Cyber Incident Victim: United States Air Force
Date: May 2019
Location: United States of America
Summary
The US Air Force investigated a malware intrusion targeting its legal personnel involved in defending a Navy SEAL accused of war crimes, attributing the attack to Navy prosecutors. Malware designed to gain full computer access and track activity was discovered on an Air Force lawyer's devices, with similar malicious software sent to a military publication editor covering the trial. The code allegedly aimed to extract network IP addresses and identify potential document leaks related to the case, potentially constituting unauthorized criminal surveillance if proven intentional.
Description
In May 2019, the US Air Force initiated an investigation into a malware incident involving computers used by its legal personnel defending a US Navy SEAL in a war crimes trial. The malware, described as "tracking software," was discovered on the device of an Air Force Individual Military Counsel collaborating with Navy defense lawyers. According to a memo by US Navy Captain David Wilson, a senior defense attorney, the malware was designed to gain "full access to his computer and all files on his computer." The Air Force classified the incident as a cyber-intrusion, confiscating the affected computer and phone for forensic analysis. The context centered on legal proceedings against the SEAL, who faced charges related to actions in Afghanistan, with inter-service legal cooperation occurring under standard military practice.

Simultaneously, similar malware targeted the editor of the *US Navy Times*, a publication that had extensively covered the SEAL’s trial. Prosecutors suspected unauthorized document leaks due to the detailed reporting, prompting an email containing hidden code intended to extract the Navy Times network’s IP address and relay it to a server in San Diego. The *US Air Force Times* reported this as an apparent effort to identify journalistic sources, noting that such unauthorized surveillance would constitute a criminal offense under US law. The incident highlighted tensions between military legal teams and raised concerns about the weaponization of malware against domestic personnel and media entities during judicial processes. No additional technical specifics, containment measures beyond device seizures, or long-term impacts were disclosed in the available reporting.
