Drone plans for sale: military documents on the dark web

In June, Recorded Future’s Insikt Group made an unprecedented discovery: documents relating to the MQ-9 Reaper drone for sale on the dark web. Berenice Baker speaks to Andrei Barysevich, director of advanced collection at Insikt Group, to find out how the documents were discovered and what the incident means for government security.

In June, a group of analysts monitoring the dark web for emerging threats identified US Air Force (USAF) documents relating to the MQ-9 Reaper drone for sale. After establishing a relationship with the perpetrators, they discovered more military documents on offer, and found the method the sellers used was worryingly simple. 

The ‘dark web’ is a network of untraceable online activity and hidden websites, which, while it can provide anonymity for legitimate users, also hosts criminal activity. Monitoring underground forums on the dark web for illegal transactions is just one of the responsibilities of threat intelligence specialist Recorded Future’s Insikt Group, named for the Swedish word for insight. 

They weren’t looking for military secrets when they stumbled upon the Reaper documents on 1 June, but soon realised they had uncovered both a serious crime and a dangerous security breach.

Andrei Barysevich, director of advanced collection and dark web expert with Insikt Group, released research last month detailing how his team of 15 discovered the plans, infiltrated the perpetrators to find out how they’d done it, and uncovered more military secrets for sale. 

“We monitor for any emerging threats,” explains Barysevich. “It could be a new unknown APT [advanced persistent threat] group from anywhere in the world, a lone criminal actor attempting to sell any type of data that could be relevant to our clients, or social unrest anywhere in the world.”

Better, faster, cheaper: Embracing ‘smart’ manufacturing

Over recent years, shipbuilders have been steadily moving away from their legacy production methods and increasingly outdated, and often out-of-sync, yards, to embrace ‘smart’ manufacturing approaches and bring streamlined, data-rich efficiency to the design and build process.

Now, with naval budgets under pressure and defence spending in general subject to unprecedented scrutiny, those moves have gained even more traction as the demand to build warships better, faster and cheaper has become the mantra of the day.

The next generation, digitised and date-driven shipyard not only promises cheaper and more efficient design and construction, but should also drive down the cost of ownership too. The key is creating a digital thread, a synchronised body of information that encompasses the entire supply chain, and builds into what has been called a ‘single version of the truth’ that governs everything from conception, design and construction, to upgrades and modifications throughout the vessel’s in-service life.

An unprecedented military document sale

Insikt Group’s global clients span the financial, insurance, healthcare, education, energy and travel industries, and Barysevich says his team works with almost every large law enforcement agency in the world. 

“Every organisation has a varying set of requirements and a responsibility for what they need to monitor for,” he says. “Our highly skilled analysts maintain this oversight on underground communities. We blend in with criminal actors, we word as undercover agents. It’s our job to be a fly on the wall to make sure we hear everything and no-one notices.”

“In all my 15-year career I have never seen military documents of this magnitude being sold anywhere on the criminal underground.”

When the team found USAF documents related to the MQ-9 Reaper drone on sale, the analysts were carrying out everyday monitoring of criminal forums rather than specifically looking out for this sort of leak. 

“Just to emphasise how unique this information was, in all my 15-year career I have never seen military documents of this magnitude being sold anywhere on the criminal underground,” says Barysevich.

They decided to engage the vendor immediately and maintained contact with him for several weeks. 

“We were very successful in building rapport with him, and are still talking to him now,” says Barysevich. “During the course of our engagement he was very open; he shared his methods, he explained in outline how exactly he targeted his victims, what he does and where he resides.” 

A simple hacking method and a wide-ranging threat

The team learned that the individual was one of at least four people working together with the main goal of making money, rather than being part of a larger advanced persistent threat hacking group, for example. 

“We learned that they are not very proficient in what they do,” says Barysevich. “They are not high-level hackers; they identified a simple method that could be very easily replicated by pretty much anyone. I’m sure if you spent two hours you’d be able to exactly replicate the same attack.” 

“What they did is scan entire segments of the internet on a daily basis, perhaps several times a day, and once they’d identified vulnerable machines, they’d randomly access machines to see what information was available. 

“They are not high-level hackers; they identified a simple method that could be very easily replicated by pretty much anyone.”

“And this is the cheekiest part; you can see all the exposed machines, but it’s not until you actually access the machine that you know whether it’s a high-profile organisation or a personal computer. They’d identify hundreds, if not thousands, of potential victims and would log in to each one to see what information could be stolen from them. In many cases they were able to find governments or organisations, or personal computers used by high-profile officials, so they weren’t explicitly targeting the US Air Force or Pentagon, they were just lucky to find military documents on exposed machines.”

With the investigation still underway, the team can’t reveal much about the criminals while they maintain active contact with them and assist with law enforcement investigations, in case they spook them. This balance between curtailing criminal activity early and gathering sufficient information to convict offenders is Insikt Group’s stock in trade. 

“That’s where our expertise comes in,” says Barysevich. “We know how to game bad guys. It’s a hard job to be able to get enough information to confirm a breach but not to burn our aliases, but that’s why we get paid well.”

Share this article

How to keep government documents safe

While reluctant to offer broad cybersecurity recommendations to government players, Barysevich suggests paying attention to what happens to official documents. 

“What we see over and over again is that someone who works for the government takes documents to work on at home. So while all the security systems within the organisation are up to date, once sensitive documents leave that secure network and enter a home computer all hell breaks use,” he says.

“Governments should train not just a handful of officers but the entire staff, and make sure they know how easy it is for hackers to compromise their systems.”

He adds that had the same vulnerability could have been abused by nation state attackers who would not be incentivised to release the information but would instead silently continue to monitor activities of their target.

“Governments should train not just a handful of officers but the entire staff, and make sure they know how easy it is for hackers to compromise their systems,” Barysevich says.

He adds that installing password management software, properly securing Wi-Fi and routers, and installing a good antivirus would probably stop 99.9% of all hacking attacks. 

“A lot of people say things like, ‘Well, I’m not that important, why would anyone hack me?’ They think hackers study their victims beforehand and target them to steal a specific set of information. Most of the time hackers cast a wider net and just wait and see what they can catch.”

Tactics and manuals: more military documents for sale

After offering the Reaper drone documents, the original criminal contact offered more military documents, this time training manuals describing improvised explosive device defeat tactics, an M1 ABRAMS tank operation manual, a crewman training and survival manual, and tank platoon tactics. 

Barysevich said his team could not identify the source, but they appear to be stolen from the Pentagon or from a US Army official. He believes the fact that this group was able to get hold of documents from the USAF and the Pentagon within a single month without directly targeting them suggests many more military documents must have been stolen.

“The problem could be much bigger than just a set of documents about the Reaper drone being stolen by hackers.”

“The method they used was to access remote files through FTP, which also allows you to upload information, like credential interception malware,” he says. “Given this officer is accessing documents from his personal computer, he’s probably also accessing official. 

"Attackers could be monitoring everything he does at his computer; it’s very possible that they were able to access other USAF information and other networks. The problem could be much bigger than just a set of documents about the Reaper drone being stolen by hackers.”

While Insikt Group has managed to gather a great deal of information about the criminal actors in this case – they’re located in a South American country and they know their names and addresses –the investigation is still in its early stages.

“In my experience it usually takes about six months to wrap up an investigation,” Barysevich says. “Since we already know the real names of the attackers and where they live, hopefully the case will progress rapidly."

go to top