According to a Popular Mechanics article published on Jul 12, 2018, researchers at security firm Recorded Future have spotted a hacker selling sensitive documents about military drones.
The files aren’t believed to be classified, but they contain markings indicating that their export outside of the United States is restricted, according to the report from Recorded Future’s Insikt Group. The documents include a cache of information relating to the MQ-9 Reaper drone, including training manuals and a list of Air Force personnel assigned to a Reaper maintenance unit.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts,” the report warns.
Speaking to The Hill, the research firm Recorded Future (RF) says it is “100 per cent certain” that the documents relating to the sale are authentic.
Insikt Group made direct contact with the hacker, who responded. Over a period of weeks, the group established that the hacker, who remains anonymous, had compromised a computer belonging to the 432d Aircraft Maintenance Squadron’s Reaper Aircraft Maintenance Unit Officer In Charge (AMU OIC). Known as the 432nd Wing, the unit was the first in the military dedicated entirely to UAV operations. They’re based out of Creech Air Force Base in southern Nevada.
The hacker used the Shodan search engine, which lets users find specific types of internet-connected computers around the globe, to find a weakness in the 432nd. After searching the globe for misconfigured routers exposing FTP on the standard port 21, the hacker found the computer in Nevada.
The captain whose computer was hacked, Insikt notes, had recently completed a Cyber Awareness Challenge. Yet he had not set his computer’s FTP password, which allowed files like Reaper maintenance course books and the list of airmen assigned to the Reaper AMU to slide easily into the hacker’s hands. This was, in Insikt’s words, a “rudimentary attack.”
The files aren’t classified, but they are generally only available to U.S. government agencies and their private contractors.
RF reached out to the Department of Homeland Security about the breach, the agency confirmed to The Hill. The Air Force is “aware of the reporting and there is an investigation into the incident.”
The military is a consistent target of hacking. Last year, U.S. soldiers suddenly had their smartphone geolocation tools turned on without their consent. This action, it later turned out, was triggered by somebody in Moscow.
The second set of files apparently obtained by the same hacker, likely from a different compromised computer belonging to the Army or Pentagon, included IED defence manuals and an operations manual for the M1 Abrams tank.
Recorded Future analysts spotted the hacker offering the drone documents for sale on a hacker forum in early June. The company contacted the Department of Homeland Security, says Andrei Barysevich, director of advanced collection at Recorded Future.
While sensitive data such as credit card numbers and other personally identifiable information is sometimes offered for sale on the Dark Web, it’s much less common to see military data for sale on underground hacking forums, Barysevich says. Remarkably, the hacker asked just “$150 or $200” for the drone files.
“Not only is it super low and super cheap, we’ve never seen documents of this magnitude being sold on the Dark Web,” he says.
The analysts believe the hacker, who they say is affiliated with an overseas private hacking group they declined to name, citing the ongoing investigation, obtained the drone documents by exploiting a well-known vulnerability in certain Netgear routers. If the login credentials aren’t changed from the defaults when the devices are set up, anyone who can reach the router can log in and access the data on it. Such exposed routers can be spotted with tools like Shodan, a popular internet-of-things search engine, Recorded Future warns.
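The misconfiguration described above (an FTP service reachable from the internet with no password required) leaves a trail in the FTP server's own log. The following is an added defender-side example, not code from the article or from Recorded Future: it scans log lines in a format approximating vsftpd's default log and reports anonymous logins and file retrievals by addresses outside the assumed internal ranges. The sample lines, the internal network list and the regexes are assumptions to be adjusted to your own server.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines approximating vsftpd's default log format
# (assumption: adjust LOGIN_RE / DOWNLOAD_RE if your server logs differently).
SAMPLE_LOG = """\
Thu Jul 12 10:15:01 2018 [pid 2] CONNECT: Client "203.0.113.5"
Thu Jul 12 10:15:02 2018 [pid 1] [ftp] OK LOGIN: Client "203.0.113.5", anon password "mozilla@example.com"
Thu Jul 12 10:15:20 2018 [pid 3] [ftp] OK DOWNLOAD: Client "203.0.113.5", "/pub/reaper_course_book.pdf", 1048576 bytes, 5000.00Kbyte/sec
Thu Jul 12 10:16:05 2018 [pid 4] [maint] OK LOGIN: Client "10.20.30.40"
Thu Jul 12 10:16:09 2018 [pid 5] [maint] OK DOWNLOAD: Client "10.20.30.40", "/pub/roster.xlsx", 20480 bytes, 100.00Kbyte/sec
Thu Jul 12 10:17:44 2018 [pid 6] [ftp] OK LOGIN: Client "192.168.1.7", anon password "test@"
"""

# Assumed internal address space: RFC 1918 plus loopback. Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"(?P<anon>, anon password)?')
DOWNLOAD_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK DOWNLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')


def is_external(ip):
    """True when the client address lies outside every INTERNAL_NETS range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable address: surface it rather than silently drop it
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposure(log_text):
    """Group suspicious activity by client IP: every anonymous login (the
    misconfiguration itself, wherever it comes from) and every download
    performed from an external address."""
    findings = defaultdict(lambda: {"anonymous_logins": 0, "external": False, "downloads": []})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            if m.group("anon"):
                rec = findings[m.group("ip")]
                rec["anonymous_logins"] += 1
                rec["external"] = is_external(m.group("ip"))
            continue
        m = DOWNLOAD_RE.search(line)
        if m and is_external(m.group("ip")):
            rec = findings[m.group("ip")]
            rec["external"] = True
            rec["downloads"].append(m.group("path"))
    return dict(findings)
```

An authenticated internal user (10.20.30.40 in the sample) produces no finding, while the anonymous external client shows both the login and the file it pulled.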
“When we tried to replicate the same attack that he was doing, we identified more than 4,000 vulnerable systems,” says Barysevich. “We didn’t log in to any of them.”
After the company reported the issue to DHS, a vulnerable Air Force router was apparently secured, and the hacker complained the documents were no longer available. Barysevich says the hacker is believed to have been on a limited internet connection and not to have downloaded the full set of documents himself.
The tank and IED manuals are believed to have been found through a separate hack, and the hacker is also believed to have accessed sensitive drone and camera footage.