A hacker tried to sell sensitive U.S. military documents relating to Reaper drones and tanks on the shady part of the internet called the darknet, security firm Recorded Future Inc.’s Insikt Group has discovered.

The material included Air Force maintenance training materials for the MQ-9A Reaper drone and the list of airmen assigned to the drone maintenance squad, along with an M1 Abrams tank operation manual, crewman training and survival manual, tank platoon tactics and documentation on improvised explosive mitigation tactics.

The person selling the material was first detected June 1. Insikt then made contact with the hacker, who is said to have bragged about accessing live footage from a Predator flying over Choctawhatchee Bay in the Gulf of Mexico.

The hacker said the drone data had been obtained by exploiting an FTP vulnerability in Netgear routers, specifically a failure of a captain stationed at the Creech AFB in Nevada to set a password. The tank data is believed to have been stolen from the Pentagon or a U.S. Army official in a similar fashion. In both cases, the hacker said he had identified the vulnerabilities via Shodan, a search engine for “internet of things” devices.

“It’s incredibly rare for criminal hackers to try to sell military documents on an open market like this,” a spokesperson for Recorded Future said in an email. “Insikt Group notified the affected organizations who blocked access to the data, blocking the sale. However, it’s unclear if any the data was downloaded, copied or shared with others. While the course books aren’t classified material on their own, they could provide adversaries the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircraft.”

The General Atomics MQ-9 Reaper drone is used by all arms of the U.S. military along with the Central Intelligence Agency, Customs and Border Protection and foreign militaries, including Australia, the U.K., France, Germany and a range of others in both surveillance and hunter-killer operations. The M1-A Abrams tank is used by the U.S. Army and Marine Corps as well as the armies of Egypt, Kuwait, Saudi Arabia, Australia and Iraq.

“As current compromises have shown, even those who should be adept to common security hygiene practices are not immune to rudimentary attacks, resulting in incidents with dire consequences,” the full report said in its conclusion. “Although private industries have really stepped up their security efforts in recent years, investing heavily both in the infrastructure and workforce education, the government is consistently lagging behind when it comes to the security training of its employees and protection of state secrets.”

Photo: U.S. Air Force