Security researchers recently detected the sale of sensitive information on the United States' MQ-9 Reaper unmanned aerial vehicle and other military secrets on the Dark Web. The hacker who put up such information for sale gained access to it by exploiting the lack of FTP-protection in Netgear routers used by military personnel.
The sale of sensitive US military secrets on the Dark Web was detected by researchers from Recorded Future’s Insikt Group last month while scanning the Dark Web for potential criminal activities. While the sale of training manuals and weapon specifications isn't very significant considering that such information can be found on the Internet as well, the fact that a hacker had secret information on the Reaper UAV in his possession will surely raise eyebrows in the defence and national security establishments.
The MQ-9 Reaper unmanned aerial vehicle (UAV) is a state-of-the-art weaponised drone used by the US Air Force as well as several other government agencies such as the US Navy, the CIA, US Customs and Border Protection, and NASA. Not only is it used by these agencies for intelligence, surveillance, and reconnaissance, but also for carrying out bombing attacks on enemy assets.
According to Insikt Group researchers, the hacker gained access to such information by exploiting an FTP vulnerability in Netgear routers and infiltrating the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at an air force base in Nevada. Information that he took from the computer included "a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU".
The hacker was able to do so because despite completing the Cyber Awareness Challenge, the captain failed to set an FTP password, thereby allowing adversaries to exploit the router vulnerability to access files in his computer.
The hacker was also able to get his hands around other US military secrets such as the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics by hacking into computers used by other US Army personnel or the Pentagon. All these documents were put up for sale on the Dark Web by the hacker and later detected by Insikt researchers.
According to the researchers, organisations that store top secret information on national security and defence as well as sensitive enterprise data can prevent adversaries from gaining access to their systems by setting complicated FTP passwords when connecting to Netgear routers.
"Although private industries have really stepped up their security efforts in recent years, investing heavily both in the infrastructure and workforce education, the government is consistently lagging behind when it comes to the security training of its employees and protection of state secrets.
"Sadly, very few understand the importance of properly securing wireless access points (WAP), and even fewer use strong passwords and understand how to spot phishing emails," they added.
Commenting on how easily a hacker could gain access to top-secret US military information by exploiting a well-known vulnerability, John Steven, senior director, security research and applied research at Synopsys, told SC Magazine UK that this occurred because organisations often classify things like documentation and test cases (or test systems) as low value compared with production assets or data. Therefore, documentations are subject to fewer security controls and less scrutiny.
"Yet, these ‘low value’ assets implicitly (sometimes explicitly) provide blueprints for the weaknesses in production environments. Organisations should consider to scrutiny and protections afforded documentation of test infrastructure akin to their other IP – like source code.
"Maybe more importantly, system designers should ask the question, "Are we relying on ‘security by obscurity’?" That is, is the system’s security posture predicated on attacker’s lack of knowledge of how it works? Or, does the system withstand attack even when attacker know its specs?
"Ideally, architects would ferret out cases where their systems achieve ‘security’ only through obscurity, and replace these weak links with security controls and protocols that resist attack even when attacks have "whitebox knowledge" of how they work," he added.