Researchers at security firm Recorded Future have spotted a hacker selling sensitive documents about military drones, the company said in a report Wednesday.
The files aren’t believed to be classified, but they contain markings indicating that their export outside of the United States is restricted, according to the report from Recorded Future’s Insikt Group. The documents include a cache of information relating to the MQ-9 Reaper drone, including training manuals and a list of Air Force personnel assigned to a Reaper maintenance unit.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft,” the report warns.
The MQ-9 Reaper has been widely used in Iraq and Afghanistan and has also been used by Customs and Border Protection for border surveillance.
A second set of files apparently obtained by the same hacker, likely from a different compromised computer belonging to the Army or Pentagon, included IED defense manuals and an operations manual for the M1 Abrams tank.
Recorded Future analysts spotted the hacker offering the drone documents for sale on a hacker forum in early June. The company contacted the Department of Homeland Security, says Andrei Barysevich, director of advanced collection at Recorded Future.
While sensitive data such as credit card numbers and other personally identifiable information is sometimes offered for sale on the Dark Web, it’s much less common to see military data for sale on underground hacking forums, Barysevich says. Remarkably, the hacker asked just “$150 or $200” for the drone files.
“Not only is it super low and super cheap, we’ve never seen documents of this magnitude being sold on the Dark Web,” he says.
The analysts believe the hacker, who they say is affiliated with an overseas private hacking group they declined to name citing the ongoing investigation, obtained the drone documents by exploiting a well-known vulnerability in certain Netgear routers. If login credentials aren’t changed from defaults when the devices are set up, hackers can connect to them to access data without permission. Vulnerable routers can be spotted with tools like Shodan, a popular internet-of-things search engine, Recorded Future warns.
“When we tried to replicate the same attack that he was doing, we identified more than 4,000 vulnerable systems,” says Barysevich. “We didn’t log in to any of them.”
After the company reported the issue to DHS, a vulnerable Air Force router was apparently secured, and the hacker complained the documents were no longer available. Barysevich says the hacker is believed to have been on a limited internet connection and not to have downloaded the full set of documents himself.
The tank and IED manuals are believed to have been found through a separate hack, and the hacker is also believed to have accessed sensitive drone and camera footage.
“During the Insikt Group analyst’s engagement with the actor, he professed that on days he was not hunting for his next victim, he entertained himself by watching sensitive live footage from border surveillance cameras and airplanes,” according to the report. “The actor was even bragging about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.”
UPDATE: In a statement emailed to Fast Company, Netgear senior product security manager Lisa Napier says the router vulnerability can be averted with an existing firmware update. “NETGEAR has previously released a firmware that fixes this issue,” she writes. “We ensure that remote services are disabled by default, and passwords are required to be configured during device setup.”