Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:35 PM
Connect Directly

Hacker Exploits 2-Year Old Router Issue To Steal Sensitive US Military Data

A moderately skilled hacker managed to steal export-restricted data pertaining to the Reaper drone and Abrams tank from computers belonging to two US Army officials.

Sensitive US military documents, including training materials for the MQ-9A Reaper drone and an operations manual for the M1 Abrams tank, were recently available for sale on the Dark Web.

A single hacker with apparently moderate technical skills accessed one set of the leaked documents from the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, at the Creech AFB in Nevada, says intelligence firm Recorded Future. The data that was stolen included Reaper maintenance books and the list of airmen assigned to the military drone program at the base.

The source of the other document — pertaining to the M1 Abrams tank — is not clear. But it appears to be part of a larger set of military documents that the same hacker obtained from a separate computer belonging to a US Army official.  The second dataset included information on a training course for a tank platoon, documentation on mitigation tactics for an improvised explosive device, and a crew survival course. The documents, while not classified, contained sensitive, export-controlled data, according to Recorded Future in a report detailing its findings.

In both instances of data theft, the threat actor exploited a previously known issue with Netgear routers that allows remote attackers to access data on storage devices connected to the router if the default FTP authentication credentials are not updated. Recorded Future says its research shows more than 4,000 routers worldwide continued to be exposed to the issue — more than 1,430 of them in the US.

Researchers from Insikt Group, Recorded Future's threat intelligence team, established contact with the threat actor after coming across advertisements for the stolen data in underground forums in early June.  The individual — a newly registered, English-speaking member of a hacking forum — claimed he had used the Shodan search engine to search for and find Netgear routers that use a standard port 21 from which he could steal data.

"According to the actor, the data was stolen from two separate computers, and it was released within a week of each other," says Andrei Barysevich, director of advanced collection at Recorded Future. "In the case of the US Army captain, the hacker had access for a somewhat prolonged period. He lost access to the second computer within a day."

On days when the actor was not looking for victims, he watched live video footage from border surveillance cameras, airplanes, and a M1-1 Predator drone over Choctawhatchee Bay in the Gulf of Mexico, Recorded Future says. He used the same Shodan engine to search for unprotected Full Motion Video (FMV) streams as he did to find the vulnerable Netgear routers.

But unlike the case with the stolen data, the hacker shared access to the full-motion video streams for free, Barysevich says. "Not only was the actor able to access surveillance footage from drones but also from southern border checkpoints," he says. "Access to such streams could be invaluable for drug cartels and human traffickers."

The full ramifications of the data breaches are still unclear. But the fact that a hacker with average skills was able to identify military computers and steal sensitive information from them in a week's time is concerning, Recorded Future says. "[It] is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve," the vendor said.

That the threat actor exploited a 2-year-old vulnerability in Netgear routers suggests the sensitive military data was stored on a system connected to an unpatched or unmanaged wireless access point, says Sherban Naum, senior vice president of corporate strategy and technology at Bromium.

For the military, the question now is whether the documents were on a personal device or a government-issued computer. If the data was stored on a personal device, the question would be why the data was there in the first place. If the data was accessed from a government-issued computer, the question would be why it was connected to an unprotected network, Naum says.

Related Content:




Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/12/2018 | 8:32:36 AM
Re: Recalling Internet Census 2012 and Carna
All good points and add one more - the military complex generally (here we go) OUTSOURCES support to those wonderful firms such as Computer Sciences Corp (now CSRA for public accounts) and they are awful in every single way.  I know!  CSC destroyed Aon group after outsourced in 2004-2005 and to this day it is a horror.  Know nothing of security and their only concern per client is to GET PAID. 
User Rank: Ninja
7/11/2018 | 8:03:44 PM
Recalling Internet Census 2012 and Carna
I don't know how many folks remember Carna and the paper published based on its Internet scanning findings "Internet Census 2012: Port scanning /0 using insecure embedded devices", but this article calls to mind some my more radical ideas about "getting there first". Breaches like this are painful because they feel so simple to have prevented in the first place.

Consider (putting aside whatever your ideas of privacy currently are) what happened here. As a result of 1) lack of implemented security standards for networked hardware configuration, 2) failure to upgrade networked hardware and/or firmware, 3) failure to properly secure sensitive documents and streaming data and 4) research on a publicly accessible search engine for networked devices, what can be considered a critical military breach occurred.

For those who recall Carna, an Internet "researcher" ran a bot that scanned for all intents and purposes the entire Internet, collecting over 9TB of data on connected devices, including those with open access due to poor configuration. Back in 2011/2012 almost anyone could do this; especially with search engines like Shodan online, literally anyone can do this. In many cases, exploits are a question of who "gets there first". With so much publicly accessible data on hackable systems attached to the Internet, how is it on a daily basis the "good guys" aren't "getting there first" and closing the holes?

As I said, putting aside all opinions on privacy, breaches like this happen for really basic and stupid reasons. But with those opinions set to the side, what's to say the military can't also be sitting in front of Shodan and looking for its own networked devices that are in danger of being compromised? Whats to say hardened versions of Carna can't be running out of financial institutions and monitored 24/7 to help them harden networks, or from military bases globally to keep the random laptops from popping up, maybe on a U.S. military base in Kandahar, that have holes ready to exploit?

I've always been a proponent of combative security, and it seems natural to suggest that as easy as this breach was to commit, it could have been just as easy to prevent with the right people on the other side of it looking for the same thing as the cybercriminals, but "getting there first" thanks to using the same techniques.

But of course, these techniques are not legal in most contexts (not sure if it's a crime to RSS Shodan data, but that alone isn't really sufficient to arm yourself and your network against potential intruders), so until we can iron out that detail we may continuing seeing these breaches happen due to painfully simple failures in security protocol and executed in painfully simple and publicly accessible methods.
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting