US military manuals hawked on dark web after files left rattling in insecure FTP server

Wow, so servicemen forget to change their default logins too


Sensitive US Air Force documents have leaked onto the dark web as part of an attempted sale of drone manuals.

Threat intel firm Recorded Future picked up on an auction for purported export-controlled documents pertaining to the MQ-9 Reaper drone during its regular work monitoring the dark web for criminal activities last month. Recorded Future's Insikt Group analysts, posing as potential buyers, said they'd engaged the newly registered English-speaking hacker before confirming the validity of the compromised documents.

Further interactions allowed analysts to discover other leaked military information available from the same threat actor. The hacker claimed he had access to a large number of military documents from an unidentified officer.

These documents included a M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device mitigation tactics.

Subsequent work revealed that this info was actually pulled from at least one, and more likely a series of, insecure File Transfer Protocol (FTP) servers. "The attacker used a widely known tactic of gaining access to vulnerable Netgear routers with improperly set up FTP login credentials," Recorded Future said.

Two years ago researchers warned that Netgear routers with remote data access capabilities were susceptible to attack if the default FTP authentication credentials were not updated. Despite the stretch of time, it's still a common issue. During its research, Recorded Future identified more than 4,000 routers susceptible to attack.

Dark web market drone ad

Exploitation was far from difficult. Using Shodan's machine data search engine, the hacker scanned large segments of the internet for high-profile misconfigured routers exposing FTP on the standard port 21, then pulled every document of value from the compromised machines.

The hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech [Air Force Base] in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper [Aircraft Maintenance Unit]. While such course books are not classified materials on their own, in unfriendly hands they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.

The captain, whose computer had seemingly been compromised recently, had completed a cybersecurity awareness course, but he did not set a password for an FTP server hosting sensitive files. This allowed the hacker to easily download the drone manuals, said the researchers. The precise source of the other dozen or so manuals the hacker offered for sale remains undetermined.

"The source was never disclosed to Recorded Future. However, judging by the content, they appear to be stolen from the Pentagon or from a US Army official."

The hacker let slip that he was also in the habit of watching sensitive live footage from border surveillance cameras and airplanes. "The actor was even bragging about accessing footage from a MQ-1 Predator flying over Choctawhatchee Bay in the Gulf of Mexico."

Researchers identified the "name and country of residence" of an individual associated with a group Recorded Future reckons is responsible for the illicit sale of US military manuals. Recorded Future has not identified the country responsible but said that it is continuing to "assist law enforcement in their investigation" of the trade in classified documents.

Early indications suggest a single hacker or small group of associates, rather than organised crime or state-sponsored hackers.

The military response teams will determine the exact ramifications of both breaches. However, the fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week's time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve.

All sorts of bad stuff – including personal information – is hawked through dark web bazaars but classified material is seldom offered. Recorded Future said the latest case is almost unprecedented.

"It is not uncommon to uncover sensitive data like personally identifiable information, login credentials, financial information, and medical records being offered for sale on the dark web. However, it is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market." ®
