At least two people tied to the US military accidentally leaked secret files to a hacker, including manuals for the US's main battle tank and its Reaper drones, researchers have found.
The two people who inadvertently leaked the files each made the same mistake: They failed to change either the username or password on their routers, whose default credentials the routers' manufacturer posts on its website. All the hacker had to do was scan the internet for routers with those default settings, then use the settings to steal the contents of computers attached to those routers.
The first victim was an Air Force captain stationed at Creech Air Force Base in Nevada, according to Recorded Future, the cybersecurity company that discovered the theft. The hacker stole several files about the MQ-9 Reaper drone, including maintenance manuals and a list of airmen assigned to work on Reaper maintenance.
The second victim’s identity is unknown, though the files appear to have been stolen from an Army or Pentagon official, according to Recorded Future. The hacker stole from that person more than a dozen sensitive Army documents, including a maintenance manual for the M1 Abrams tank, another manual describing tank platoon tactics, and a third manual for minimizing the potential damage of improvised explosive devices.
A Recorded Future researcher discovered the files for sale on the Dark Web, then quizzed the hacker on how the files had been obtained. The company then alerted the Defense Security Service, the military branch tasked with internal security.
The hacker told Recorded Future that he'd used an easily obtained search engine, Shodan, to search the internet for people who were still using the usernames and passwords that the routers' manufacturer, Netgear, had configured them with originally.
Andrei Barysevich, the Recorded Future researcher who found the documents online, said the incident should raise alarms about the lack of security that allowed the documents to be pilfered. The hacker was clearly inexperienced, he said, using a method that required little skill and trying to sell the documents for just $150.
“$150 is nothing,” Barysevich told BuzzFeed News. “We felt like he has no true understanding of the value of this information, he had no idea how to sell it, he was just trying to get rid of it.”
Security experts have recently ramped up warnings about the security dangers of routers, which people rarely update or even realize can be updated. The process usually requires users to sign on to an interface that they rarely use, unlike most smartphones and computers, which update automatically.
Because routers are rarely updated, their vulnerabilities often go unpatched, which in turn can lead to easy compromise. In May, the FBI said that the Russian government had infected at least 500,000 routers, spanning a number of makes and models, with a particular malware called VPNFilter, believed to have been created to harass Ukrainian targets.
Recorded Future was able to find a certificate showing that the hacked Air Force captain, whom it declined to name, had completed a cybersecurity awareness challenge in February 2018.
“Much more experienced hackers or nation-state attackers could have identified this vulnerability in this same system and if they knew what they were doing there’s a good chance their system would be infected,” Barysevich said. “The exposure could be much bigger than these documents being stolen.”