During the summer of 2022, an East Coast financial services company specializing in private investments became the target of a new kind of cyberattack involving drones. The incident came to light when the company’s cybersecurity team detected unusual activity on its internal Atlassian Confluence page. The activity appeared to originate from within the company’s network, but the same MAC address was simultaneously being used remotely by an employee working from home.
The security team acted quickly, deploying a Fluke AirCheck Wi-Fi Tester to trace the rogue signal. The investigation led them to the roof of their building, where they discovered two modified drones: a DJI Phantom and a DJI Matrice 600. The Phantom drone was equipped with a Wi-Fi Pineapple device (a tool typically used for penetration testing, but abused here to spoof the company’s legitimate network). This allowed the attackers to intercept login credentials when employees unknowingly connected to the fake network. The Matrice drone carried a more extensive payload, including a Raspberry Pi, a GPD mini laptop, a 4G modem, additional Wi-Fi devices, and batteries.
Later, the team discovered that the Phantom drone had been used days earlier for reconnaissance, capturing an employee’s credentials and Wi-Fi access without detection. These credentials were then hardcoded into the tools deployed on the Matrice drone. The attackers aimed to exploit these credentials to access the company’s internal Confluence page and potentially other resources stored there.
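The signal that exposed the intrusion was a device MAC seen on the on-site network while the same MAC held a remote session from home. The following detection routine, added here as an illustration and not code from the company or from Computerworld, correlates constructed wireless-controller association events with constructed VPN session events and alerts on any time window where one MAC is both on-site and remote; the log format, field names and the assumption that both sources record the device MAC are hypothetical.

```python
from datetime import datetime

# Constructed sample records (not from the incident): wireless-controller
# association events and VPN concentrator session events for two devices.
WIFI_LOG = [
    "2022-07-12T09:02:11 ap=roof-north mac=aa:bb:cc:dd:ee:01 event=assoc user=jdoe",
    "2022-07-12T09:40:05 ap=roof-north mac=aa:bb:cc:dd:ee:01 event=disassoc user=jdoe",
    "2022-07-12T08:15:00 ap=floor3 mac=aa:bb:cc:dd:ee:02 event=assoc user=asmith",
    "2022-07-12T10:00:00 ap=floor3 mac=aa:bb:cc:dd:ee:02 event=disassoc user=asmith",
]
VPN_LOG = [
    "2022-07-12T08:30:00 mac=aa:bb:cc:dd:ee:01 event=connect user=jdoe src=203.0.113.7",
    "2022-07-12T11:00:00 mac=aa:bb:cc:dd:ee:01 event=disconnect user=jdoe src=203.0.113.7",
    "2022-07-12T12:00:00 mac=aa:bb:cc:dd:ee:02 event=connect user=asmith src=198.51.100.9",
]

def parse(line):
    """Parse one 'timestamp key=value ...' record into a dict (hypothetical format)."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def sessions(lines, start, end):
    """Group start/end events per MAC into (start_ts, end_ts) intervals.
    A session with no end event yet is treated as still open."""
    out, open_at = {}, {}
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        mac = rec["mac"]
        if rec["event"] == start:
            open_at[mac] = rec["ts"]
        elif rec["event"] == end and mac in open_at:
            out.setdefault(mac, []).append((open_at.pop(mac), rec["ts"]))
    for mac, t0 in open_at.items():
        out.setdefault(mac, []).append((t0, datetime.max))
    return out

def simultaneous_local_and_remote(wifi_lines, vpn_lines):
    """Return (mac, overlap_start, overlap_end) for every window in which a MAC
    was associated to on-site Wi-Fi while the same MAC held a VPN session.
    A MAC is trivially spoofable, which is exactly why one being in two
    places at once is worth an alert rather than being trusted as identity."""
    wifi = sessions(wifi_lines, "assoc", "disassoc")
    vpn = sessions(vpn_lines, "connect", "disconnect")
    alerts = []
    for mac in wifi.keys() & vpn.keys():
        for w0, w1 in wifi[mac]:
            for v0, v1 in vpn[mac]:
                lo, hi = max(w0, v0), min(w1, v1)
                if lo < hi:
                    alerts.append((mac, lo, hi))
    return alerts

if __name__ == "__main__":
    for mac, lo, hi in simultaneous_local_and_remote(WIFI_LOG, VPN_LOG):
        print(f"ALERT {mac}: on-site Wi-Fi and VPN overlap {lo} -> {hi}")
```

On the sample data only the first device fires, because its VPN session (08:30 to 11:00) spans its on-site association (09:02 to 09:40); the second device's sessions do not overlap.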
This story originally appeared on Computerworld