New research claims that a criminal hacker tried to sell files on the U.S. military’s MQ-9 Reaper drones on the dark web.

The unidentified hacker harvested the documents from a U.S. Air Force captain’s computer by exploiting a widely known security vulnerability in Netgear routers, according to research by threat intelligence firm Recorded Future.

U.S. officials are now investigating the incident as a result of the reporting, an Air Force spokesman told The Hill.

ADVERTISEMENT

While the documents themselves were not classified, the researchers described them as “highly sensitive” in nature and said they “could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”

The analysts said they notified officials at the Department of Homeland Security (DHS) of their findings and that the hacker was ultimately blocked from selling of the documents. It is unclear, however, if any of the data was copied or shared.

A Homeland Security official confirmed to The Hill that Recorded Future reached out to the department about the incident. A spokesperson for the Air Force said Wednesday that the service is "aware of the reporting and there is an investigation into the incident."

The MQ-9 Reaper is an armed unmanned aerial vehicle, or UAV, made by General Atomics and used by the Air Force and Navy and by Homeland Security to monitor the U.S. border.

Analysts at Recorded Future’s Insikt Group spotted the hacker trying to sell what appeared to be U.S. Air Force documents for $150 while monitoring criminal activities on the dark web last month. Criminal actors often use the dark web to peddle stolen login credentials and sensitive personal information, like Social Security numbers, but it is much more rare to see actors trying to sell military documents online.

The Insikt Group is a team of analysts specially trained to quietly monitor and infiltrate online criminal communities to uncover emerging threats.

The researchers “engaged” the hacker, who spoke English, and confirmed the validity of the stolen documents, which included MQ-9 Reaper maintenance course books and a list of airmen assigned to the Reaper’s aircraft maintenance unit, the report says. The hacker also shared information with the analysts about his tactics.

Andrei Barysevich, director of advanced collection at Record Future and the author of the report, told The Hill that he is “100 percent certain” the documents are real.

Barysevich said the analysts believe that the hacker belongs to a criminal hacking group based in South America, but would not go into further detail about the individual’s suspected origins.

“Right now, the investigation is still ongoing,” Barysevich said.

The hacker allegedly infiltrated a computer belonging to an Air Force captain stationed at Creech Air Force Base in Clark County, Nevada, and discovered the documents.

The hacker used the Shodan search engine to scan the internet for vulnerable devices, ultimately leveraging an easy-to-exploit vulnerability in Netgear routers that was publicized in 2016 to hack into the individual’s system. While Netgear released a security fix for affected systems the same year, scores of devices have not been patched and remain vulnerable.

Later, the hacker also tried to sell additional military files — including a tank platoon training course and documents on tactics to mitigate improvised explosive devices, or IEDs — though it is unclear where those files originated.

The revelations come at a time of heightened scrutiny over U.S. military breaches. In June, the Washington Post reported that Chinese government hackers broke into a Navy contractor’s computer and stole more than 600 gigabytes of data — including documents on a highly sensitive U.S. submarine project. Members of Congress have been briefed on the incident.

This story was updated at 9:46 a.m. Wednesday to reflect comment from the Air Force.