Classified US Army Data Found Unprotected On AWS Server

Top secret army data found online after virtual image of hard disk was left on an AWS server

The US military is at the centre of another embarrassing data leak, after “critical data” belonging to the army was discovered online by researchers.

The data is deemed to be so sensitive that it is not even allowed to be shared with allies of the United States, but it was found on a virtual image of a hard disk left on an AWS server, all without password protection, so anyone with an internet connection could have found it.

And this is not the first time that this has happened. In September, for example, the CVs of thousands of former US military personnel, including hundreds with ‘Top Secret’ security clearances, were left available on an Amazon S3 cloud storage repository.


Red Disk Exposure

Around the same time (27th September 2017), UpGuard’s director of cyber risk research Chris Vickery also discovered an Amazon Web Services S3 cloud storage bucket configured for public access.

This bucket was set to allow anyone entering the URL to see the exposed bucket’s contents (over 90GB worth), and it contained 47 viewable files and folders in the main repository, three of which were also downloadable.

Vickery knew he had stumbled across a data leak when he saw that the subdomain name was INSCOM.

INSCOM is a joint intelligence command overseen by both the US Army and the NSA that is responsible for gathering intelligence for US military and political leaders.

“Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labelled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies,” blogged UpGuard’s cyber resilience analyst Dan O’Sullivan.

“The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System – Army (DCGS-A) as well as the platform’s troubled cloud auxiliary, codenamed ‘Red Disk’,” he added.

“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” wrote O’Sullivan.

“Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data,” he added.

“Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible,” O’Sullivan blogged.

Other Breaches

And this is not the first time that US military data has been exposed online.

In 2015, the US Army temporarily disabled its website, army.mil, following a hack by supporters of the Syrian government. And in June this year, US defence contractor Booz Allen Hamilton left sensitive government information related to an American military project on an unprotected server.

Booz Allen Hamilton had reportedly left more than 60,000 files, including security credentials and passwords to a government system containing sensitive information, on a publicly accessible Amazon server.

In March, thousands of confidential US Air Force documents were exposed online in a mass military leak through an unsecured internet-connected backup drive belonging to a lieutenant colonel.

Prior to that, WikiLeaks this year published thousands of classified documents belonging to the Central Intelligence Agency (CIA).
