Sensitive military documents have been put up for sale in online hacking forums after someone forgot to change a default password, according to a security firm that discovered the breach.
Documents for sale include maintenance manuals for servicing MQ-9 Reaper drones, training manuals describing deployment tactics for improvised explosive devices (IEDs), documents detailing tank platoon tactics and an M1 ABRAMS tank operation manual, Bleeping Computer reported.
Security firm Recorded Future discovered the documents for sale online and said the hacker who stole them was selling the information for the surprisingly low bargain price of between $150 and $200.
The security firm, which has reported its findings to US authorities, said it had engaged with the hacker online and found he had used a program to search for Netgear routers that use a known default File Transfer Protocol (FTP) password. He then used the default password to gain access to the routers — and some were located at military facilities.
The hacker stole the MQ-9 Reaper manual, for example, from the Creech Air Force Base in Nevada. The Reaper drones are used by the US Air Force, the US Navy, the CIA, NASA and the Customs and Border Protection agencies — as well as other foreign militaries. The hacker did not say where he got the other documents from but experts suspect they were taken from the Pentagon or a US Army official.
A spokesperson for Recorded Future said the stolen training manuals were not classified material, but in the wrong hands “could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts”.
The entire affair could have been avoided, however, if the IT team at the military bases had simply changed the default password.
Bleeping Computer reported that the issue with Netgear routers using default passwords has been known since 2016 when a security researcher raised the alarm about the oversight. At the time, Netgear published a support page containing information on how users could change the password — but obviously not everyone paid attention.