You can find all sorts of things for sale on the dark web: names, addresses and log-in credentials are common, but more sensitive information tends to be rare and expensive.
Insikt Group, part of security research firm Recorded Future, was surprised, then, to find a seller claiming to have 'highly sensitive' information about the USA's MQ-9 Reaper military drone - for just $150.
Military documents tend to be one of those 'rare and expensive' propositions, so the offer could have been written off as a hoax. However, Insikt Group analysts confirmed the documents' validity after establishing contact, as well as learning how they were obtained.
The hacker told the analysts that s/he had exploited a known FTP vulnerability in Netgear routers. They used the Shodan search engine to scour the internet for high-profile vulnerable routers - of which there are still many, despite the flaw being exposed more than two years ago.
The attacker gained access to the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at a base in Nevada. Ironically, this individual had recently completed the Cyber Awareness Challenge, but had still failed to change the FTP password from its default setting.
Using the compromised router, the hacker was able to steal documents including Reaper maintenance course books and the list of airmen assigned to Reaper AMU. Although these aren't classified, they could still give an adversary an advantage in combat against the drone.
As well as the Reaper manuals, the threat actor was selling another set of military documents, apparently stolen from someone working at the Pentagon or in the US Army.
Insikt says that this second set included 'more than a dozen various training manuals [describing] improvised explosive device defeat tactics; an M1 ABRAMS tank operation manual; a crewman training and survival manual; and tank platoon tactics'.
'The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week's time is a disturbing preview of what a more determined and organised group with superior technical and financial resources could achieve', the Group said.