Hacker steals sensitive Reaper drone documents and selling them for $150 on the dark web

A lone hacker managed to gain access to the computer of a US Air Force official and steal sensitive documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). The Reaper drone was first introduced in 2001 and is considered to be one of the most advanced military technology in decades.

The US Air Force, Navy, the CIA, Nasa and the US Customs and Border Protection agency all currently use the Reaper drone. Military organizations of several other nations also currently use the drone. Meanwhile, the US Air Force has progressed from using the Reaper solely in surveillance and reconnaissance missions to a “hunter-killer role.”

Hacker selling Reaper drone data for $150

The hacker is reportedly selling the sensitive data for a mere $150 on the dark web, indicating that he may not be aware of the true value of the stolen documents.

“I’ve been personally investigating the dark web for almost 15 years, and this is the first time I’ve uncovered documents of this nature,” Andrei Barysevich, director of advanced collection at Recorded Future, told the Daily Beast. “This type of document would typically be stolen by nation-state hackers. They wouldn’t be offering it on the dark web, and certainly not for $150.”

Modus operandi

Security researchers at Recorded Future, who discovered the US military documents listed on the dark web, were able to confirm the validity of the documents. The researchers reported the hacker exploited a previously disclosed FTP vulnerability in Netgear routers to gain access.

“It is not uncommon to uncover sensitive data like personally identifiable information (PII), login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market,” Recorded Future researchers wrote in a blog.

Although the flaw was disclosed in 2016, researchers discovered that over 4,000 Netgear routers are still vulnerable to FTP attacks. In fact, the hacker is reportedly still exploiting the flaw tot target entities in other industries, harvesting more sensitive data.

“He’s consistently posting various data sets for sale… Oil and gas industry, health care, cryptocurrencies,” Barysevich added. “He’s still accessing systems pretty much on a daily basis.”

What did the hacker steal?

The researchers discovered connections between the hacker and a known threat group, indicating that the hacker may have help from the group.

The attackers used Shodan to scan the internet for misconfigured routers of high-profile targets that used port 21 tot steal documents from compromised systems.

Researchers said that the hacker “professed that on days he was not hunting for his next victim, he entertained himself by watching sensitive live footage from border surveillance cameras and airplanes. The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico.”

The hacker managed to gain access to the computer of “ a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada”. This allowed the hacker to steal sensitive documents, including Reaper maintenance course books.

The hacker also managed to obtain M1 Abrams maintenance manual, tank platoon training and crew survival course materials and documentation pertaining to improvised explosive device (IED) mitigation tactics. Researchers suspected that these documents were stolen from an official working at either the Pentagon or the US Army.

“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts,” Recorded Future researchers noted.

However, the vulnerable system that the hacker managed to access appears to have been secured.

"Pretty much immediately after we reached out to law enforcement and passed information to the airforce, he deleted the advertisement saying he lost access to the vulnerable system," Barysevich told Wired.

Cyber-aware but cyber-slack

The captain whose computer was compromised by the hacker had recently completed the Cyber Awareness Challenge and should ideally have known what to set an FTP password to prevent unauthorized access, researchers noted.

“The military response teams will determine the exact ramifications of both breaches,” the researchers said. “However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.”