captured via electronic means may have been accurate in spite of unanimous Western media reports to the contrary, i.e., that it was shot down.

EMEA's strategic intelligence report on the RQ-170 says that the Stealth Sentinel is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF). According to EMEA:
The UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link. The 27.43m wide and 1.82m high aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.
According to Earl Lum, President of EJL Wireless Research LLC, what is supposed to happen when an Unmanned Aerial Vehicle (UAV) like the RQ-170 loses its comms link is that it should autonomously follow a pre-programmed lost-link profile consisting of waypoints at various altitudes, forming a loop until it re-establishes contact or crashes. The communication link for UAVs today is typically LOS (line of sight). If the aircraft drops below the mountains and loses LOS, it is supposed to go through this process. However, while this applies to UAVs in general, it may not be the case with the RQ-170.

Navigation technology
According to the EMEA report, the RQ-170 can be controlled either manually from the GCS or in autonomous mode. An automatic launch and recovery (ALR) system enables the aircraft to land safely when communication with the control station fails.
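The two failure behaviours described above (loop a pre-programmed lost-link profile until the link returns or fuel runs out, versus an ALR-style automatic landing after a lost-link timeout) as an added toy simulation; this is not code from the original post or from any real flight controller, and all timings, waypoints and fuel figures are constructed for illustration.

```python
"""Toy lost-link state machine (added example; constructed values throughout)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple

class Mode(Enum):
    LINKED = "linked"        # operator has control via the GCS data link
    LOST_LINK = "lost_link"  # flying the pre-programmed waypoint loop
    LANDED = "landed"        # ALR brought the aircraft down autonomously
    CRASHED = "crashed"      # fuel exhausted before the link came back

@dataclass
class UAV:
    link_timeout_s: int                          # seconds without a heartbeat before lost-link logic engages
    fuel_s: int                                  # remaining endurance in seconds
    profile: List[Tuple[float, float, int]]      # lost-link waypoints (lat, lon, altitude_m)
    alr_enabled: bool = False                    # hypothetical ALR switch: auto-land after alr_after_s lost
    alr_after_s: int = 0
    mode: Mode = Mode.LINKED
    last_heartbeat_s: int = 0
    idx: int = 0
    track: List[Tuple[float, float, int]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def step(self, t: int, heartbeat: bool) -> Mode:
        """Advance one second of flight; heartbeat=True means the GCS link delivered a message."""
        if self.mode in (Mode.LANDED, Mode.CRASHED):
            return self.mode                     # terminal states
        self.fuel_s -= 1
        if heartbeat:
            self.last_heartbeat_s = t
            if self.mode is Mode.LOST_LINK:
                self.log.append(f"t={t}: link restored, operator control resumed")
            self.mode = Mode.LINKED
        elif t - self.last_heartbeat_s >= self.link_timeout_s:
            if self.mode is Mode.LINKED:
                self.log.append(f"t={t}: link lost, flying lost-link profile")
            self.mode = Mode.LOST_LINK
        if self.mode is Mode.LOST_LINK:
            self.track.append(self.profile[self.idx])
            self.idx = (self.idx + 1) % len(self.profile)   # loop the profile indefinitely
            if self.alr_enabled and t - self.last_heartbeat_s >= self.alr_after_s:
                self.log.append(f"t={t}: ALR timeout reached, landing autonomously")
                self.mode = Mode.LANDED
        if self.fuel_s <= 0 and self.mode is not Mode.LANDED:
            self.log.append(f"t={t}: fuel exhausted")
            self.mode = Mode.CRASHED
        return self.mode

def make_uav(alr_enabled: bool = False, alr_after_s: int = 0) -> UAV:
    """Constructed sample aircraft: 3 s link timeout, 20 s of fuel, three loop waypoints."""
    profile = [(34.0, 61.0, 6000), (34.1, 61.1, 5000), (34.0, 61.2, 7000)]
    return UAV(3, 20, profile, alr_enabled, alr_after_s)

def fly(uav: UAV, heartbeats: List[bool]) -> Mode:
    """Run the aircraft through a per-second heartbeat pattern and return its final mode."""
    for t, hb in enumerate(heartbeats):
        uav.step(t, hb)
    return uav.mode
```

With the link never returning the aircraft loops until fuel runs out; with a brief outage it resumes normal operation; with ALR enabled it lands itself, which is the case the summary below treats as the benign explanation.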

Ground control station
The GCS of the RQ-170 displays the real time imagery or video captured by the vehicle's onboard payload cameras. The data supplied by the vehicle is retrieved, processed, stored and monitored at the control station, which was designed and built by Skunk Works. The GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS and SATCOM data links. The Sentinel is operated by the 432nd Wing of Air Combat Command (ACC) at Creech Air Force Base, Nevada, and the 30th Reconnaissance Squadron at Tonopah Test Range, Nevada.

Related cyber incidents that may have compromised the RQ-170:
- A South Korean newspaper, JoongAng Daily, reported in December 2009 that the RQ-170 was flight tested in South Korea to supersede the U-2 aircraft at Osan Air Base for carrying out missions over North Korea. North Korea is an ally of Iran and has conducted offensive CNE (Computer Network Exploitation) and CNA (Computer Network Attack) missions against South Korea repeatedly for several years. It's unknown what information has been stolen; however, this type of intelligence is highly sought after and it's reasonable to assume that the DPRK would include it on a CNE acquisitions list.
- Lockheed Martin reported a cyber attack in June 2011 that lasted about one week. LM didn't report what was taken; however, as with the DPRK example, UAV research has been targeted at U.S. defense firms as recently as this past summer according to my own confidential sources.
- Creech Air Force Base experienced a malware infection that impacted its UAV Ground Control Stations in October 2011. Its public report on the incident was confusedly written and lacked details regarding the malware involved, its propagation and its remediation.

Summary
The objective of this article is to assess possibilities. Based on EMEA's report on the RQ-170, it appears that the drone had the ability to land itself without operator control. I'd appreciate hearing from any experts who can confirm whether that's the case or not. If it is, then Iran may have lucked out. If it isn't, then Iran's claim that it used its electronic warfare capacity to assume operational control of this substantial U.S. military asset appears to be true. Considering how easy it is for an adversary to conduct CNE against targeted U.S. networks, this is probably a capability that they obtained from one of many mercenary hacker crews who engage in that type of activity. While the scope of this article is hypothetical, the CNE targeting of UAV R&D is a fact borne out by my own company's work in this area. Iran may or may not have that capability now, but eventually it will. The RQ-170 event should be a massive wake-up call for the U.S. Air Force to reinstall a self-destruct capability, harden the RQ-170's operating system, and examine potential vulnerabilities in its UAV fleet supply chain.

UPDATE (1528 PST 09DEC11): From an article in today's SF Gate:

The most frightening prospect raised by what appears to be a largely intact Sentinel is that the Iranians' second claim about how they brought it down -- by hacking into its controls and landing it themselves -- might be true, said a U.S. intelligence official, who spoke only on the basis of anonymity because the RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.
The official said the possibility that the Iranians or someone else hacked into the drone's satellite communications is doubly alarming because it would mean that Iranian or other cyber-warfare officers were able to disable the Sentinel's automatic self-destruct, holding pattern and return-to-base mechanisms. Those are intended to prevent the plane's secret flight control, optical, radar, surveillance and communications technology from falling into the wrong hands if its controllers at Creech Lake Air Force Base or the Tonopah Test Range, both in Nevada, lose contact with it.
UPDATE (1708 PST 22DEC11): Cryptome has an interesting thread on the use of the RSA cyber to protect the GPS Red band used on military systems like the RQ-170. This suggests that data from the RSA breach last March may have been shared with the Iranians.

UPDATE (0715 PST 05JAN12): AviationWeek has an excellent technical article on the F-22 technology used on the RQ-170.

Related:
Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?
How Iran May Have Captured An RQ-170 Stealth Drone
U.S. Air Force Demonstrates How Not To Report A Malware Attack


Sunday, 04 December 2011

Was Iran's Downing of RQ-170 Related to the Malware Infection at Creech AFB?

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:
In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division. Since then, its budget and focus have indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC's cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software, wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs.
The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable of countering any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that it is ready to prove itself with its cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with its own "very strong" defensive capabilities.
In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down; however, FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage, which makes this a cyber attack. The Al-Jazeera story is here.

Tuesday, 11 October 2011

U.S. Defense Dept.'s Organizational Chart for Cyber Operations

In light of today's Wired.com article about how Creech AFB failed to report its virus attack to the 24th Air Force, I thought it might be helpful to see exactly how DoD has structured its cyber operations. The above graphic is best viewed as a Prezi.

Organizations with responsibility in this case could have included USSTRATCOM, which directs the operation and defense of DOD's Global Information Grid, and USCYBERCOM, a command dual-hatted with the NSA that has direct responsibility for protecting the .MIL domains. And then there's the 24th Air Force, which is responsible for the Air Force Enterprise Network GIG and the three Wings that report to it.

24th Air Force
  • Plans and conducts cyberspace operations in support of combatant commands.
  • Maintains and defends the Air Force Enterprise Network GIG.
67th Network Warfare Wing
  • Organizes, trains, and equips cyberspace forces to conduct network defense, attack, and exploitation.
  • Executes air force network operations, training, tactics, and management for the 24th Air Force and combatant commands.
688th Information Operations Wing
  • Aims to deliver proven IO and engineering infrastructure capabilities integrated across air, space, and cyberspace domains.
689th Combat Communications Wing
  • Trains, deploys and delivers expeditionary and specialized communications, air traffic control, and landing systems for Humanitarian Relief Operations and dominant combat operations.
  • Conducts tactical operations in austere, deployed, and joint/coalition environments.
We prepared the above graphic along with a full explanation of DOD's Cyber Operations with the help of the U.S. Government Accountability Office for use in the 2nd edition of my book Inside Cyber Warfare: Mapping the Cyber Underworld (O'Reilly Media) when it's published later this year or early 2012.

Monday, 10 October 2011

    Cybersecurity Issues with Predators, Reapers, and Unmanned Aerial Systems

    Creech Air Force Base UAV hangars
According to Wired, Creech Air Force Base has been struggling to clean its Reaper and Predator Ground Control Stations (GCS) of a persistent virus of unknown origin; perhaps something like TDL-4, which loads before the operating system, right at the beginning of the computer's boot-up sequence. This type of virus is almost impossible to get rid of. Whether it's TDL-4 or something with similar behaviors, I spent the last few days researching Unmanned Aerial Systems (UAVs plus their ground control stations) and there are a few serious cybersecurity issues besides the 2009 unencrypted video feed controversy and the one Noah Shachtman reported about last Friday. Before we get to those, I think it's important to note that while only a few countries (U.S., Israel, Britain, France) are using drones operationally in Afghanistan, over 50 have built or bought them. I wouldn't be surprised to see this technology near the top of someone's list for targeted cyber-espionage.

    Unencrypted mission control data feeds
    On 20 Dec 2009, shortly after the news broke about unencrypted Predator video feeds, a security engineer using the alias "kingcope" posted an article to the Full Disclosure list entitled "Reading Mission Control Data Out Of Predator Drone Video Feeds". He pointed out that not only was the line of sight transmission unencrypted, but so was the Ku-Band satellite transmission which extends the range of interception far beyond just line-of-sight and that if the MPEG stream wasn't encrypted, then the metadata inside the stream was probably being transmitted in the clear as well. Both the mission control data and the video stream data are part of the MPEG stream and could be read using a free tool called LEADTOOLS.

    According to the Air Force, they've known about the unencrypted video feeds for over 10 years, and that it'll be 2014 before that vulnerability is fixed. Presumably that'll include the unencrypted mission control data feed as well.


    Internet Access
There shouldn't be any connection between the UAS network and the public-facing Internet; however, at least one GCS that I looked at did utilize an Internet connection as part of its architecture: the Network Centric Ground System.

I assume that the above network architecture was not deployed at Creech AFB, since the GCS stations would be handling classified data; however, it would be worth a look at how Creech AFB has connected its Ground Control Stations to the Global Information Grid. The volume of data handled is growing at an extremely rapid pace, as is the number of analysts who are viewing it, according to the New York Times. With the deployment of "Gorgon Stare", an incredible 1.8 gigapixel camera offering 12 simultaneous views of the target environment, the UAV firehose must be more massive than ever. Whatever has infected the Creech GCSs could theoretically spread beyond Creech AFB via the GIG. Let's assume that the point of entry was one of the portable hard drives used to load map updates and transport mission videos. Once in the network, its infection path could include print servers and other shared resources regardless of geography. In other words, other Air Force bases that are conducting analysis on this data may be exposed to the same virus that the Creech technicians are struggling with. This could include Britain's Royal Air Force, whose 39 Squadron use Creech AFB as ground control for their own fleet of UAVs. I assume that the Brits are conducting their own analysis of the video feeds, which would stream from Creech's GCS, thus providing a means for the virus to possibly infect British networks.

    Why Kaspersky?
One of the nagging questions that I had after reading Noah's article was why the Creech AFB technicians would go to Kaspersky. DISA's Host-Based Security System website references McAfee as a supporting vendor, not Kaspersky. One of my Twitter followers suggested that they might be dealing with TDL-4, a particularly nasty TDSS variant that was originally detected by Kaspersky and which they've dubbed the "most sophisticated threat today". That might explain why the technicians felt they needed to visit the Russian company's site even though no one has a patch for this; not even Kaspersky. Based upon its description and functionality, a TDL-4 infection would be a worst-case scenario for the U.S. Air Force because it means that their data is being exfiltrated to cybercriminals in a way that's extremely hard to detect:
    TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
    If it is TDL-4, no one has a way to remove it short of shit-canning the old hard drives and buying new ones. And speaking frankly, the Air Force appears to me to be a bit too relaxed about its vulnerabilities in cyberspace. It let its UAS data stream remain unencrypted for over 10 years because someone thought the enemy was too unsophisticated to know how to read it. Someone else apparently thought it was OK to make an exception on its removable media rule for UAV data transfer. And as far as its public response to this breaking story goes, a standard CYA response like the one Lt. Col. Tadd Sholtis gave - "We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover" - is pretty meaningless in light of past events. Then there's the remarks of an unidentified senior Air Force official for Fox News who claimed that Wired's entire story was over-blown:
    "The planes were never in any jeopardy of 'going stupid'," the source said, and the virus "is not affecting operations in any way ... it showed up on a Microsoft-based Windows system. We have a closed-loop system and heavily protected cockpits -- the planes were never in jeopardy."
    I have no idea who this un-named source is or what article he thinks he read but it wasn't the article in Wired. There's not a single mention of planes being in jeopardy or "going stupid" in Noah Shachtman's article. If he can't get his facts straight about what the article said, why should anyone believe his assessment of the malware? Having met and spoken with many USAF officers involved in cyber including some General officers, I know that the Air Force is capable of better cybersecurity management. Hopefully this breach will spur some positive changes before any more damage is done.