Has Iran Been Hacking U.S. Drones?

Iran says it can hack American drones operating in the Middle East and take control of them — and it has released a video purporting to back up its claims. 

Back in February 2019, Iran’s semi-official Fars News claimed that the Islamic Revolutionary Guard Corps (IRGC) intercepted the broadcasts of U.S. UAVs above Iraq and Syria by “penetrating into the U.S. Command Center.” Brig Gen Amir Ali Hajizadeh, the commander of the IRGC Aerospace Force claimed that, “Seven to eight drones that had constant flights over Syria and Iraq were brought under our control and their intel was monitored by us.”

Fars published footage of a purported UAV feed showing what appeared to be a surveillance mission, followed by a UAV crash-landing, and then a UAV being destroyed by an airstrike. 

This has happened before. In 2008, the U.S. military discovered that insurgents in Iraq, likely aided by Iran, were intercepting the unencrypted feeds of U.S. drones. Encrypting the entire fleet of Predator and Reaper drones likely took until 2014 to complete. The capture of a stealthy American RQ-170 Sentinel UAV in 2011 was a further embarrassment for the U.S. drone force, although there is controversy over whether Iran was actually responsible for downing it.

We have geolocated the areas depicted in this footage and found they do indeed show an area in Iraq. We can also identify a time period, and locate the precise place where this UAV was destroyed.

The spokesman for the Combined Joint Task Force — Operation Inherent Resolve declined to comment on this matter, only stating that “Queries pertaining to UAV footage is a National Security Concern.”

Footage

The footage is split into three distinct segments.

The first segment shows several different locations, including individual buildings, vehicles and people from the viewpoint of what appears to be a UAV. 

The second segment shows the apparent viewpoint of a UAV as it conducts a landing on unprepared ground, indicating it was an emergency landing. 

The third segment depicts what seems to be a damaged and overturned Medium Altitude Long Endurance (MALE) UAV from the viewpoint of another aircraft, likely another UAV. The overturned UAV is then destroyed by an explosion. 

It should be noted that the footage itself is heavily edited. It has had multiple cuts, has been sped up and has had a Fars News watermark added. The segment that shows that the overturned UAV has had parts of the feed obscured. There does not appear to be any way to confirm that the footage all depicts the same incident, however, as we will see, the locations depicted are all within the vicinity of Haditha, implying that footage may have been taken from the same mission.

Verification

The feed layout itself matches those of Predator or Reaper drones, and the locations depicted in the drone feed can be identified relatively easily. Due to the feed being unredacted, information about the location of both the UAV and its target is available in Military Grid Reference System (MGRS) format. That data, converted into longitude and latitude, places the vehicle in Western Iraq.  

MGRS data within the feed

The aircraft’s position denoted by the coordinates in the video matches the satellite imagery for those locations. The only location it was not possible to match using this method is the final location with the overturned UAV.

Location 1: 34.301521, 42.41061 (Satellite imagery courtesy of Bing/Microsoft)

Location 2: 34.302333, 42.412188 (Satellite imagery courtesy of Bing/Microsoft)

Location 3: 34.36427, 42.33554 (Satellite imagery courtesy of Bing/Microsoft)

Location 4: 34.33160, 42.41564 (Satellite imagery courtesy of Bing/Microsoft)

Location 5: 34.37590, 42.27343 (Satellite imagery courtesy of Bing/Microsoft)

Below is s map showing identified locations from this feed, including the crash site to the southwest of Haditha city.

Identified locations depicted in drone feed footage (satellite imagery courtesy of Google/CNES/Airbus/Landsat/Copernicus/DigitalGlobe)

Dating

By examining the locations as depicted in detail, we can identify that at least some of this footage was filmed between 21 April 2016 and 18 July 2018. This can be established by examining damage to the building at Location 3. By using the satellite preview service TerraServer, we can see that the hole in the roof at Location 3 (marked in red below) did not appear until after 21 April 2016.  

Note the hole in the roof, marked by the red square

On TerraServer, it is also possible to see that the section marked in red in the image below was knocked down by 18 Jul 2018. In the drone footage, the building is complete, indicating it was taken before the 18 Jul 2018.

Note the area marked by the red square.

Therefore, if this footage was indeed from a single mission, it was taken between 21 April 2016 and 18 July 2018.

We can further narrow down this window by locating the site of the landing and review satellite imagery to see if or when a crater appears where the crashed UAV was destroyed. We can locate the crash site by looking at the final frame of the footage showing the landing. The MGRS coordinates in that frame pinpoint the UAV to a place immediately to the north of an earth rampart.

Last known location of UAV (satellite image courtesy of Bing/Microsoft)

By looking at previous coordinates in the feed, we know that the UAV was proceeding in a southerly direction, so it makes sense to look immediately to the south of the last known location. 

Sure enough, approximately 150 meters to the south of the last known location we find an area that matches the images of the crash site recorded by the second UAV. The longitude displayed on the feed of this second UAV also matches, although the latitude is obscured. 

Using satellite imagery of this location we can see that a crater appears between 11 Jun 2016 and 26 Aug 2017 at the exact location the UAV crashed, likely the result of the strike depicted in the last segment of the video. This further narrows down the window of time in which this footage was likely filmed, down to the 14 months between 11 Jun 2016 — 26 Aug 2017.

Middle: satellite imagery of this location taken on 26 Aug 2017. Top and Bottom: stills from drone feed. The blue circle marks where the drone came to rest and where there is now a crater.

What Kind Of UAV?

Although we cannot be absolutely sure what kind of UAV this footage comes from, the depiction of the damaged UAV and its location make it extremely likely it is the same one which we see conducting a forced landing. Although the feed resolution is not high definition, we can make out certain details on the UAV which appear to match a Gray Eagle UAV, which is distinct from a Predator or Reaper.

In the footage we can see the landing gears of the UAV, showing that it has overturned. We can also see several distinct shapes along the wings, including two weapons pylons per wing, and several smaller fins. To the author’s knowledge, the only UAV which matches these features is a Grey Eagle UAV. The two weapons pylons per wing rule out a Predator, while the four small fins under each wing appear to be unique to the Grey Eagle.

Matching the drone (Source right)

It should be noted that the Grey Eagle is used by the U.S. Army, rather than the U.S. Air Force or CIA. Unlike most CIA and USAF MALE UAVs, the Grey Eagle is usually controlled in theatre, rather than from a control station in the United States. This may mean that the Grey Eagle network may have had a vulnerability that is not present in USAF or CIA UAVs.

Analysis

Given the details above, it appears that although this footage is old, it is unlikely to have been faked. This, of course, begs the question of how the IRGC obtained it. 

The claim that the IRGC brought these drones under control, as opposed to only monitoring their communications, does not appear to be supported by this video. If the IRGC wished to incapacitate a drone, they could have crashed it far more catastrophically than the forced landing which we see depicted. Indeed, they could have attempted to fly the drone to territory controlled by Iran. That said, the IRGC monitoring the feeds of U.S. drones is still notable. 

The IRGC specifically claimed to have infiltrated a “U.S. Command Center” rather than to have simply intercepted the UAVs data link. Without further information from Iran, or intimate knowledge about how the Grey Eagle network works, it is difficult to assess this possibility. If the IRGC did have this capability, their willingness to expose it by publishing a drone feed from a year-and-a-half-ago suggests they may not have it anymore.

There does, of course, remain the possibility that the IRGC is bluffing, and that this data was obtained via other means. The U.S. does share intelligence with its allies, so it is also a feasible possibility this footage was obtained from them, rather than directly from the U.S.

However, with the limited information available, it is not possible to draw firm conclusions on how the IRGC actually obtained this footage.

Conclusion

This footage released by the IRGC appears to be genuine imagery from at least two separate UAVs taken around the same time, probably between 11 Jun 2016 — 26 Aug 2017. At least one of these UAVs appears to have been a Grey Eagle, which conducted a forced landing and was then destroyed, almost certainly to prevent it from falling into enemy hands. This is certainly not impossible: at least one French aircraft appears to have markings suggesting it destroyed a MALE UAV on operations in Iraq and Syria, although it cannot be established if it was involved in this particular incident. 

This kind of release is embarrassing for the U.S., despite it being relatively old footage, however it may have been obtained. Even if the footage was obtained via an ally, it shows details of operations which could be sensitive, whether that be the data shown on screen, or the locations which depict easily identifiable sites which may have been operationally sensitive.

UPDATE: Twitter user @il_kanguru checked the crash location and, using imagery from Copernicus, identified that there is a distinct change where the crater is located between 09-16 Jul 2016, both supporting our analysis and narrowing down the likely window that this footage was filmed to a week: