You can support the work of Bellingcat by donating through the following link:

Has Iran Been Hacking U.S. Drones?

October 1, 2019

By Nick Waters

Iran says it can hack American drones operating in the Middle East and take control of them — and it has released a video purporting to back up its claims. 

Back in February 2019, Iran’s semi-official Fars News claimed that the Islamic Revolutionary Guard Corps (IRGC) intercepted the broadcasts of U.S. UAVs above Iraq and Syria by “penetrating into the U.S. Command Center.” Brig Gen Amir Ali Hajizadeh, the commander of the IRGC Aerospace Force, claimed that “Seven to eight drones that had constant flights over Syria and Iraq were brought under our control and their intel was monitored by us.”

Fars published footage of a purported UAV feed showing what appeared to be a surveillance mission, followed by a UAV crash-landing, and then a UAV being destroyed by an airstrike. 

This has happened before. In 2008, the U.S. military discovered that insurgents in Iraq, likely aided by Iran, were intercepting the unencrypted feeds of U.S. drones. Encrypting the entire fleet of Predator and Reaper drones likely took until 2014 to complete. The capture of a stealthy American RQ-170 Sentinel UAV in 2011 was a further embarrassment for the U.S. drone force, although there is controversy over whether Iran was actually responsible for downing it.

We have geolocated the areas depicted in this footage and found they do indeed show an area in Iraq. We can also identify a time period, and locate the precise place where this UAV was destroyed.

The spokesman for the Combined Joint Task Force — Operation Inherent Resolve declined to comment on this matter, only stating that “Queries pertaining to UAV footage is a National Security Concern.”

Footage

The footage is split into three distinct segments.

The first segment shows several different locations, including individual buildings, vehicles and people from the viewpoint of what appears to be a UAV. 

The second segment shows the apparent viewpoint of a UAV as it conducts a landing on unprepared ground, indicating it was an emergency landing. 

The third segment depicts what seems to be a damaged and overturned Medium Altitude Long Endurance (MALE) UAV from the viewpoint of another aircraft, likely another UAV. The overturned UAV is then destroyed by an explosion. 

It should be noted that the footage itself is heavily edited. It has had multiple cuts, has been sped up and has had a Fars News watermark added. The segment that shows the overturned UAV has had parts of the feed obscured. There does not appear to be any way to confirm that the footage all depicts the same incident. However, as we will see, the locations depicted are all within the vicinity of Haditha, implying that the footage may have been taken from the same mission.

Verification

The feed layout itself matches those of Predator or Reaper drones, and the locations depicted in the drone feed can be identified relatively easily. Due to the feed being unredacted, information about the location of both the UAV and its target is available in Military Grid Reference System (MGRS) format. That data, converted into longitude and latitude, places the vehicle in Western Iraq.  

MGRS data within the feed

The aircraft’s position denoted by the coordinates in the video matches the satellite imagery for those locations. The only location it was not possible to match using this method is the final location with the overturned UAV.

Location 1: 34.301521, 42.41061 (Satellite imagery courtesy of Bing/Microsoft)

Location 2: 34.302333, 42.412188 (Satellite imagery courtesy of Bing/Microsoft)

Location 3: 34.36427, 42.33554 (Satellite imagery courtesy of Bing/Microsoft)

Location 4: 34.33160, 42.41564 (Satellite imagery courtesy of Bing/Microsoft)

Location 5: 34.37590, 42.27343 (Satellite imagery courtesy of Bing/Microsoft)
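The conversion step described under Verification, as an added example that is not part of the original article: a Python decoder that turns an MGRS reference into WGS84 latitude and longitude. The article does not reproduce the grid strings shown in the feed, so the sample reference is constructed from the published Location 1 coordinates; the function names are illustrative and polar (UPS) references are not handled.

```python
import math, re

A, F, K0 = 6378137.0, 1 / 298.257223563, 0.9996   # WGS84 ellipsoid, UTM scale factor
E2 = F * (2 - F)                                   # first eccentricity squared
BANDS = "CDEFGHJKLMNPQRSTUVWX"                     # 8-degree latitude bands from 80S
ROWS = "ABCDEFGHJKLMNPQRSTUV"                      # 100 km row letters, cycle of 2000 km
COLS = ("STUVWXYZ", "ABCDEFGH", "JKLMNPQR")        # 100 km column letters by zone % 3

def utm_to_latlon(zone, easting, y):
    """Inverse transverse Mercator (Snyder series); y is metres north of the equator."""
    ep2 = E2 / (1 - E2)
    mu = y / K0 / (A * (1 - E2 / 4 - 3 * E2**2 / 64 - 5 * E2**3 / 256))
    e1 = (1 - math.sqrt(1 - E2)) / (1 + math.sqrt(1 - E2))
    p = (mu + (3 * e1 / 2 - 27 * e1**3 / 32) * math.sin(2 * mu)
         + (21 * e1**2 / 16 - 55 * e1**4 / 32) * math.sin(4 * mu)
         + 151 * e1**3 / 96 * math.sin(6 * mu))        # footpoint latitude
    t, c = math.tan(p) ** 2, ep2 * math.cos(p) ** 2
    s = 1 - E2 * math.sin(p) ** 2
    d = (easting - 500000.0) * math.sqrt(s) / (A * K0)
    lat = p - math.tan(p) * s / (1 - E2) * (
        d**2 / 2 - (5 + 3 * t + 10 * c - 4 * c**2 - 9 * ep2) * d**4 / 24
        + (61 + 90 * t + 298 * c + 45 * t**2 - 252 * ep2 - 3 * c**2) * d**6 / 720)
    lon = (d - (1 + 2 * t + c) * d**3 / 6
           + (5 - 2 * c + 28 * t - 3 * c**2 + 8 * ep2 + 24 * t**2) * d**5 / 120) / math.cos(p)
    return math.degrees(lat), zone * 6 - 183 + math.degrees(lon)

def mgrs_to_latlon(text):
    """Return (lat, lon) of the south-west corner of an MGRS square (UTM zones only)."""
    m = re.fullmatch(r"(\d{1,2})([C-HJ-NP-X])([A-HJ-NP-Z])([A-HJ-NP-V])((?:\d\d){0,5})",
                     re.sub(r"\s+", "", text.upper()))
    if not m or not 1 <= int(m[1]) <= 60:
        raise ValueError(f"not a UTM-zone MGRS reference: {text!r}")
    zone, band, col, row, digits = int(m[1]), m[2], m[3], m[4], m[5]
    half = len(digits) // 2
    scale = 10 ** (5 - half)                           # metres per unit of the grid digits
    # str.index raises ValueError for a column letter that is not used in this zone
    easting = (COLS[zone % 3].index(col) + 1) * 100000 + int(digits[:half] or 0) * scale
    shift = 5 if zone % 2 == 0 else 0                  # even zones start the rows at F
    base = ((ROWS.index(row) - shift) % 20) * 100000 + int(digits[half:] or 0) * scale
    lo = -80 + 8 * BANDS.index(band)                   # southern edge of the latitude band
    for k in range(5):                                 # resolve the 2000 km row ambiguity
        y = base + 2_000_000 * k - (10_000_000 if lo < 0 else 0)
        lat, lon = utm_to_latlon(zone, easting, y)
        if lo <= lat < lo + (12 if band == "X" else 8):
            return lat, lon
    raise ValueError(f"row letter {row} does not occur in band {band}")

# Constructed sample: a 10 m grid derived from the article's Location 1, not read off the feed.
SAMPLE = "38S KC 6169 9862"
```

Calling `mgrs_to_latlon(SAMPLE)` returns a point within about 100 m of Location 1; the row letter alone is ambiguous every 2,000 km, which is why the latitude band is used to pick the right cycle.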

Below is a map showing identified locations from this feed, including the crash site to the southwest of Haditha city.

Identified locations depicted in drone feed footage (satellite imagery courtesy of Google/CNES/Airbus/Landsat/Copernicus/DigitalGlobe)

Dating

By examining the locations as depicted in detail, we can identify that at least some of this footage was filmed between 21 April 2016 and 18 July 2018. This can be established by examining damage to the building at Location 3. By using the satellite preview service TerraServer, we can see that the hole in the roof at Location 3 (marked in red below) did not appear until after 21 April 2016.  

Note the hole in the roof, marked by the red square

On TerraServer, it is also possible to see that the section marked in red in the image below was knocked down by 18 Jul 2018. In the drone footage, the building is complete, indicating it was taken before 18 Jul 2018.

Note the area marked by the red square.

Therefore, if this footage was indeed from a single mission, it was taken between 21 April 2016 and 18 July 2018.

We can further narrow down this window by locating the site of the landing and reviewing satellite imagery to see if or when a crater appears where the crashed UAV was destroyed. We can locate the crash site by looking at the final frame of the footage showing the landing. The MGRS coordinates in that frame pinpoint the UAV to a place immediately to the north of an earth rampart.

Last known location of UAV (satellite image courtesy of Bing/Microsoft)

By looking at previous coordinates in the feed, we know that the UAV was proceeding in a southerly direction, so it makes sense to look immediately to the south of the last known location. 

Sure enough, approximately 150 meters to the south of the last known location we find an area that matches the images of the crash site recorded by the second UAV. The longitude displayed on the feed of this second UAV also matches, although the latitude is obscured. 

Using satellite imagery of this location we can see that a crater appears between 11 Jun 2016 and 26 Aug 2017 at the exact location the UAV crashed, likely the result of the strike depicted in the last segment of the video. This further narrows down the window of time in which this footage was likely filmed to the 14 months between 11 Jun 2016 and 26 Aug 2017.

Middle: satellite imagery of this location taken on 26 Aug 2017. Top and Bottom: stills from drone feed. The blue circle marks where the drone came to rest and where there is now a crater.

What Kind Of UAV?

Although we cannot be absolutely sure what kind of UAV this footage comes from, the depiction of the damaged UAV and its location make it extremely likely it is the same one which we see conducting a forced landing. Although the feed resolution is not high definition, we can make out certain details on the UAV which appear to match a Gray Eagle UAV, which is distinct from a Predator or Reaper.

In the footage we can see the landing gear of the UAV, showing that it has overturned. We can also see several distinct shapes along the wings, including two weapons pylons per wing, and several smaller fins. To the author’s knowledge, the only UAV which matches these features is a Gray Eagle UAV. The two weapons pylons per wing rule out a Predator, while the four small fins under each wing appear to be unique to the Gray Eagle.

Matching the drone (Source right)

It should be noted that the Gray Eagle is used by the U.S. Army, rather than the U.S. Air Force or CIA. Unlike most CIA and USAF MALE UAVs, the Gray Eagle is usually controlled in theatre, rather than from a control station in the United States. This may mean that the Gray Eagle network had a vulnerability that is not present in USAF or CIA UAVs.

Analysis

Given the details above, it appears that although this footage is old, it is unlikely to have been faked. This, of course, begs the question of how the IRGC obtained it. 

The claim that the IRGC brought these drones under control, as opposed to only monitoring their communications, does not appear to be supported by this video. If the IRGC wished to incapacitate a drone, they could have crashed it far more catastrophically than the forced landing which we see depicted. Indeed, they could have attempted to fly the drone to territory controlled by Iran. That said, the IRGC monitoring the feeds of U.S. drones is still notable. 

The IRGC specifically claimed to have infiltrated a “U.S. Command Center” rather than to have simply intercepted the UAVs’ data link. Without further information from Iran, or intimate knowledge about how the Gray Eagle network works, it is difficult to assess this possibility. If the IRGC did have this capability, their willingness to expose it by publishing a drone feed from a year and a half ago suggests they may not have it anymore.

There does, of course, remain the possibility that the IRGC is bluffing, and that this data was obtained via other means. The U.S. does share intelligence with its allies, so it is also a feasible possibility this footage was obtained from them, rather than directly from the U.S.

However, with the limited information available, it is not possible to draw firm conclusions on how the IRGC actually obtained this footage.

Conclusion

This footage released by the IRGC appears to be genuine imagery from at least two separate UAVs taken around the same time, probably between 11 Jun 2016 and 26 Aug 2017. At least one of these UAVs appears to have been a Gray Eagle, which conducted a forced landing and was then destroyed, almost certainly to prevent it from falling into enemy hands. This is certainly not impossible: at least one French aircraft appears to have markings suggesting it destroyed a MALE UAV on operations in Iraq and Syria, although it cannot be established if it was involved in this particular incident.

This kind of release is embarrassing for the U.S., despite it being relatively old footage, however it may have been obtained. Even if the footage was obtained via an ally, it shows details of operations which could be sensitive, whether that be the data shown on screen, or the locations which depict easily identifiable sites which may have been operationally sensitive.

UPDATE: Twitter user @il_kanguru checked the crash location and, using imagery from Copernicus, identified that there is a distinct change where the crater is located between 09-16 Jul 2016, both supporting our analysis and narrowing down the likely window that this footage was filmed to a week:

Nick Waters

Nick is an ex-British Army officer and open source analyst. He has a special interest in the conflicts in Syria, as well as social media, civil society, intelligence and security. Contact via Twitter: @N_Waters89

14 Comments

  1. Supaman

    What made up my mind about this incident was actually when RT contacted the government and they said they were aware of the release of the videos and had nothing more to say. If this were simply a matter of the Iranians obtaining video that had been shared with other parties, I’m sure the response would have been different. All in all, there appear to be numerous incidents involving Iran and Iran alone, when it comes to our drones and Israeli drones. While I agree that them releasing these videos now would indicate that they no longer have access to those controls, it’s not comforting to know that our advanced systems are vulnerable to being compromised by a country that doesn’t have the necessary technological sophistication that we do.

    Reply
  2. Leonard J. Gauthier

    Seems to me Iran is receiving help from the Russians in hacking American drones…and that American army controllers and Iranian hackers/controllers may have struggled in cyberspace with one another to win control of this Grey Eagle…with control switching back and forth as both sides used various measures and counter measures…the code within the drone’s software finally getting all screwed up resulting in the drone crashing! And the nearest coalition aircraft to the crash site was French…and it was asked to destroy the drone…..?
    “Iranian” does not mean dumb! Remember, Iran is ancient Persia…the oldest country in the world! If anyone knows about cloak and dagger stuff and intrigue and conspiracy…and spying and using secret signals and codes…it’s the Iranians!

    Reply
  3. Gaius Baltaar

    The question is if Iran has/had this capability, what’s the strategic advantage in advertising it? Even if it was some vulnerability that got plugged and one they can no longer exploit, why publicize like this. I don’t get it.

    Reply
    • Jo

      If you want to deter an enemy from attacking you, your enemy needs to know that he will suffer if he attacks. The US has been at war with technologically hopeless enemies for a long time, it might be that Iran decided it would be both a good propaganda stunt as well as a deterrent to the US-public to let them know “those weapon systems you rely on so heavily to minimise your casualties? We can deal with those.” Would make even more sense if they already knew that the vulnerability had been found and patched and truly, it doesn’t matter. Any electronic system can be hacked, it’s just a matter of time.

      Reply
    • Gerhard

      Couldn’t better illustrate the level of sophistication of US adversaries…yawn.

      Anyway, propaganda value seems like the most viable explanation. Iran exhibits no physical evidence as in reported drone crash, but shows a feed of its forced landing. I don’t know about an aerial control battle. Russia is probably helping Iranians with their hacking, but let’s hope that this is just a last-gasp attempt for propaganda value from a long-since patched vulnerability in the feed’s encryption. That the report indicates it’s an Army drone makes sense..different systems with varying levels of encryption sophistication.

      To echo Jo’s point above, with enemies so hopeless they’ll trumpet any pitiful success, which this is. Congratulations Iran and Russia, you hacked one US Army drone’s feed once a few years ago. Next stop global domination.

      It’s like a sports team claiming a win when one of their fans manages to splash the opposing champion with one drop of water as they run into the locker room after a 500-0 blowout. Yeah, you sure showed them.

      It must kill Russia that they can’t openly celebrate their biggest disinformation victory ever..but imagine how effective US intelligence will be in retaliating when their president is not actively working for the enemy.

      Great job, Bellingcat! I wish more journalism were so succinct and incisive!

      Reply
  4. David

    If the US Army controls these drones in theater, perhaps their communications were hacked in situ and that’s their vulnerability in this instance. Or the US Army relied on backboning off an existing network that was monitored.

    Reply
  5. Michel de Geofroy

    Why show the world that it hacked into the feeds of the US drones

    1) they have lost the ability to hack into the feeds
    2) Propaganda for its own population
    3) show off factor

    Reply
  6. Wladimir K

    I don’t know why people trust this homepage. This is a fake homepage made by CIA. This homepage is financed by the Atlantic Council.

    Reply
    • Servus

      Interesting, do you have any evidence to substantiate your claim? Why would anybody trust your word?
      Your previous contributions created you a solid reputation but not exactly of trustworthiness.

      Reply
      • Jay Wiliams

        Who are you to say, with USA hypocrisy rampant. Why is USA in Middle East anyway? As true American conservative I say USA out of other countries affairs and time for freedom for Iran and Syria people. Once we are free of Ukrainian pressure after Trump scandal we follow Trump’s model of exit from Syria and allow Turkey and countries of Middle East to govern their own affairs.

        Reply
