A hacker has penetrated an Air Force captain’s computer to steal sensitive information about U.S. military drones and other state secrets, according to a cybersecurity firm’s investigation of dark web activities.
On June 1, Recorded Future’s Insikt Group was monitoring underground criminal activity when it identified a newly registered member of a hacking forum attempting to sell highly sensitive documents about the U.S. military’s MQ-9 Reaper drone. Because it is incredibly rare for criminal hackers to try to sell military documents on an open market, the firm looked into the offering further. It was able to contact the hacker and confirm that the documents were authentic, opening up a further dialog with the perpetrator.
In doing so, it uncovered the actor’s tactics: He or she exploited vulnerable Netgear routers whose FTP login credentials had been improperly set up to gain access to an unidentified officer’s information.
In an analysis of the hack published Tuesday, Recorded Future said that the bad actor used the Shodan search engine to scan large segments of the internet for Netgear DGN2200v4 modem routers that exposed FTP on the standard port 21 and were protected only by weak passwords. From there, thanks to a command-execution flaw and an insecure FTP root-directory vulnerability in unpatched firmware, an attacker who knows the router’s administrative password can inject OS commands and backdoor the router. That access can then be used to intercept network traffic flowing through the device, including file attachments.
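The opening move described above is a credential check rather than an exploit: does the router’s FTP service on port 21 accept a factory-default or anonymous login? The following is an added example, not Recorded Future’s tooling or anything from the Netgear firmware. It is a small Python audit that tries a generic list of default credentials against an FTP endpoint you are authorized to test and reports which pairs were accepted. The credential list, the banner string and the in-process stub server (which stands in for a router left on factory defaults so the script runs offline) are all constructed for this example.

```python
"""Audit an FTP endpoint for default or anonymous credentials.

Added example for this article; not Recorded Future's code or a Netgear tool.
The credential list, banner text and stub server below are assumptions
constructed so the script runs offline.
"""
import ftplib
import socket
import threading

# Generic default pairs to try (assumption: not taken from any vendor manual).
DEFAULT_CREDS = [
    ("admin", "password"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("anonymous", ""),
]


def grab_banner(host, port, timeout=3.0):
    """Return the 220 welcome line, the string a Shodan-style scan indexes."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        return ftp.getwelcome()
    finally:
        ftp.close()


def try_login(host, port, user, password, timeout=3.0):
    """True if the server answers USER/PASS for this pair with a 230."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)  # raises ftplib.error_perm on a 530 reply
        ftp.quit()
        return True
    except ftplib.all_errors:
        return False
    finally:
        ftp.close()


def audit_ftp(host, port, creds=DEFAULT_CREDS):
    """Return the credential pairs the server accepted; [] means none did."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


class FakeRouterFtp(threading.Thread):
    """Constructed stand-in for a router's FTP control channel.

    Speaks just enough FTP (220/331/230/530/221) for ftplib to log in.
    `accepted` is the single pair it honours; None means no login works.
    """

    def __init__(self, accepted=("admin", "password")):
        super().__init__(daemon=True)
        self.accepted = accepted
        self._stop = threading.Event()
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.sock.settimeout(0.2)  # lets run() notice stop() between accepts
        self.port = self.sock.getsockname()[1]

    def run(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    self._serve(conn)
                except OSError:
                    pass  # client went away mid-session; keep serving others
        self.sock.close()

    def _serve(self, conn):
        def reply(line):
            conn.sendall((line + "\r\n").encode())

        reply("220 Router FTP service ready")  # constructed banner, not a real one
        user = None
        with conn.makefile("rb") as lines:
            for raw in lines:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "USER":
                    user = arg
                    reply("331 Password required")
                elif verb == "PASS":
                    if self.accepted is not None and (user, arg) == self.accepted:
                        reply("230 Login successful")
                    else:
                        reply("530 Login incorrect")
                elif verb == "QUIT":
                    reply("221 Goodbye")
                    return
                else:
                    reply("502 Command not implemented")

    def stop(self):
        self._stop.set()


if __name__ == "__main__":
    srv = FakeRouterFtp()  # stub left on "admin"/"password"
    srv.start()
    print("banner:  ", grab_banner("127.0.0.1", srv.port))
    print("accepted:", audit_ftp("127.0.0.1", srv.port))
    srv.stop()
```

Against the stub, `audit_ftp` returns the one default pair the stub honours; a hardened target yields an empty list, which is the result you want. A non-empty list is the condition the article describes, and the fix is the one the article gives: change the administrative credentials (and, as a matter of practice, stop exposing FTP to the internet at all).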
It’s a sadly all-too-common opening: Despite it being two years since the Netgear vulnerability was first acknowledged, the problem remains widespread, the firm said. During recent research, Recorded Future identified more than 4,000 routers susceptible to the attack.
Recorded Future went on to say that the hacker used this tactic to infiltrate the computer of a captain in the 432d Aircraft Maintenance Squadron serving as the Reaper AMU OIC (aircraft maintenance unit officer in charge), stationed at Creech AFB in Nevada. There, he or she “stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU,” the firm noted. It added, “While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.”
Aside from the drone information, the actor also revealed that he or she is in possession of a second dataset, including “the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course and documentation on improvised explosive device (IED) mitigation tactics,” according to Recorded Future. While the source isn’t known, these appear to have been stolen from the Pentagon or from a U.S. Army official, the firm said.
“The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” Recorded Future said.
The exfiltration of such sensitive military secrets is not as uncommon as one would hope. This latest news comes on the heels of a revelation last month that an unidentified hacker was trying to sell purported U.S. military documents containing submarine warfare information. The stolen data included “secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020,” American officials said.
“Modern warfare is inherently dependent upon computing, from drones, to missiles, to communications with troops on the ground,” said Tom Kellermann, chief cybersecurity officer at Carbon Black, via email. “Nation-states like China, Russia, Iran and Syria are escalating their cyberattacks against U.S. personnel through cyberspace. This breach represents an ominous trend of unmasking those who man the tip of America’s spear – drone pilots of the U.S. Air Force. The DoD must modernize its cybersecurity posture given the rapid evolution and coordination of enemies in cyberspace.”
Aside from illustrating a pervasive problem in the level of government security hygiene, this latest incident also points out potentially poor judgement on a more individual level.
“Does the USAF use Wi-Fi connected to their NIPRNet/DoDIN? I have to believe the answer is a definitive no. As such, it may have been the case someone had the documents on an off-premise device connected to a home or other open Wi-Fi network,” Sherban Naum, senior vice president of corporate strategy and technology at Bromium, told Threatpost via email. “The idea that it was a two-year-old vulnerability and not patched tells me it may have been a personal Wi-Fi access point left unmanaged/unpatched.”
While preventing unauthorized data movement and extraction is a challenge for the DoD, simply because of the vast number of users, contractors and programs at play, there are some best practices to follow, Naum added. For one, the main mitigation for the Netgear hack is simple: changing the router’s administrative password.
Also, “high-value asset (HVA) consolidation is a key movement within the DoD, with Ron Ross at NIST leading the discussions,” he explained. “By securing DoD HVAs, they can then focus on connections into the HVA, limiting access and attesting both the device and user prior to allowing them onto the HVA fabric. By limiting access to and controlling data flow from the HVA to the user’s local device, the DoD can limit the amount of data loss.”