Conficker Worms Its Way Into Afghan Mission Network

April 27, 2011
By George I. Seffers, SIGNAL Online Exclusive
E-mail About the Author

(This is the first in a series of online and print reports by SIGNAL Magazine Technology Editor George I. Seffers while embedded with NATO forces in Afghanistan.)

Communicators quickly cure warfighting connections of computer virus.

The Conficker computer virus, which was first detected in 2008, reared its ugly head last week in Afghanistan, where it was detected on the Afghan Mission Networkthe network NATO and coalition forces use to fight the war.

“We had an older virus that showed up on the network, and when that older virus was discovered, we immediately isolated it, protected the rest of the network, identified what we needed to do, and in about five hours, everybody was operating normally again,” says Col. Derek Orndorff, USA, the communications director for the International Security Assistance Force (ISAF) Joint Command in Kabul, Afghanistan. “It was the Conficker worm. It was a success story from our perspective because our tools picked it up, we identified it, we protected the entire network, and we were able to defeat the challenge relatively quickly and get back to business instead of letting it become debilitating to us.”

Conficker exploits vulnerabilities in Microsoft operating systems and can be used to link together multiple computers and control them remotely. Different versions have been detected and can use a variety of attack methods. Experts say millions of computers around the world have been infected, but Microsoft issued a security patch in 2008.

The Afghan Mission Network (AMN) was created to allow NATO and coalition nations in Afghanistan to seamlessly share secret-level information on the battlefield. It uses NATO’s ISAF Secret Network at its core, and through a series of network interconnection points, allows other nations to tie in their own individual networks. U.S. forces, for example, connect to AMN via the Combined Enterprise Regional Information Exchange System (CENTRIXS), which is where the virus first appeared. Col. Orndorff says the cyber forensics team is studying the incident to determine how Conficker was introduced. 

With the support of NATO’s Consultation, Command and Control Agency, AMN went from concept to initial operating capability within about nine months. NATO recently approved funding for improved network operation capabilities for better visibility across the network, for better security and for other AMN improvements that will provide a fully operational capability.

“There was a conglomeration of networks on the battlefield. There were all these different networks roaming around, but nobody was really cross-communicating. Nobody was really sharing information. That was no way to accomplish a mission, and that’s why we needed AMN.”

 Col. Orndorff credits network transparency for helping to quickly stamp out Conficker. “AFN is a very open and flat network, so if a user on an ISAF machine wants to see something on the United Kingdom Overtask [network], there’s no login, no firewalls, no certificates, no passwords. There’s nothing. What that means is that everyone who is part of the network has a shared vulnerability. Everybody shares the same risks. So therefore, when we have challenges, we have to have transparency between all the different parts and pieces or you’re going have problems with it,” he explains. Without that transparency, CENTRIXS network operators could have chosen to remain mum about the Conficker vulnerability, which would have allowed it to spread. “This incident was a perfect example of why this is so successful, because everybody understands where their piece is in this so we can all work together.”

Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.