On June 1st, Recorded Future’s Insikt Group uncovered an attempt to sell US MQ-9 Reaper unmanned aerial vehicle (UAV) documents on the Dark Web. The US Air Force limits the distribution of these documents. Insikt Group made contact with the seller, and the researchers were able to confirm that the documents were genuine.
The investigation didn’t stop there. Further conversations with the hacker revealed documents stolen in a separate attack from an unidentified US military officer. Insikt Group tracked and identified the hacker along with the group he or she belongs to. US law enforcement is now using the data to take further action.
What documents were on offer?
The hacker was offering multiple documents for sale, including the MQ-9 Reaper manual for between $150 and $200. The list Insikt Group uncovered includes:
- MQ-9 Reaper maintenance manuals
- a list of airmen assigned to the Reaper Advanced Maintenance Unit (AMU)
- an M1 Abrams maintenance manual
- a tank platoon training course on tactics
- a tank crew survival course
- manuals on improvised explosive device (IED) mitigation tactics
While all of the documents are restricted, a quick search of the web turned up some of them as openly available elsewhere. This is not as unusual as many might imagine.
Websites dedicated to military equipment often post copies of manuals and training materials. Car maintenance manual publisher Haynes offers its own M1 Abrams manual for purchase over the counter (how many people have an M1 Abrams in their garage, or a practical need for such a document?). In addition, platoon training course notes circulate in many military-interest groups.
Of all the documents here, it is the list of personnel that raises the most serious concerns. The US Air Force regularly warns its drone units, and especially pilots, that they are potential terrorist targets. It would not be difficult to take that list of personnel and identify where they live off base.
How were the documents obtained?
This is another hack using a previously disclosed security vulnerability. In this case it came down to an FTP vulnerability in Netgear routers dating from 2016.
The Insikt Group used the Shodan search engine and identified over 4,000 other misconfigured routers. Netgear publishes a simple six-step procedure to fix the routers. That so many remain vulnerable means that message is not getting through to users.
The MQ-9 Reaper documents and list of personnel were stolen from a US Air Force captain. He is the officer in charge (OIC) for the 432d Aircraft Maintenance Squadron based at Creech AFB in Nevada. In February 2018, he had completed the US Air Force Cyber Awareness Challenge. This course deals with using passwords to protect FTP access to devices.
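The article attributes the theft to a Netgear FTP misconfiguration and notes that the captain's training covered password-protecting FTP access. The following is an added illustration, not code from the article or from Recorded Future, of the check an administrator would run against their own router: does the FTP service accept a login without real credentials? It assumes the weakness is exactly that (FTP reachable with an anonymous, passwordless login), which is what the article's description implies but does not spell out. To run offline it stands up two constructed in-process FTP stubs, one behaving like an unprotected share and one that insists on a password; the host, port, stub server and password are all constructed for the demo.

```python
"""Audit whether an FTP service accepts a login without a password.

Added example (not the article's or Recorded Future's code). The FTP
stub below is a constructed stand-in for a router's FTP service and
only speaks the handshake that ftplib needs: 220 banner, USER, PASS,
QUIT.
"""
import ftplib
import socket
import threading


class StubFtpServer:
    """Constructed FTP control-channel stub serving one connection.

    allow_anonymous=True mimics the misconfigured device (anyone may log
    in as 'anonymous'); False mimics the fixed device, which rejects
    'anonymous' and demands the configured password for real users.
    """

    def __init__(self, allow_anonymous, password="correct-horse-battery"):
        self.allow_anonymous = allow_anonymous
        self.password = password  # constructed credential for the demo
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # OS chooses a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        user = ""
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 router FTP ready\r\n")
            for raw in lines:
                cmd, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                cmd = cmd.upper()
                if cmd == "USER":
                    user = arg.lower()
                    if user == "anonymous" and not self.allow_anonymous:
                        reply = b"530 Anonymous access denied\r\n"
                    else:
                        reply = b"331 Password required\r\n"
                elif cmd == "PASS":
                    # Anonymous accepts any password; real users need the right one
                    if user == "anonymous" or arg == self.password:
                        reply = b"230 Login successful\r\n"
                    else:
                        reply = b"530 Login incorrect\r\n"
                elif cmd == "QUIT":
                    conn.sendall(b"221 Goodbye\r\n")
                    break
                else:
                    reply = b"502 Command not implemented\r\n"
                conn.sendall(reply)
        self.sock.close()


def ftp_allows_passwordless_login(host, port, timeout=5.0):
    """Return True if host:port lets 'anonymous' in without real credentials.

    This is the condition a defender wants to be False on a home or office
    router: a True result means the device should have FTP disabled or the
    vendor fix applied and a password set.
    """
    ftp = ftplib.FTP()
    ftp.connect(host, port, timeout=timeout)  # raises OSError if unreachable
    try:
        ftp.login("anonymous", "anonymous@")  # the classic passwordless login
        return True
    except ftplib.error_perm:  # 5xx reply to USER/PASS: credentials required
        return False
    finally:
        try:
            ftp.quit()
        except (OSError, EOFError, ftplib.Error):
            ftp.close()


def demo():
    """Run the check against both constructed stubs and return the verdicts."""
    results = {}
    for label, allow in (("misconfigured", True), ("hardened", False)):
        server = StubFtpServer(allow_anonymous=allow)
        results[label] = ftp_allows_passwordless_login("127.0.0.1", server.port)
    return results


if __name__ == "__main__":
    for label, exposed in demo().items():
        state = "EXPOSED: login without a password" if exposed else "OK: credentials required"
        print(f"{label:>14}: {state}")
```

Against a real device you would point `ftp_allows_passwordless_login` at the router's LAN address and port 21; the stubs exist only so the check can be exercised without hardware. A `True` result is the finding to act on, and the remedy is the one the article names: apply the vendor's fix and require a password for FTP access, or turn the service off.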
Insikt Group says it never obtained the source for the second cache of documents. It speculates they came either from the US Army or the Pentagon.
What does this mean?
Another day, another leak of military data and, once again, all due to poor cyber security. The future of the US Air Force captain at the heart of the MQ-9 Reaper leak is now questionable. His training means he should have known better. The US Air Force will want to know what else might have ‘disappeared’.
The headline story is the MQ-9 Reaper documents and the personnel list. The bigger story is the scale of unpatched routers. This matters more because, two years after a fix became available, many remain vulnerable.
It matters that users see this story and understand it. Netgear – and most other device manufacturers – need a better way of managing and updating the hardware they sell.