Air Force fails Cybersecurity 101

Stop me if you’ve heard this: Cybersecurity starts with the basics. What good is the best suite of tools under heaven if your users leave factory default passwords on network routers?

Lack of attention to such basics is apparently how sensitive U.S. military documents ended up for sale on the dark web. The documents had to do with maintenance procedures and specific individuals connected to the Air Force’s MQ-9 Reaper program. This is all according to a blog at the threat intelligence company Recorded Future.

Now, to be fair, a great deal is known about the Reaper from public sources, including from the Air Force itself. Several other nations use this weapon. It’s been around since 2001. Likely the leaks aren’t nearly as damaging as, say, the NSA’s loss to Shadow Brokers of its hacking tools in 2016. But still, the Reaper is among the more potent weapons. It needs protection.

This incident seems to have moved federal document theft into new territory. The Recorded Future blog states: “It is incredibly rare for criminal hackers to steal and then attempt to sell military documents on an open market.” Human trafficking? Take your pick. Bulk credit card data? Aisle 21. But military documents, not so much.


Until now.

Recorded Future also reports the hacker spent spare time watching live footage from border surveillance cameras and aircraft, including from an MQ-1 Predator flying over the Gulf of Mexico.

More interesting is that as Recorded Future tracked and engaged with the hacker, he disclosed he’d used a known vulnerability in Netgear routers. The hole is easily remedied and should have been. The hacker used a scanning engine to find all copies of the router that hadn’t been updated.

Talking, evangelizing, complaining, training and preaching about cybersecurity has become an industry seemingly as large as cybersecurity itself. In fact, the Air Force captain whose computer was hacked had just completed the Cyber Awareness Challenge, Recorded Future reports. The company editorializes a bit, adding that the captain “should have been aware of the required actions to prevent unauthorized access. In this case, setting the FTP password.”

Andrei Barysevich, the investigative lead at Recorded Future, says the vulnerability lets the hacker barge right into computers on the network behind the router. Netgear, he says, notified customers of the need to set passwords two years ago. A scan by Recorded Future shows thousands of such routers still unconfigured. Potentially just as damaging, the channel exploited by the hacker runs two ways. Bad actors can upload malware or anything they want to the targeted machines, not merely take files from them.

After two weeks of drawing out the hacker and verifying the authenticity of the documents, Recorded Future notified the Homeland Security Department, according to Barysevich. Two days later the router had been corrected. That’s fast reaction in federal government terms.

This incident validates the policy of continuous monitoring and diagnostics. If hackers have tools that can pinpoint any weak router in the world, surely the U.S. military ought to have the same capability. Scanning is perfectly legal. It’s like walking by a closed jewelry store at night and seeing the door ajar. How you react indicates the kind of citizen you are.

Barysevich says the slightly hapless hacker — who was gradually goaded into giving up many of his secrets — might’ve downloaded more documents but didn’t. He claimed to work in a South American country where bandwidth is limited.

What if he’d been Russian?