
It seems to me that a more interesting question than "how did the malware get there?" is "why are they telling us that they found it?"

Presumably the default thing to do under these circumstances would be to shut up about it, so the fact that they're broadcasting it to the whole world must mean something. In any case I wouldn't take any of the details at face value -- e.g. do they really not have any idea where it came from, or are they feigning ignorance in the hopes of lulling their opponent into a false sense of security?



Because someone leaked it.

> “We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

The end of the article says they asked for an official response and were stonewalled.

> The Air Force declined to comment directly on the virus. “We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”

'The military' doesn't want anyone to know; some individuals inside do.


Or the military staff is leaking this to motivate the higher-up who green-lit the contract to exert some pressure, because they have unfortunately little direct power themselves.


I don't think that is really an 'or' case. Either someone with authority to disclose makes an official statement or someone lacking that authority leaks it.


I was speaking to the possible motivation for the leak.

I certainly didn't intend my reply as a counterpoint to the "if it's not official it's a leak" point.


An unauthorized leak out of a secretive program disclosing a major vulnerability? That sounds very court-martialable. Especially considering the presumably small number of people who would know about it, and hence the high probability of the leaker getting caught, I find it hard to imagine anyone would risk it, let alone what their motivation for doing so would be. And especially not three different people.

Nope, I don't think the USAF leaks anything like this unless it means to.


They announced the big "jihad on all USB drives" back in 2009. There were factory shrink-wrapped USB drives for sale on base which came pre-loaded with viruses; people would buy those, mark them as Secret, put them on SIPRnet, and then machines would be infected. It was lulztastic, actually.

I think once something hits a large enough scale, they announce it; it's the easiest way to communicate to the affected DoD community (military, contractors, etc.), at which point it is basically public knowledge.


Wow, that's crazy. Do you have a link for that?



It's a leak, not an official comment.

The official comment about the incident from the story is:

“We generally do not discuss specific vulnerabilities, threats, or responses to our computer networks, since that helps people looking to exploit or attack our systems to refine their approach,” says Lt. Col. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft. “We invest a lot in protecting and monitoring our systems to counter threats and ensure security, which includes a comprehensive response to viruses, worms, and other malware we discover.”


Perhaps. But in modern politics, diplomacy, etc., intentional strategic "leaks" are a common practice, for many reasons.


And considering how kindly they looked on some of the mundane stuff revealed by the WikiLeaks debacle... I'd definitely assume this intentional.


Maybe they anticipated a leak and wanted to get out in front of the story.



