Incident: Military Secrets Stolen Due to Router Vulnerability.

Published Date: 2018-07-10

Postmortem Analysis
Timeline
1. The software failure incident involving the theft of sensitive military documents through a router vulnerability happened in early 2016 [Article 73467].
2. The incident in which the hacker penetrated an Air Force captain's computer to steal information about US military drones occurred in 2018 [Article 73618].

System
1. Netgear routers [73467, 73618]
2. Military systems (the captain's computer) [73467, 73618]

Responsible Organization
1. The hacker who exploited the router vulnerability to steal sensitive military documents [73467, 73618]

Impacted Organization
1. US Air Force [73467, 73618]
2. Military personnel working with MQ-9 Reaper drones [73467, 73618]

Software Causes
1. Exploitation of a router vulnerability known since 2016, leading to the theft of sensitive military documents [73467, 73618]
2. Failure to change the default password on a Netgear router, allowing unauthorized access to the captain's computer [73467, 73618]

Non-software Causes
1. Failure to change default passwords on routers despite public warnings and cybersecurity training [73467, 73618]
2. A misconfigured router, which left the vulnerability open to exploitation [73467, 73618]
3. Lack of proper security measures to protect sensitive military documents [73467, 73618]
4. Inadequate cybersecurity practices within the military organization [73467, 73618]

Impacts
1. Sensitive military documents, including details on the US Air Force's MQ-9 Reaper drones and training courses on tanks, survival, and improvised explosive devices, were stolen by a hacker through a router vulnerability [73467, 73618].
2. The hacker was able to watch live footage from border surveillance cameras and airplanes, a breach of both security and privacy [73467].
3. The hacker attempted to sell the stolen documents on the dark web, potentially exposing classified information to adversaries [73618].
4. The breach highlighted the risk posed by vulnerable routers: thousands of routers worldwide remained susceptible to the same attack despite warnings and cybersecurity training [73467, 73618].
5. The incident raised concerns that adversaries could assess the technical capabilities and weaknesses of advanced military aircraft such as the MQ-9 Reaper drones [73618].

Preventions
1. Keeping routers updated with the latest security patches and firmware so that known vulnerabilities cannot be exploited [73467, 73618].
2. Changing default passwords on routers to prevent unauthorized access [73467, 73618].
3. Providing proper cybersecurity training for military personnel to raise awareness of the risks and of best practices for securing sensitive information [73467, 73618].

Fixes
1. Ensure routers are regularly updated with the latest security patches and firmware updates to address vulnerabilities like the one exploited in the incident [73467, 73618].
2. Change default passwords on routers to prevent unauthorized access, since a default password left unchanged is an open door [73467, 73618].
3. Conduct thorough cybersecurity training for military personnel covering practices such as changing default passwords and staying vigilant against potential threats [73467, 73618].
4. Implement stricter access controls and monitoring to detect and prevent unauthorized access to sensitive military documents and systems [73467, 73618].
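The Preventions and Fixes above reduce to three checks an operator can run against a device inventory: is the admin credential still the factory default, is the firmware older than the build that fixed the known flaw, and is the management interface reachable from outside the network (the page notes the attacker located the router through Shodan). The Python below is an added example, not code from the source articles, Recorded Future or Netgear; every model name, firmware version, default credential and inventory entry is a constructed placeholder, and the finding names and the version-comparison approach are this example's own design.

```python
"""Fleet audit for the failure modes named in the postmortem: default admin
credentials left in place, firmware older than the build that fixed a known
flaw, and a management interface exposed to the WAN.

Added example, not from the source articles. All device records, model names,
firmware versions and default credentials below are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed: SHA-256 of the factory-default admin credential per model.
# Keeping only hashes lets the audit run without handling the default secret
# in clear text on the auditing host.
DEFAULT_CRED_HASHES = {
    "EXAMPLE-R1": hashlib.sha256(b"EXAMPLE-R1-factory-default").hexdigest(),
    "EXAMPLE-R2": hashlib.sha256(b"EXAMPLE-R2-factory-default").hexdigest(),
}

# Constructed: the oldest firmware build per model that contains the fix.
MIN_PATCHED_FIRMWARE = {
    "EXAMPLE-R1": "1.2.10",
    "EXAMPLE-R2": "3.0.4",
}


@dataclass
class Router:
    host: str
    model: str
    firmware: str
    admin_cred_hash: str     # SHA-256 of the credential currently configured
    wan_admin_enabled: bool  # management UI reachable from the WAN side


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so builds compare numerically.

    Comparing the raw strings would wrongly rank '1.2.9' above '1.2.10'.
    """
    parts = re.findall(r"\d+", v)
    if not parts:
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def audit_router(r: Router) -> list:
    """Return the list of findings for one device (empty when it passes)."""
    findings = []
    default_hash = DEFAULT_CRED_HASHES.get(r.model)
    if default_hash is not None and r.admin_cred_hash == default_hash:
        findings.append("default-credential")
    minimum = MIN_PATCHED_FIRMWARE.get(r.model)
    if minimum is None:
        # No baseline on file: flag rather than silently pass the device.
        findings.append("unknown-model")
    elif parse_version(r.firmware) < parse_version(minimum):
        findings.append("unpatched-firmware")
    if r.wan_admin_enabled:
        findings.append("wan-admin-exposed")
    return findings


def audit_fleet(fleet) -> dict:
    """Map host -> findings for every router with at least one finding."""
    report = {}
    for r in fleet:
        found = audit_router(r)
        if found:
            report[r.host] = found
    return report


def cred_hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample inventory: one compliant device per model, one device
# that fails all three checks, and one model with no baseline on file.
SAMPLE_FLEET = [
    Router("10.0.0.1", "EXAMPLE-R1", "1.2.10", cred_hash("site-unique-passphrase-1"), False),
    Router("10.0.0.2", "EXAMPLE-R1", "1.2.9", cred_hash("EXAMPLE-R1-factory-default"), True),
    Router("10.0.0.3", "EXAMPLE-R2", "3.0.4", cred_hash("site-unique-passphrase-3"), False),
    Router("10.0.0.4", "EXAMPLE-R9", "9.9.9", cred_hash("site-unique-passphrase-4"), False),
]

if __name__ == "__main__":
    for host, findings in sorted(audit_fleet(SAMPLE_FLEET).items()):
        print(host, ", ".join(findings))
```

Run stand-alone, the script prints one line per non-compliant host. Two design points matter in practice: a device whose model has no baseline is reported as a finding rather than passed, so gaps in the baseline table surface instead of hiding, and firmware versions are compared as integer tuples, since plain string comparison would rank a 1.2.9 build above the 1.2.10 fix.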
References
1. Recorded Future - The articles draw on cybersecurity investigators at Recorded Future, a threat intelligence firm, for information about the incident [73467, 73618].
2. FBI - The articles mention that the FBI is investigating the breach [73618].
3. US Air Force - The articles mention that the US Air Force is involved in the incident [73467, 73618].
4. Netgear - The articles mention that the exploited vulnerability was in Netgear routers [73467, 73618].
5. Dark Web - The articles mention that the hacker tried to sell the stolen documents on the dark web [73618].

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- The vulnerability in Netgear routers that allowed the hacker to steal sensitive military documents from an Air Force captain's computer had been publicly announced in early 2016, with Netgear warning people to change the default passwords on their routers [73467].
- Despite finishing a cybersecurity training course in February 2018, the hacked captain did not change the default password on the router, leading to the successful breach [73467].
(b) The software failure incident having happened again at multiple_organization:
- The article mentions that security researchers have warned for years that Netgear routers are vulnerable to attack if owners do not change the default password, indicating that this type of vulnerability may exist in routers used by multiple organizations or individuals [73618].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident can be attributed to the design phase. It occurred because of a vulnerability in Netgear routers that was publicly announced in early 2016, with Netgear warning people to change the default passwords on their routers. Despite finishing a cybersecurity training course, the hacked captain did not change the default password on the router, leading to the breach [73467, 73618].
(b) The software failure incident can also be linked to the operation phase. The hacker accessed the sensitive military documents by exploiting a vulnerability in the Netgear routers, which resulted from the operation or misuse of the system. The incident highlights the importance of maintaining and updating systems to prevent unauthorized access and data breaches [73467, 73618].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system:
- The software failure incident was primarily due to contributing factors that originated within the system. A hacker penetrated an Air Force captain's computer to steal sensitive information about US military drones by exploiting a vulnerability in Netgear routers [73618].
- The vulnerability in the Netgear routers allowed the hacker to access the material on the captain's computer, leading to the theft of sensitive military documents [73467].
- Despite warnings and cybersecurity training, the captain did not change the default password on the router, a critical internal factor contributing to the incident [73467].
(b) outside_system:
- The software failure incident also had contributing factors that originated outside the system. For example, the hacker used Shodan, a search engine for connected devices, to identify vulnerable routers for the attack [73467].
- Additionally, the articles mention that the hacker tried to sell the stolen documents on the dark web, an external platform that is not publicly searchable, indicating an external factor in the incident [73618].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incident was primarily due to a vulnerability in Netgear routers that allowed a hacker to steal sensitive military documents [73467, 73618].
- The hacker exploited a router vulnerability known since 2016 to access the documents, indicating a failure introduced without human participation [73467].
- Despite warnings and cybersecurity training, the default passwords on routers were not changed, leaving thousands of routers vulnerable to the same attack [73467, 73618].
(b) The software failure incident occurring due to human actions:
- Human actions contributed to the software failure incident: the Air Force captain did not change the default password on the router, despite cybersecurity training and warnings [73467].
- The hacker was able to access the material on the captain's computer through a vulnerability in Netgear routers; preventing that access required the human action of changing the default password [73618].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident occurring due to hardware:
- The software failure incident was primarily due to a hardware vulnerability in Netgear routers. The hacker stole sensitive military documents by exploiting a vulnerability in the router, which allowed unauthorized access to the Air Force captain's computer [73467, 73618].
(b) The software failure incident occurring due to software:
- The software failure incident also had contributing factors originating in software. The hacker exploited a software vulnerability in the Netgear routers, which allowed unauthorized access to sensitive military documents stored on the Air Force captain's computer. Additionally, the failure to change the default password on the router, despite warnings and cybersecurity training, was a software-related oversight that contributed to the breach [73467, 73618].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident is malicious. A hacker exploited a vulnerability in a router to steal sensitive military documents, including details on US Air Force drones and training courses on tanks and improvised explosive devices [73467, 73618]. The hacker accessed the material on the captain's computer through a vulnerability in Netgear routers and then attempted to sell the stolen documents on the dark web [73618]. The hacker also bragged about watching live footage from border surveillance cameras and airplanes, indicating malicious intent to exploit the stolen information [73467].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident can be attributed to poor decisions by the Air Force captain regarding cybersecurity practices. Despite being aware of a router vulnerability since 2016 and receiving cybersecurity training, the captain did not change the default password on the router, which allowed the hacker to steal sensitive military documents [73467, 73618]. This poor decision to neglect basic security measures ultimately led to the successful breach and theft of classified information.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident can be attributed to development incompetence. A hacker stole sensitive military documents by exploiting a router vulnerability that had been known since 2016 [73467]. Despite warnings and cybersecurity training, the Air Force captain whose computer was breached did not change the default password on the router, leading to the successful attack. Additionally, security analysts found more than 4,000 routers worldwide vulnerable to the same attack, indicating a lack of proactive measures to address known vulnerabilities [73467].
(b) The software failure incident can also be considered accidental to some extent. The hacker accessed the sensitive military information on the captain's computer through a vulnerability in Netgear routers, which are known to be vulnerable to attack if the default password is not changed [73618]. The accidental aspect lies in the oversight or negligence of not changing default passwords, which inadvertently provided an entry point for the hacker.

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident can be considered permanent. It was caused by a vulnerability in Netgear routers that had been publicly announced in early 2016, with warnings to change default passwords on routers [73467, 73618]. Two years after that warning, more than 4,000 routers around the world were still vulnerable to the same attack [73467]. The hacker exploited this vulnerability to steal sensitive military documents, indicating a permanent failure, since the contributing factors were present under all circumstances.

Category: Behaviour
Option: crash, omission, value, other, unknown
Rationale:
(a) crash:
- The software failure incident can be related to a crash, as the hacker stole sensitive military documents by taking advantage of a router vulnerability, leading to a breach in security [73467, 73618].
(b) omission:
- The software failure incident can also be related to omission, as the Air Force captain failed to change the default password on the router despite being aware of the vulnerability, which allowed the hacker to access the sensitive information [73467].
(c) timing:
- The software failure incident does not appear to be related to timing, as there is no indication that the system performed its intended functions too late or too early [unknown].
(d) value:
- The software failure incident can be related to value, as the hacker stole highly sensitive information, including details on military drones and training courses, which could be of significant value to adversaries [73467, 73618].
(e) byzantine:
- The software failure incident does not exhibit the characteristics of a byzantine failure, in which the system behaves erroneously with inconsistent responses and interactions [unknown].
(f) other:
- The software failure incident can be categorized as an "other" behaviour, as it involves a security breach in which a vulnerability in the system allowed unauthorized access to sensitive military documents [73467, 73618].

IoT System Layer

Layer          Option  Rationale
Perception     None    None
Communication  None    None
Application    None    None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) The software failure incident led to the theft of sensitive military documents, including details on the US Air Force's MQ-9 Reaper drones and training courses on tanks, survival, and improvised explosive devices [73467, 73618].
(e) unknown
(f) The software failure incident impacted non-human entities, specifically military drones such as the MQ-9 Reaper, as sensitive information about them was stolen [73467, 73618].
(g) unknown
(h) The potential consequences discussed include the ability of adversaries to assess the technical capabilities and weaknesses of advanced aircraft such as the MQ-9 Reaper drones if the stolen documents fell into unfriendly hands [73618].
(i) unknown

Category: Domain
Option: government
Rationale:
(a) The failed system was related to the defense industry, specifically involving sensitive military documents and information about US military drones such as the MQ-9 Reaper [73467, 73618].
(l) The incident also pertains to the government sector, as the stolen documents included details on military operations, training courses, and sensitive information related to the US Air Force [73467, 73618].

Sources
