Highly sensitive, classified data belonging to a joint US Army and NSA division was left freely exposed online in a massive data breach. Over 100GB of US Army intelligence data pertaining to a project codenamed "Red Disk" was part of the information that was left exposed to the public. The data belongs to the US Army's Intelligence and Security Command, known as INSCOM – the joint US Army-NSA division.
The data was left exposed because of an unsecured Amazon cloud storage server. According to security researchers at UpGuard, who uncovered the breach, the Amazon S3 bucket that stored the sensitive data was left completely unprotected – without a password and open to be downloaded by anyone.
The data leak was discovered by UpGuard's director of cyber risk research Chris Vickery on 27 September.
Vickery told IBTimes UK that the exposed database was "uploaded in 2013" but could theoretically have been "switched" to public accessibility at any time. "There's a chance that it was exposed for years," he said.
When asked about the possibility of malicious hackers having also found and accessed the exposed data, Vickery responded by saying, "I would be surprised if no one else found this. The simple bucket name ("inscom") makes it likely that someone else would have come across it. Six characters is not a difficult combination to come across even if you are simply using random chance."
What information was exposed?
The exposed S3 bucket contained 47 "viewable" files, three of which were downloadable. The three downloadable files exposed national security data, some of which were "explicitly classified".
"Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labelled NOFORN – a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog. "The exposed data also reveals sensitive details concerning the Defense Department's battlefield intelligence platform, the Distributed Common Ground System – Army (DCGS-A) as well as the platform's troubled cloud auxiliary, codenamed 'Red Disk'."
The largest exposed file contained a virtual hard disk and a Linux-based OS (operating system) that revealed "top secret" technical configurations, as well as additional intelligence information. UpGuard researchers said that private keys used to access intelligence systems and hashed passwords were also left publicly exposed. These, if accessed by malicious hackers, "could be used to further access internal systems".
What is Red Disk?
Red Disk is the Pentagon's 'distressed' cloud-based intelligence sharing system. ZDNet reported that Red Disk was created to complement the US Army's legacy intelligence, surveillance and reconnaissance-sharing platform – the Distributed Common Ground System (DCGS).
Red Disk was reportedly slated to be an effective way for the Pentagon to communicate with deployed soldiers in Afghanistan, share intelligence data such as providing satellite photos, videos from drones, and more. However, the system was reportedly slow, difficult to use and would crash often. ZDNet reported that Red Disk was never completely deployed and has since been considered a failure.
"Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser," UpGuard's O'Sullivan said.
"Regrettably, this cloud leak was entirely avoidable," O'Sullivan added. "Given how simple the immediate solution to such an ill-conceived configuration is – simply update the S3 bucket's permission settings to only allow authorised administrators access – the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?"
ZDNet reported that Vickery alerted the government about the breach in October and that the S3 server was eventually secured. Vickery told us that it took "approximately six days" to secure the leaky S3 server.
However, it remains unclear as to how long the US Army's S3 bucket remained publicly exposed before it was discovered and secured. It is also uncertain whether the exposed data was accessed by any malicious entities.
"The news about US Army intelligence data being leaked through a misconfigured AWS S3 storage bucket, while alarming, is not surprising. More than half (53%) of organisations have accidentally exposed cloud storage services, including the information they contain, to the general public due to simple configuration errors," Varun Badhwar, CEO & co-founder of cloud threat defence company RedLock told IBTimes UK.
"Unless organisations take a serious and holistic approach to this, the problem will continue to get worse."
Update: This article has been updated to include the comments of UpGuard security researcher Chris Vickery, who discovered the breach.