The MQ-9 Reaper, Joint Base Elmendorf-Richardson, Alaska.

The MQ-9 Reaper, Joint Base Elmendorf-Richardson, Alaska. U.S. Air Force photo by Airman 1st Class Haley Stevens)

Hacker Caught Selling Maintenance Manuals for Military Drones

A poorly configured router allowed the theft of drone manuals, a list of maintainers, material on the Abrams tank, and more.

Until last week, you could have purchased one of the U.S. military’s training manuals for the MQ-9 Reaper drone, along with a maintenance manual for the Abrams tank, a guide to defeating IEDs, and other sensitive materials, thanks to a hacker who put the stolen materials up for sale online.

The theft and attempted sale were brought to light by cybersecurity and threat intelligence group Recorded Future, which published a report about the incident and is working with law enforcement personnel on it.

Recorded Future officials said they got involved last week when they noticed a suspicious-looking online advertisement for the manuals, a list of airmen within a unit assigned to the drone’s maintenance, and more. They contacted the thief, who said that he had hacked his way to the materials after an Air Force captain with the 432d Aircraft Maintenance Squadron at Creech Air Force Base in Nevada failed to properly set transfer protocol settings on his NETGEAR router, a widely-known vulnerability. The hacker used a search engine called Shodan that allows users to search unsecured Internet of Things devices and happened upon the captain’s router by chance, whereupon they used the vulnerability to exfiltrate the docs from the captain’s computer, including—awkwardly—his certificate of completion for Cyber Awareness Challenge training.

About a 40-minute drive from Las Vegas, Creech has served as the hub for drone operations over Afghanistan and Iraq since the early 2000s. It remains the U.S. military’s most important remote drone piloting site.

“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts,” notes Recorded Future’s report on the incident. Such materials are covered by trade restrictions. Their distribution is limited to military personnel and contractors.

It’s not clear where the hacker acquired the non-drone-related files but they were from a different source within the military, says the report.

The incident is hardly the first time user error has left military data exposed to hackers. Last year, a Booz Allen Hamilton contractor accidently left a cache of 60,000 sensitive files on a publicly accessible Amazon server.

Recorded Future isn’t disclosing the name or origin of the hacker but did say that he was an English speaker. They’re currently helping law enforcement with an investigation. “We cannot provide specific details, but we directly contacted [the Defense Security Service], which, to the best of our knowledge, handles this type of information for DoD. We also contacted several other government customers, but cannot go into the details of who that may be,” the company told Defense One in an email.

Defense One reached out to officials at Creech Air Force Base for comment. A public affairs officer told us that he had not heard about the breach before receiving reporters’ calls on Tuesday who referred us late Tuesday to Air Force press operations. We'll update when we hear back from them.