After a team of undercover analysts from Recorded Future's Insikt Group embedded themselves with users from the dark-web forum, they came across the hacker who exploited a simple vulnerability on Netgear-brand routers.
Through this exploit, the hacker gained access to documents belonging to a US Air Force service member stationed at the Creech Air Force Base in Nevada, and documents belonging to another service member believed to be in the US Army.
The sensitive files included a maintenance manual for the MQ-9A Reaper drone, a list of airmen assigned to a Reaper drone unit, manuals on how to suppress improvised explosive devices, and an M1 Abrams tank manual.
Although the materials do not appear to be classified, the information was still prohibited from being "released to another nation without specific authority" and was intended for "military purposes only".
The hacker also tapped into live footage of surveillance cameras at the US-Mexico border and NASA bases, and an MQ-1 Predator flying over the Gulf of Mexico.
The hacker claimed to have stolen "classified" information from the Pentagon, but Insikt Group's analysts say their interactions with the hacker painted a less sophisticated picture. After building a rapport with other users on the dark-web forum, analysts chatted with the hacker and discovered he possessed "above amateur" abilities and may have been part of a group within a larger group.
"I wouldn't say that they possess skills of highly advanced threat-actors," Andrei Barysevich, a researcher at Recorded Future, told Business Insider. "They have enough knowledge to realise the potential of a very simple vulnerability and use it consistently."
Analysts say they have a "good level of confidence" of the hacker's identity, and are coordinating with Homeland Security officials in their investigation. A DHS representative declined to comment on the matter and the affected Air Force drone unit did not respond to requests for comment.
The hacker may not have been fully aware of the nature of the information he possessed. At one point, he complained that he was unable to find interested buyers for the files — which he believed were highly valuable. He ultimately lowered his price.
"I expect about $150 or $200 for being classified information" he said, according to a transcript.
In an attempt to make a quick sale, he was also "proactive in giving" samples to analysts, which in turn allowed them to determine whom the documents were stolen from.
"[It] clearly shows he had no knowledge of how much this data may cost and where and whom to sell it to," analyst Barysevich said. "He was attempting to get rid of it as soon as possible."
After Barysevich's team alerted US officials, the vulnerable computers were taken offline. That move ultimately cut off the hacker's access to the files.
The hacker, who is believed to live in a poverty-stricken country in South America, said his internet connection was slow and that, because his bandwidth was limited, he did not download as much information as he had hoped to, prior to finding a willing buyer.
Instead, he relied on screenshots and shared them with the analysts, who say they believe he was still unable to find a buyer.
The Netgear router vulnerability, which dates back to 2016, allowed hackers to access private files remotely if a user's password is outdated. Despite several firmware updates and countless news articles on the subject, thousands of routers remain vulnerable.
A simple search on Shodan, a search engine for devices connected to the internet, reveals more than 4,000 routers that are susceptible to the attack.
"We're literally talking about thousands of systems," Barysevich said. "And many of them appear to be operated by government employees."
Hackers, like the one Barysevich's team encountered, would scan large segments of the internet by country, identify which routers would have a standard port used by private servers, and then use the default password to discover private files.
It's difficult to match the contents of the files with their owners, but that's not exactly the point. It's a brute-force method with only one goal in mind: to find valuable data and exploit it.
"Sadly, very few understand the importance of properly securing wireless access points [WAP], and even fewer use strong passwords and understand how to spot phishing emails," Recorded Future said in a report.
"The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week's time is a disturbing preview of what a more determined and organised group with superior technical and financial resources could achieve."
Receive a single email every morning with all our latest news: Sign up here.
Also from Business Insider South Africa: