Documents containing sensitive information regarding the US military’s MQ-9 Reaper drone have been made available on the dark web in a highly unusual security breach.

Documents relating to the Reaper drone, including maintenance manuals and a list of airmen assigned to the unit tasked with maintaining the drones, were made available for sale on the dark web.

Insikt Group, the cybersecurity research arm of Recorded Future, discovered the breach and was able to make contact with the hacker responsible to discover how he had obtained the documents. The analysts found that the documents had been obtained by hacking the computer of a captain at the 432d Aircraft Maintenance Squadron Reaper AMU OIC, a maintenance unit based in Nevada.

The hacker had gained access using a widely known method involving vulnerable Netgear routers and improperly setup FTP login credentials, indicating the unnamed captain had not fully followed recommended security protocols.

Reaper drone breach

The advert about the Reaper drone data posted on the dark web (via Recorded Future)

How has the Reaper drone leak impacted US security?

The leak is extremely unusual, and will no doubt be the subject of an internal review within the US military.

“It is not uncommon to uncover sensitive data like personally identifiable information (PII), login credentials, financial information, and medical records being offered for sale on the dark web,” wrote Andrei Barysevich, Recorded Future’s director of advanced collection and dark web expert, in a report into Insikt Group’s findings.

“However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market.”

While the data is not classified, it would be of value to an enemy force, providing insight into the Reaper drone’s weaknesses and capabilities.

The MQ-9 Reaper drone is considered one of the most lethal and advanced pieces of military technology produced in decades. It is not only used by the US Customs and Border Protection, US Air Force, US Navy, NASA and the CIA, but also by several other countries’ armed forces.

The threat actor may have also hacked the Pentagon

The hacker – also known as a threat actor – also put documents up for sale that Recorded Future believes were either stolen from a US Army official or the Pentagon.

These included an array of training manuals covering tactics on defeating improvised explosive devices, the operation of specific tanks, tank platoon tactics and crewman survival and training. Once again, while not classified, these are sensitive documents that could prove invaluable to a committed enemy.

3 Things That Will Change the World Today

A “disturbing preview” of security risks to US miltiary

The hacker also demonstrated the ability to gain access to other drone footage. He bragged to an Insikt Group analyst about watching sensitive live footage from border surveillance cameras, drones and aeroplanes, and even shared footage he had accessed.

There will likely be considerable efforts made to catch the hacker threat actor and ensure similar breaches do not happen in the future.

“The military response teams will determine the exact ramifications of both breaches,” wrote Barysevich.

“However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”

Insikt Group has identified the name and country of residents of the suspected threat actor, and is providing assistance to law enforcement.

Reaper drone breach

Footage posted by the hacker from a US military aircraft (via Recorded Future)

The Netgear vulnerability vital to the attack

Central to the leak of Reaper drone data was a well-known vulnerability to routers made by Netgear.

First identified in 2016, the vulnerability concerns the ability to access data fed through the router remotely. When sending data through FTP – short for file transfer protocol, a common way to send large files between computers – if the credentials are not updated, the router is open to attack from threat actors such as the attacker.

In this case, the hacker was able to find the router through Shodan, a search engine for Internet-connected devices that is popular with security professionals. Once they had gained access to the router, they could connect to the computer of the unnamed captain and access the files.

However, if the captain had updated the FTP credentials, the hacker would not have been able to gain access, and so the breach would not have occurred.

“The captain whose computer was compromised recently completed the Cyber Awareness Challenge and should have been aware of the required actions to prevent unauthorized access,” explained Barysevich. “In this case, setting the FTP password.”

For anyone handling any form of sensitive data, it is a vital reminder of how important basic security practices can be.