Wi-Fi drones were used by hackers to penetrate a financial firm’s network remotely

Hackers have a new attack vector they have been toying with over the last couple of years — drone penetration kits. Drones have become much more capable in the last several years, making them a viable option for covertly placing intrusion equipment near a network. Once just a field of theoretical security research, now hacking drones are being found in the wild.

This week, The Register reported on a drone attack that happened over the summer. The compromised private investment firm kept the incident quiet but agreed to speak on it to security researchers under a nondisclosure agreement.

Network administrators discovered the company’s internal Confluence page was exhibiting strange behavior within the local area network. Confluence is a web-based remote collaboration software developed by Atlassian.

While investigating the incident, security personnel discovered two drones on the roof of the building. One was a “modified DJI Matrice 600,” and the other was a “modified DJI Phantom.” The Matrice had crashed but was still operational, and the Phantom had landed safely.

The Matrice was outfitted with a penatration kit (pen kit) consisting of a Raspberry Pi, a GDP mini laptop, a 4G modem, a WiFi device, and several batteries. The Phantom carried a network penetration testing device developed by Hak5 called a WiFi Pineapple.

Security researcher Greg Linares, who spoke to the firm’s IT team, said that the bad actors used the Phantom a few days before the attack to intercept an employee’s credentials and WiFi. They then coded the stolen information into the Matrice drone’s penetration equipment.

The Matrice drone compromised the company’s Confluence page from the roof using the employee’s MAC address and access credentials. They poked around the Confluence logs attempting to steal more logins to connect to other internal devices but had “limited success.”

The admins knew the network was under attack when they noticed the compromised employee’s MAC address was logged in locally and from his home several miles away. The security team isolated the WiFi signal and used a Fluke tester to trace and locate the device on the roof.

Linares said this is the third drone-based cyberattack he has seen in the last two years but says the attack vector still needs work. The only reason this one had some success was that the company was on a temporary network that wasn’t fully secured.

“The attackers specifically targeted a limited access network, used by both a third-party and internally, that was not secure due to recent changes at the company (e.g. restructuring/rebranding, new building, new building lease, new network setup or a combination of any of these scenarios),” Linares told The Register.

Even on this weakened network, the attack still required weeks of “internal reconnaissance.”

“This was definitely a threat actor who likely did internal reconnaissance for several weeks, had physical proximity to the target environment, had a proper budget, and knew their physical security limitations,” Linares said.

Security researchers have experimented with drones since as early as 2011. At that time, commercially available drones were too weak to carry the required payloads. Their range was also so limited that the attacker would have to be on-site for an intrusion, defeating the purpose.

Today, drones are much more advanced and powerful, as seen in this example. Continued drone advancements and refinement of this attack vector could make it a more severe threat in the coming years.