Getty Images / Isaac Brekken / Stringer

A hacker used a basic security vulnerability to access highly sensitive files relating to the US military's spy drones and tanks, new research claims. Security firm Recorded Future says it discovered a criminal attempting to sell the secret information for only a few hundred dollars on a dark web forum last month.

The documents, which were advertised at between $150 and $200, included technical details of the MQ-9 Reaper drone. The drone has been used for unmanned surveillance missions for the military and other organisations including border control. Maintenance manuals and a list of airmen who were assigned to work on repairs were allegedly being sold among a cache of classified data.


The information was exposed after two members of the US military connected to the internet through Netgear routers that still used the default log-in settings for file sharing. The bypass for the routers was first discovered two years ago and devices still vulnerable haven't had their firmware updated.

Andrei Barysevich, a dark web expert at Recorded Future, says some of the documents were taken from the computer of an Air Force captain working at a base in Nevada. "Another thing he [the hacker] was claiming to have access to was a broad range of live CCTV cameras, including those installed on surveillance planes and across the US-Mexico border and checkpoints, highways, and the drone that surveys the Gulf of Mexico," Barysevich says.

Read next A data fail left banks and councils exposed by a quick Google search A data fail left banks and councils exposed by a quick Google search

One of the files exposed was a certificate saying the captain had successfully completed cybersecurity training. A second member of the military was also impacted, with maintenance documents for the M1 Abrams tank and details of how to defend against improvised explosive devices (IEDs) being put up for sale.

The files were advertised for sale on a dark web forum, Recorded Future says, though the firm believes nobody purchased the documents. Recorded Future would not provide the username of the alleged hacker or the forum that the details were being advertised on. Barysevich says the firm is continuing to work with law enforcement.


WIRED contacted the US Department of Defense for comment on supposed documents and details but had not received a response at the time of publication. Barysevich says he is "pretty much 100 per cent certain" the documents being advertised for sale were genuine.

The security researcher says he began talking to the hacker on the dark web forum but moved to an encrypted messaging app to be provided with screenshots of sample documents. These included potential images from drones and technical documents for other military equipment.

"Pretty much immediately after we reached out to law enforcement and passed information to the airforce, he deleted the advertisement saying he lost access to the vulnerable system," Barysevich says. He doesn't know how much of the data was downloaded by the hacker as it was claimed the person had a poor internet connection and low bandwidth. As a result, they allegedly didn't download everything which was available until a buyer had been found.

Read next Cash machine hackers are getting better at stealing your money Cash machine hackers are getting better at stealing your money

Nobody is safe from Russia's colossal hacking operation Hacking Nobody is safe from Russia's colossal hacking operation

The incident is the latest case of insecure routers leading to security vulnerabilities. Barysevich says the hacker scanned the Shodan search engine, which shows internet-connected devices, for Netgear routers that may not have had their default details updated.

Once a device has been located it can be accessed remotely and the File Transfer Protocol system could be accessed using the username 'admin' and password 'password'. Recorded Future says its scan of Shodan revealed 4,000 devices that could be compromised using the method. This is down from 6,000 when the problem was first reported in 2016. Shodan searches only show devices that are currently active and connected to the internet.

In April this year, cybersecurity officials in the UK and US issued a joint warning to individuals and businesses highlighting their belief that routers – as well as other technical equipment – were being compromised by Russian hackers. Millions of devices had been targeted through man-in-the-middle attacks and intellectual property could have been stolen. The routers were being targeted to "potentially lay a foundation for future offensive operations".


Separately, malware that's been dubbed VPNFilter has been found in more than 500,000 routers. The malware, which was first discovered by Cisco’s Talos security team, has the potential to completely shutdown the router and kill its internet connection. "The behaviour of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials," Cisco wrote as it published details of the malware in May this year.

In the most destructive incident so far, routers and other Internet of Things devices were used as part of a mass botnet that temporarily took down the internet for millions of people in October 2016.

The continuing vulnerabilities in routers show how fragile connected devices can be. "He was abusing this system and method on a daily basis," Barysevich says of the hacker who targeted the US military. "He told us he scans Shodan for new victims and then spends the entire day dong from system to system to see if anything of any value could be obtained." It is claimed documents from a cryptocurrency company, a medical practice, a supply chain provider to oil and gas provider were all exposed using the same method. "He didn't know the true value of this data," Barysevich says.