Sensitive US military documents, including training materials for the MQ-9A Reaper drone and an operations manual for the M1 Abrams tank, were recently available for sale on the Dark Web.
A single hacker with apparently moderate technical skills accessed one set of the leaked documents from the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, at the Creech AFB in Nevada, says intelligence firm Recorded Future. The data that was stolen included Reaper maintenance books and the list of airmen assigned to the military drone program at the base.
The source of the other document — pertaining to the M1 Abrams tank — is not clear. But it appears to be part of a larger set of military documents that the same hacker obtained from a separate computer belonging to a US Army official. The second dataset included information on a training course for a tank platoon, documentation on mitigation tactics for an improvised explosive device, and a crew survival course. The documents, while not classified, contained sensitive, export-controlled data, according to Recorded Future in a report detailing its findings.
In both instances of data theft, the threat actor exploited a previously known issue with Netgear routers that allows remote attackers to access data on storage devices connected to the router if the default FTP authentication credentials are not updated. Recorded Future says its research shows more than 4,000 routers worldwide continued to be exposed to the issue — more than 1,430 of them in the US.
Researchers from Insikt Group, Recorded Future’s threat intelligence team, established contact with the threat actor after coming across advertisements for the stolen data in underground forums in early June. The individual — a newly registered, English-speaking member of a hacking forum — claimed he had used the Shodan search engine to search for and find Netgear routers that use a standard port 21 from which he could steal data.
“According to the actor, the data was stolen from two separate computers, and it was released within a week of each other,” says Andrei Barysevich, director of advanced collection at Recorded Future. “In the case of the US Army captain, the hacker had access for a somewhat prolonged period. He lost access to the second computer within a day.”
On days when the actor was not looking for victims, he watched live video footage from border surveillance cameras, airplanes, and a M1-1 Predator drone over Choctawhatchee Bay in the Gulf of Mexico, Recorded Future says. He used the same Shodan engine to search for unprotected Full Motion Video (FMV) streams as he did to find the vulnerable Netgear routers.
But unlike the case with the stolen data, the hacker shared access to the full-motion video streams for free, Barysevich says. “Not only was the actor able to access surveillance footage from drones but also from southern border checkpoints,” he says. “Access to such streams could be invaluable for drug cartels and human traffickers.”
The full ramifications of the data breaches are still unclear. But the fact that a hacker with average skills was able to identify military computers and steal sensitive information from them in a week’s time is concerning, Recorded Future says. “[It] is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” the vendor said.
That the threat actor exploited a 2-year-old vulnerability in Netgear routers suggests the sensitive military data was stored on a system connected to an unpatched or unmanaged wireless access point, says Sherban Naum, senior vice president of corporate strategy and technology at Bromium.
For the military, the question now is whether the documents were on a personal device or a government-issued computer. If the data was stored on a personal device, the question would be why the data was there in the first place. If the data was accessed from a government-issued computer, the question would be why it was connected to an unprotected network, Naum says.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio