I don’t know where you read this news, but according to these two sources, it turns out that you yourself invented most of what was written in the question, and everything is much simpler:
gtlaunch.ru/hackeryi-iz-anonsec-ugnali-u-nasa-bespi.. .
https://xakep.ru/2016/02/02/anonsec-nasa-leak/
So, let's look:
Well, i.e. they didn't even buy the exploit. Even if they bought it - well, a private exploit is a common thing.
We fixed ourselves on one machine, began to scan everything available on the internal network from it - a simple and logical action. root:root is of course a complete fail, and you can say good luck for AnonSec, but in principle it is not so surprising and unbelievable.
We got access to the NAS (root:root again, or logged in from a trusted machine, or collected passwords of different users and some one approached the NAS), were able to upload our files. Here it is filled.
I'm not saying that a schoolboy would have coped with all this, but where do you see anything about hacking the firmware here? And yes, about "closed data":
A few months, Carl! Even if serious documents are stored on another network with a more secure perimeter, during this time they could slip through on someone's work machines or on internal servers.
And no one will write a new OS for each drone. And for NASA servers, too, no one will write a new OS. The drone will have some kind of embedded distribution, on the servers, well, let's say some old-school UNIX (AIX / HP-UX / etc), and on the new ones there will be Linux.
Well, you won't find software, but the gpx format is very widely known.
In general, read carefully, I don’t understand at all how what you said relates to the content of the article.