New research claims that a hacker tried to sell files on the MQ-9 Reaper drone on the dark web. According to research by threat intelligence company Recorded Future, the hacker harvested the documents from a US Air Force captain’s computer by exploiting a widely known security vulnerability in Netgear routers.
“On June 1, 2018, while monitoring criminal actor activities on the deep and dark web, Recorded Future’s Insikt Group identified an attempted sale of what we believe to be highly sensitive US Air Force documents,” a company blog disclosed. “Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents.”
Insikt Group analysts, who established and maintained direct contact with the hacker in the weeks following the initial advertisement, learned that a previously disclosed FTP vulnerability in Netgear routers was exploited to gain access.
In early 2016, several security researchers announced that Netgear routers with remote data access capabilities were susceptible to malicious attacks if the default FTP authentication credentials were not updated. While two years have passed since the vulnerability was first acknowledged, the problem remains widespread and more than 4,000 routers are still susceptible to the attack.
“Utilizing Shodan’s popular search engine, the actors scanned large segments of the internet for high-profile misconfigured routers that use a standard port 21 to hijack all valuable documents from compromised machines,” according to the report.
The hacker reportedly stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to a Reaper Aircraft Maintenance Unit (AMU) in which the USAF captain serves.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft,” explains the report.
Aside from the Reaper drone files, the hacker also tried to sell a second set of military documents. The source of this second set was never disclosed, but the analysts say that, judging by the content, the documents appear to have been stolen from the Pentagon or from a US Army official.
“More than a dozen various training manuals describe improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics. As with the previous documents, none represent classified materials, although most can be distributed to US government agencies and their contractors only.”
The analysts said they notified officials at the Department of Homeland Security (DHS) of their findings and that the hacker was ultimately blocked from selling the documents. It is unclear, however, if any of the data was copied or shared. A Homeland Security official confirmed to The Hill that Recorded Future reached out to the department about the incident. A spokesperson for the Air Force did not return a request for comment.