A recent hack of an Air Force captain assigned to the 432nd Aircraft Maintenance Squadron at Creech Air Force Base, Nevada, and the subsequent offer for sale of the “Reaper Drone” design via the dark web for less than $200, has caught the attention of many inside and outside government.
The individual who purloined the design found his victim by querying the internet of things (IoT) search engine Shodan for NetGear routers. Once one was located, the miscreant used the factory default password to access the router. In this manner, according to Stars and Stripes, the hacker obtained a number of files from the captain’s home network, including training manuals, personnel lists and, ironically, the captain’s certificate of completion of the Air Force “Cyber Awareness Challenge” training.
Once the documents were in hand, the culprit attempted to monetize the documents via an online sale. However, his actions were discovered and reported to military response teams by Recorded Future, a threat intelligence provider.
Reaching out to Recorded Future, we asked how they validated the “Reaper Drone” document they discovered and attempted to purchase on the dark web. The company advised that they did reach out to the U.S. military, specifically the Defense Security Service (DSS). In addition, they contacted several of their government customers, whom they declined to identify.
The July 2018 revelation that the documents were on the dark web, offered for sale at a price of $150 to $200, gives everyone pause when determining the provenance of the documents, as the price seems low. Recorded Future explained how they determined the documents were legitimate and not fraudulent mockups, perhaps intended to induce Iranian or North Korean military procurement entities to purchase a salted military drone design.
The firm first reviewed the previous activities tied to the individual offering the Reaper Drone information for sale, then reviewed the conversations between their own analysts and the individual, who lost access to the “Captain’s computer” once Recorded Future had notified U.S. authorities. Based on that, Recorded Future’s confidence was high that the offered documents were legitimate U.S. defense documents, though, they noted, they do not have the means to “verify with absolute certainty that the documents are legitimate.” According to the Stars and Stripes article, Recorded Future has “a high degree of confidence the hacker is from South America.”
Those who have been following Iranian geopolitical and military intrigue understand the desire of the Iranian Revolutionary Guard Corps (IRGC) to not only understand but also acquire documents such as those associated with the Reaper drone. In 2011, a U.S. drone crashed in Iranian territory and was used as the “model” for the Iranian Saeqeh (Thunderbolt) drone, which the IRGC built in 2016. Saeqeh was also the drone used by the IRGC from a base in Syria to reconnoiter Israeli territory and subsequently was shot down by the Israeli Air Force.
Assuming the captain’s home network wasn’t a honeypot and was legitimately compromised, this event provides a teaching moment: it demonstrates that individuals may work within one of the most secure and cyber-capable environments, but once they leave the safety of that cocoon, they lack, as individuals, the resources necessary to reach the level of security they enjoy at their workplace.
Furthermore, as detailed in Recorded Future’s own report, “Very few understand the importance of properly securing wireless access points (WAP), and even fewer use strong passwords …”
What we aren’t told, and what the U.S. Department of Defense hasn’t revealed, is why the Air Force officer had these documents on his home computer. Perhaps the answer to that is a different tale, one about an insider taking sensitive data off the network?