    Military Reaper Drone Documents Leaked on the Dark Web
    Recorded Future Blog


    By Andrei Barysevich on July 10, 2018

    Insikt Group

    Scope Note: Initial analysis into the leak of sensitive military information regarding the MQ-9 Reaper unmanned aerial vehicle was initiated as the result of analysts monitoring criminal activity on deep and dark web forums and marketplaces. Direct threat actor interaction allowed Insikt Group analysts to discover other leaked military information available from the same threat actor. Once identified, searches in Recorded Future revealed the extent of the actor’s activities.

    Executive Summary

    On June 1, 2018, while monitoring criminal actor activities on the deep and dark web, Recorded Future’s Insikt Group identified an attempted sale of what we believe to be highly sensitive U.S. Air Force documents. Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents. Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible. This analysis is available to our customers via Insikt’s blog. We continue to assist law enforcement in their investigation.

    Key Judgements

    • Recorded Future identified a newly registered member of a hacking forum attempting to sell highly sensitive documents about the U.S. military MQ-9 Reaper drone.
    • Following the first incident, the threat actor acknowledged another breach involving a large number of military documents from an unidentified officer.
    • The second dataset included an M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.
    • Insikt Group analysts learned that the attacker used a widely known technique: locating internet-exposed Netgear routers whose FTP (ReadySHARE) service still accepted default or otherwise improperly configured login credentials.

    Image: Actor’s activity timeline in Recorded Future.

    Background

    Manufactured by General Atomics, the MQ-9 Reaper is regarded as one of the most advanced and lethal pieces of military technology fielded in the past two decades. According to open sources, the Reaper first flew in 2001 and is currently used by the U.S. Air Force, the U.S. Navy, the CIA, U.S. Customs and Border Protection, NASA, and the militaries of several other countries.

    In 2006, then Chief of Staff of the United States Air Force General T. Michael Moseley said, “We’ve moved from using UAVs primarily in intelligence, surveillance, and reconnaissance roles before Operation Iraqi Freedom, to a true hunter-killer role with the Reaper.”

    Image: Reaper maintenance training documents stolen by the hacker.

    Threat Analysis

    It is not uncommon to uncover sensitive data like personally identifiable information (PII), login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market.

    Image: Original advertisement posted on the dark web.

    In the weeks following the initial advertisement, Insikt Group analysts established and maintained direct contact with the hacker and learned that a previously disclosed weakness in Netgear routers, FTP access to attached storage protected only by default credentials, was used to gain entry. Using the Shodan search engine, the actor searched large segments of the internet for misconfigured routers listening on the standard FTP port (TCP 21), logged in with the unchanged default credentials, and pulled whatever documents were reachable on the compromised machines.

    Using this method, the hacker first infiltrated the computer of a captain at the 432d Aircraft Maintenance Squadron, the Reaper AMU OIC stationed at Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to the Reaper AMU. While such course books are not classified on their own, in unfriendly hands they could give an adversary the means to assess the technical capabilities and weaknesses of one of the most technologically advanced aircraft in service.

    The captain whose computer was compromised had recently completed the Cyber Awareness Challenge and should have known the actions required to prevent unauthorized access; in this case, changing the default FTP password.

    Image: The Cyber Awareness Challenge certificate of completion.

    Following his advertisement for the Reaper drone documents, the threat actor put yet another set of military documents up for sale. This time the source was never disclosed to Recorded Future, but judging by their content, the files appear to have been stolen from the Pentagon or from a U.S. Army official. The more than a dozen training manuals cover improvised explosive device defeat tactics, M1 Abrams tank operation, crewman training and survival, and tank platoon tactics. As with the previous documents, none are classified, although most are restricted to distribution to U.S. government agencies and their contractors only.

    Image: Convoy risk mitigation procedures described in the IED manual.

    During the Insikt Group analyst’s engagement with the actor, he professed that on days he was not hunting for his next victim, he entertained himself by watching sensitive live footage from border surveillance cameras and aircraft. The actor even bragged about accessing footage from an MQ-1 Predator flying over Choctawhatchee Bay on the Gulf of Mexico.

    Image: Screenshot of the aircraft video footage showcased by the hacker.

    Technical Analysis

    In early 2016, several security researchers publicly reported that Netgear routers offering remote access to attached storage could be raided by anyone who connected to the FTP service if the default FTP credentials had not been changed. This is a configuration weakness rather than a software flaw: a firmware update alone does not help a device whose owner never changed the password, and only changing the credentials (or not exposing the service) closes it. More than two years after the issue was first acknowledged, the problem remains widespread; during our recent research, Recorded Future identified more than 4,000 routers susceptible to the attack.

    Image: Shodan scan results with more than 4,000 potentially vulnerable systems identified.

    Netgear has published the steps below as sufficient to close off this exposure. The important one is step 3: the router ships with the user name admin and the password password, and those defaults are exactly what an attacker tries against every router a Shodan search returns. If remote access to the attached storage is not needed, the safer course is not to expose FTP to the internet at all; a strong password on a service that does not need to be reachable is still unnecessary attack surface.

    1. Launch an internet browser from a computer or wireless device that is connected to the network.
    2. Type in http://www.routerlogin.net or http://www.routerlogin.com. A login screen will display.
    3. The user name is admin. The default password is password. However, to prevent unauthorized access, make sure to update the password by using a random combination of letters, numbers, and symbols. The user name and password are case sensitive.
    4. Select ADVANCED > USB Functions > ReadySHARE Storage.
    5. Select FTP.
    6. Click Apply.
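One way to verify your own devices against the exposure described in the Shodan paragraph and the steps above (an added example for this article, not Recorded Future's or Netgear's code): the script below connects to an FTP service, tries the Netgear default admin/password pair and an anonymous login, and returns a one-line verdict. The mock router server is constructed purely so the check runs offline; in practice you would point check_ftp_default_creds at routers you are authorized to test.

```python
"""Audit check for FTP services that still accept vendor default credentials
(Netgear ReadySHARE ships with admin/password).  Added example for this
article, not Recorded Future's or Netgear's tooling.  The mock server is
constructed so the check can be exercised offline; it is not a real router."""
import ftplib
import socket
import threading

# Credential pairs to try.  admin/password are the Netgear defaults quoted in
# the vendor steps above; the anonymous pair catches shares left wide open.
DEFAULT_CREDENTIALS = (("admin", "password"), ("anonymous", "anonymous@"))


def check_ftp_default_creds(host, port=21, timeout=5.0):
    """Connect to host:port and try each default pair in turn.

    Returns a dict with 'reachable' (an FTP banner was received), 'banner',
    and 'accepted' (the first credential pair the server logged in, or None).
    One connection per attempt mirrors how a scanner behaves against many hosts."""
    report = {"host": host, "port": port, "reachable": False,
              "banner": None, "accepted": None}
    for user, password in DEFAULT_CREDENTIALS:
        ftp = ftplib.FTP()
        try:
            banner = ftp.connect(host, port, timeout=timeout)
            report["reachable"] = True
            if report["banner"] is None:
                report["banner"] = banner
            ftp.login(user, password)          # 230 -> returns, 530 -> error_perm
            report["accepted"] = (user, password)
            ftp.quit()
            break
        except ftplib.error_perm:
            continue                           # rejected; try the next pair
        except (OSError, ftplib.Error):
            break                              # unreachable or protocol trouble
        finally:
            ftp.close()
    return report


def risk_label(report):
    """Turn the report into the one-line verdict an auditor would log."""
    if not report["reachable"]:
        return "no FTP service answering"
    if report["accepted"] is not None:
        return "CRITICAL: default credentials %s/%s accepted" % report["accepted"]
    return "FTP exposed but defaults rejected; confirm it should be reachable"


class MockRouterFtp(threading.Thread):
    """Tiny FTP responder that behaves like a router still on its defaults.
    Constructed for the demo only; it speaks just USER, PASS and QUIT."""

    def __init__(self, valid=("admin", "password")):
        super().__init__(daemon=True)
        self.valid = tuple(valid)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))       # ephemeral port on loopback
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        user = None
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 Welcome to ReadySHARE FTP (mock)\r\n")
            for raw in lines:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == "PASS":
                    ok = (user, arg) == self.valid
                    conn.sendall(b"230 Login successful\r\n" if ok
                                 else b"530 Login incorrect\r\n")
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")


if __name__ == "__main__":
    weak = MockRouterFtp()                     # stand-in for a router on defaults
    weak.start()
    verdict = check_ftp_default_creds("127.0.0.1", weak.port)
    print(verdict["banner"], "->", risk_label(verdict))
```

Run against a device after completing Netgear's steps, the expected result is the "defaults rejected" verdict; a CRITICAL verdict means the password change did not take effect or a second service still uses the old credentials. Extend DEFAULT_CREDENTIALS with other vendors' defaults if your estate is mixed.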

    Image: Netgear FTP credentials setup process.

    Outlook

    As these compromises show, even those who should be well versed in basic security hygiene are not immune to rudimentary attacks, and the consequences can be dire. Although private industry has stepped up its security efforts in recent years, investing heavily in both infrastructure and workforce education, the government consistently lags behind in the security training of its employees and the protection of state secrets. Sadly, very few understand the importance of properly securing wireless access points (WAPs), and even fewer use strong passwords or know how to spot phishing emails.

    The military response teams will determine the exact ramifications of both breaches. However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.

    Copyright © 2018 Recorded Future, INC.