A poorly configured router allowed the theft of drone manuals, a list of maintainers, material on the Abrams tank, and more.
Until last week, you could have purchased one of the U.S. military’s training manuals for the MQ-9 Reaper drone, along with a maintenance manual for the Abrams tank, a guide to defeating IEDs, and other sensitive materials, thanks to a hacker who put the stolen materials up for sale online.
The theft and attempted sale were brought to light by cybersecurity and threat intelligence group Recorded Future, which published a report about the incident and is working with law enforcement personnel on it.
Recorded Future officials said they got involved last week when they noticed a suspicious-looking online advertisement for the manuals, a list of airmen within a unit assigned to the drone’s maintenance, and more. They contacted the thief, who said that he had hacked his way to the materials after an Air Force captain with the 432d Aircraft Maintenance Squadron at Creech Air Force Base in Nevada failed to properly set the file transfer protocol settings on his NETGEAR router, a widely known vulnerability. The hacker used Shodan, a search engine that lets users find unsecured Internet of Things devices, and happened upon the captain’s router by chance, whereupon he used the vulnerability to exfiltrate the documents from the captain’s computer, including, awkwardly, his certificate of completion for Cyber Awareness Challenge training.
About a 40-minute drive from Las Vegas, Creech has served as the hub for drone operations over Afghanistan and Iraq since the early 2000s. It remains the U.S. military’s most important remote drone piloting site.
“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts,” notes Recorded Future’s report on the incident. Such materials are covered by trade restrictions. Their distribution is limited to military personnel and contractors.
It’s not clear where the hacker acquired the non-drone-related files, but they were from a different source within the military, says the report.
The incident is hardly the first time user error has left military data exposed to hackers. Last year, a Booz Allen Hamilton contractor accidentally left a cache of 60,000 sensitive files on a publicly accessible Amazon server.
Recorded Future isn’t disclosing the name or origin of the hacker but did say that he was an English speaker. They’re currently helping law enforcement with an investigation. “We cannot provide specific details, but we directly contacted [the Defense Security Service], which, to the best of our knowledge, handles this type of information for DoD. We also contacted several other government customers, but cannot go into the details of who that may be,” the company told Defense One in an email.
Defense One reached out to officials at Creech Air Force Base for comment. A public affairs officer told us that he had not heard about the breach before receiving reporters’ calls on Tuesday; late Tuesday he referred us to Air Force press operations. We’ll update when we hear back from them.