A member of a dark web hacking forum reportedly attempted to sell documents stolen from U.S. military personnel, including files corresponding to the deadly drone known as the MQ-9 Reaper unmanned aerial vehicle (UAV).
Following a series of undercover interactions, members of Recorded Future’s Insikt Group research team confirmed the authenticity of the highly sensitive — but not classified — materials, the threat intelligence company notes in a July 11 blog post. They also identified the name and country of residence of a key actor associated with the group believed to be responsible for the would-be transaction. Recorded Future is now actively assisting law enforcement in an ongoing investigation.
“It is not uncommon to uncover sensitive data like personally identifiable information (PII), login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market,” wrote author Andrei Barysevich, Recorded Future’s director of advanced collection, in the blog post.
Insikt Group members discovered the illicit activity on June 1 while patrolling dark web forums. Specifically, they encountered an English-speaking hacker offering export-controlled military documents, including a maintenance course book for the Reaper, as well as a list of airmen assigned to the 432nd Aircraft Maintenance Squadron’s Reaper aircraft maintenance unit at Creech Air Force Base in Nevada. An image of the maintenance course book included in the blog post shows that the document is marked “for training use only” and is not to be shared with another nation.
According to Recorded Future, the threat actor stole the documentation from the computer system of a squadron captain whose Netgear router was susceptible to a known two-year-old File Transfer Protocol (FTP) bug. This vulnerability cannot be exploited if the router’s default FTP authentication credentials are updated, but the official apparently never established a new password, despite completing an Air Force Cyber Awareness Challenge as recently as last February.
Barysevich noted that the threat actor used Shodan’s search engine specifically to scan “large segments of the internet for high-profile misconfigured routers that use a standard port 21,” in order to “hijack all valuable documents from compromised machines.”
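The exposure described above, reduced to the check a defender can run against their own equipment: does a reachable FTP service still accept factory credentials? This is an added example, not code from the article or from Recorded Future. It uses Python's standard-library `ftplib` as the client and a constructed minimal FTP responder standing in for a router that still answers to its shipped login; the credential list is an assumption (the `admin`/`password` pair is the usual Netgear factory login, the rest are generic guesses), and the function and class names are the example's own.

```python
import ftplib
import socketserver
import threading

# Factory-default FTP credential pairs to try. "admin"/"password" is the usual
# Netgear factory login; the other entries are constructed guesses plus an
# anonymous login, included for illustration only.
DEFAULT_CREDS = [
    ("admin", "password"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("anonymous", "anonymous@example.com"),
]


def check_default_ftp_creds(host, port=21, creds=DEFAULT_CREDS, timeout=5.0):
    """Try each credential pair against host:port and return those accepted.

    A non-empty result means the service is exposed the way the article
    describes: an FTP port reachable by a scanner that still answers to
    factory credentials. Stops early if the port is closed, filtered, or the
    server drops the connection, since there is then nothing left to test.
    """
    accepted = []
    for user, password in creds:
        ftp = ftplib.FTP()
        try:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(user, password)       # a 530 reply raises error_perm
            accepted.append((user, password))
            ftp.quit()
        except ftplib.error_perm:
            pass                             # rejected: try the next pair
        except (OSError, EOFError, ftplib.Error):
            break                            # unreachable or protocol failure
        finally:
            ftp.close()                      # no-op if never connected
    return accepted


class FactoryDefaultFTPHandler(socketserver.StreamRequestHandler):
    """Minimal stand-in for a router's FTP service (constructed for this
    example, not real firmware): speaks just enough FTP to answer USER, PASS
    and QUIT, and accepts exactly one factory credential pair."""

    VALID = ("admin", "password")

    def handle(self):
        self.reply("220 router FTP service ready")
        user = None
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                       # client hung up
            verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "USER":
                user = arg
                self.reply("331 Password required")
            elif verb == "PASS":
                if (user, arg) == self.VALID:
                    self.reply("230 Login successful")
                else:
                    self.reply("530 Login incorrect")
            elif verb == "QUIT":
                self.reply("221 Goodbye")
                return
            else:
                self.reply("502 Command not implemented")

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode("latin-1"))


def run_demo():
    """Start the fake router on a loopback port, audit it, return the hits."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FactoryDefaultFTPHandler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return check_default_ftp_creds(host, port, timeout=2.0)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    hits = run_demo()
    print("accepted factory credentials:", hits or "none")
```

To reproduce the check the hacker's Shodan search amounted to, point `check_default_ftp_creds` at your own router's public address from outside the LAN; a hit means port 21 is reachable from the internet and the factory login was never changed, which is the combination the article describes. Run it only against hosts you own or are authorized to test.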
A second breached dataset offered by the actor — assessed to have possibly been stolen from a Pentagon officer or U.S. Army official — included a maintenance manual for an M1 Abrams tank, a tank platoon training course, a crew survival course, and a manual for handling improvised explosive devices (IEDs), including convoy risk mitigation procedures.
In his interactions with Recorded Future, the hacker even admitted to gaining access to, and watching for enjoyment, footage from border surveillance cameras and an MQ-1 Predator drone.
“The military response teams will determine the exact ramifications of both breaches,” Barysevich concluded. “However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”