Researchers from Recorded Future, a threat intelligence company, say they found a cache of sensitive military documents for sale on the Dark Web, including details on the US Air Force's MQ-9 Reaper drones, as well as training courses on tanks, survival and improvised explosive devices.
A hacker had stolen the secret files by taking advantage of a router vulnerability known about since 2016, according to Recorded Future. The Air Force didn't respond to a request for comment.
Cybercriminals often cast a wide net across the web looking for any opening they can find. Routers can be an entry point if people fail to keep up with security updates.
In June, the FBI asked that people reboot their routers after Russian hackers infected over 500,000 of the devices in 54 countries. Routers are also prized targets because they allow access to web activity, passwords and, potentially, top secret documents.
The hacker had used Shodan, a search engine for connected devices, to look for routers that were still vulnerable to attacks, Recorded Future said.
"The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week's time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve," Andrei Barysevich, Recorded Future's director of advanced collection, said in a blog post.
The hacker also bragged to Recorded Future's researchers that he was able to watch live footage from border surveillance cameras and airplanes, sending a screenshot of footage from a drone flying over the Gulf of Mexico.
In one Dark Web post, the cybercriminal named his asking price to a potential buyer. "I expect about $150 or $200 for being classified information," reads a screenshot of the posting. The post was accompanied by a schematic of the drone.
The MQ-9 Reaper drone is one of the most widely used military drones around the world, deployed by the Air Force as well as the US Navy, the CIA and NASA.
Recorded Future's researchers said they contacted the thief, who was able to steal the documents from a computer belonging to a captain stationed at an Air Force base in Nevada, using a vulnerability on a misconfigured router.
The vulnerability had been publicly announced in early 2016, with Netgear warning people that they should change their router's default passwords. Despite finishing a cybersecurity training course on Feb. 16 this year, the hacked captain didn't change the default password on the router, Recorded Future's researchers said.
The security analysts found that there were more than 4,000 routers around the world vulnerable to the same attack, even though the warning has been out for two years.
It's unclear how thieves got hold of the second set of documents spoken of by Recorded Future -- with secrets on how the US military avoids IEDs and operates tanks. The confidential files were listed for sale about two weeks after the first listing, Recorded Future said.
The company said it was cooperating with law enforcement's investigation of the data breach.