A sensitive training manual for the U.S. military’s lethal MQ-9 Reaper UAV was put up for sale on an underground marketplace last month, after a hacker plucked it from an Air Force captain’s home network using a default password.
But despite an asking price of only $150, nobody was interested. “I’ve been personally investigating the dark web for almost 15 years, and this is the first time I’ve uncovered documents of this nature,” says Andrei Barysevich, director of advanced collection at Recorded Future. “This type of document would typically be stolen by nation-state hackers. They wouldn’t be offering it on the dark web, and certainly not for $150.” Developed by General Atomics, the $64 million MQ-9 Reaper is the heavily-armed follow-on to the Predator drone, capable of dropping laser-guided bombs and Hellfire missiles on a target from an altitude of 50 thousand feet. In its unarmed configuration it’s been used by DHS for border surveillance and NASA for weather studies. The stolen Reaper training manual was titled “MQ-9A Reaper Block 5 (UHK97000-15) RPAMaintenance Event 1 Delta Training.” It was unclassified, but the cover bore a lengthy admonishment on safe handling.
“This information is furnished upon condition that it will not be released to another nation without the specific authority” of the Air Force, the cover reads. “[T]he recipient will report promptly to the United States, any known or suspected compromises.” The document, and others like it, was pilfered from the home network of an Air Force captain in the 432d Aircraft Maintenance Squadron at Creech Air Force Base in Nevada, says Barysevich. A spokesperson for the squadron did not immediately respond to an inquiry from the Daily Beast on Tuesday. Barysevich says he spotted the manual for sale on a dark web forum in early June. Posing as a potential buyer, he struck up a conversation with the seller, who turned out to be part of a small hacking crew based in South America that specializes in low-hanging fruit. Armed with some rudimentary knowledge and an Internet-of-things search engine called Shodan, the hackers learned to exploit a feature in some Netgear home routers that allow a user to attach an external USB drive and load it up with documents, videos or music that they want to share across their home network. An extra option called the “Personal FTP Server” also makes the files accessible over the public Internet, so the user can fetch them from work or while traveling.If the user switches the Personal FTP Server option on, and doesn’t explicitly set a password for the server, all their shared files are left wide open to anybody who logs in as “anonymous,” with no password required — a mistake evidently made by the Air Force captain. “We reported this to DHS and various law enforcement agencies, and they forwarded the information to the U.S. Air Force,” says Barysevich.
In 2016, security experts warned that naive Netgear users were unknowingly exposing their private files to the world in this way. Netgear dismissed it as a non-issue, pointing out that the router’s manual includes clear instructions on adding a password. Two years later, Shodan shows that some 4,000 Netgear routers are wide open, down from 6,000 in 2016.
Reached by the Daily Beast, Netgear said it released a firmware update in 2016 that added a password by default. “Netgear has previously released firmware that fixes this issue,” says Lisa Napier, senior product security program manager. “We ensure that remote services are disabled by default, and passwords are required to be configured at device setup.”
Security expert and blogger Robert Graham of Errata Security says it’s ultimately the user’s responsibility to keep their home networks up to date. “What percentage of users ever look at their routers after setting them up?” says Graham. “In the security industry, almost nobody keeps up to date on security advisories for their routers, have verified the configuration is safe, or have updated the firmware.”In addition to the Reaper maintenance course books, the hacker pilfered a list of airmen assigned to the Reaper maintenance unit at Cree AFB. From other open routers he obtained an assortment of tactical training manuals, and an operations manual for the M1 Abrams tank.While nobody was interested in the hacker’s military offerings, “he was selling other information,” says Barysevich. “He’s consistently posting various data sets for sale… Oil and gas industry, health care, cryptocurrencies… He’s still accessing systems pretty much on a daily basis.”