A hacker is selling highly sensitive documents about U.S. military drones on the dark web after stealing them from a captain in the Air Force, according to researchers from cybersecurity firm Recorded Future.
On June 1 an English-speaking hacker who's part of a larger group of criminals based in South America, began advertising access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV), the researchers said.
The hacker stole the cache of sensitive documents from a computer used by a captain at the 432nd Aircraft Maintenance Squadron stationed at the Creech Air Force Base in Nevada, by taking advantage of a vulnerability in the base’s Netgear router. The documents included Reaper maintenance course books and a list of airmen assigned to a Reaper maintenance unit.
He then advertised them on a dark web marketplace for as little as $150 worth of bitcoin.
Though the documents were not classified, their exposure is still a major security concern, said researcher Andrei Barysevich, who added it was “incredibly rare” for hackers to attempt to sell such documents on the open market. If they fell into the wrong hands, for example, it could give U.S. enemies a tactical advantage, and the leak also reveals significant vulnerabilities in the U.S. military’s cybersecurity policies, the researchers said.
“The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” Barysevich said.
The Reaper, regarded as one of the most lethal pieces of military technology deployed in the past two decades, is sophisticated enough to read a license plate number from two miles away and carries both laser-guided bombs and air-to-ground missiles.
The Air Force did not respond to a request for comment about the breach, but a law enforcement investigation is ongoing, according to Recorded Future’s report. Barysevich told VICE News he had identified the name and country of residence of the hacker, and the group he believes to be responsible. He is assisting in the investigation.
The breach will be a worry for the Air Force at a time when the threat of cyberattack from a variety of actors is at an unprecedented level.
But what makes the theft of the Reaper documents even more egregious is the fact that the captain involved, who was not identified in the report, had just completed the Cyber Awareness Challenge, which is part of the mandatory cybersecurity training that military personnel have to undertake.
The officer could have averted the hack by simply setting up the login credentials for the router properly to begin with, according to Barysevich.
The researcher added that in online conservations the hacker also admitted to stealing another cache of military documents, featuring more than a dozen various training manuals describing improvised explosive device defeat tactics, an M1 Abrams tank operation manual, a crewman training and survival manual, and tank platoon tactics.
The researchers were not able to identify where these documents were stolen from but said they “appear to be stolen from the Pentagon or from a U.S. Army official.”
Cover image: An MQ-9 Reaper remotely piloted aircraft (RPA) is parked in a hanger at Creech Air Force Base on November 17, 2015, in Indian Springs, Nevada. (Isaac Brekken/Getty Images)
This article originally appeared on VICE US.