A hacker stole information about combat drones and personnel assignments from a Nevada-based Air Force officer's computer and sought to sell some of the documents on the dark web, until he was revealed by a web security firm.
The hacker offered training manuals for the U.S. military's MQ-9 Reaper drone and a list of airmen working with the drones for sale until last week via the dark web, a part of the internet that generally requires anonymity tools and authorization to access.
The training and maintenance material is not classified but is considered sensitive information and "furnished upon condition that it will not be released to another nation" without appropriate Defense Department authority.
The $150 deal offered by an unidentified English-speaking hacker was halted following a threat analysis by the cybersecurity group Recorded Future's Insikt Group, according to the company's website.
Recorded Future reported the hacker's activities to military response teams, who will determine the ramifications of the security breach, the company said.
"I've been personally investigating the dark web for almost 15 years, and this is the first time I've uncovered documents of this nature," wrote Andrei Barysevich, director of advanced collection at Recorded Future, in his report. "This type of document would typically be stolen by nation-state hackers. They wouldn't be offering it on the dark web, and certainly not for $150."
Recorded Future reached out to the thief as a newly registered member of a hacking forum after they noticed suspicious online advertisements for the military training manual and a list of airmen assigned to the 432nd Aircraft Maintenance Squadron at Creech Air Force Base, Nev.
While posing as a potential buyer, Barysevich learned the hacker stole sensitive military documents from the home network of an Air Force captain with the 432nd AMXS.
The hacker used a search-engine called Shodan to find the captain's unsecured Netgear router and gained access using the device's default password. The hacker then stole files from his computer, including a recent certificate of completion for Cyber Awareness Challenge training, a mandated online course for most DOD personnel.
After the drone manuals were uploaded, the hacker also posted an M1 Abrams Tank maintenance manual, a tank platoon training course, a crew survival course and documentation on improvised explosive device mitigation tactics.
The hacker did not disclose to Recorded Future the source of the additional materials.
"While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts," Barysevich said.
Recorded Future is currently assisting law enforcement with an investigation. Researchers at the firm said they have a "high degree of confidence" the hacker is from South America but did not elaborate further, citing the investigation, according to a CNN report.