Cloud Storage Error to Blame for Massive Pentagon Data Breach


The Pentagon is leaking data all over the place, including details of a massive, global, social media-based surveillance program. This is according to the cyber risk team at UpGuard, who said recently that critical data from the United States Army Intelligence and Security Command (INSCOM), a joint US Army and National Security Agency command, has leaked to the public internet.

UpGuard says the leak exposed internal data and virtual systems used for classified communications to anyone with an Internet connection. INSCOM has scored very poorly on the CSTAR cyber risk measurement, with only 589 out of a maximum of 950. Its web presence has some serious gaps within its overall cybersecurity profile, exemplified by the presence of classified data on a publicly accessible data repository.

Among the downloadable assets on offer was a virtual hard drive used for communications within secure federal IT environments. It contains data classified as NOFORN – meaning it’s too secret to distribute to foreign allies. The exposed data also included details of the Defense Department’s battlefield intelligence program.

The breach in routine data security is just the latest in a series from the Pentagon, including issues with the US Central Command, US Pacific Command and the National Geospatial Intelligence Agency.

UpGuard Director of Cyber Risk Research Chris Vickery first discovered the breach on Amazon Web Services cloud storage configured for public access. It contained 47 viewable files, including three that could be downloaded. It was registered under a domain called “inscom” – indicating the possible Pentagon provenance.

The largest file was an Oracle Virtual Appliance (.ova) file which, when loaded into VirtualBox, was revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location.

“The properties of files revealed in this hard drive contain areas and technical configurations clearly marked as ‘Top Secret’ as well as the additional intelligence classification NOFORN,” UpGuard says.

UpGuard claims this is the first time that clearly classified information has been among the exposed data. Previous failures involved data that was not as obviously labelled as secret. The firm speculates that the issue probably arose from process errors within the Pentagon’s IT environment and that the procedures needed to secure it would have been simple.

An earlier breach included the leak of a massive amount of data that was gleaned via Department of Defense intelligence-gathering operations. This included 1.8 billion posts of scraped Internet content going back over eight years. A cursory examination of the data revealed loose correlations with regional US security concerns, including posts concerning Iraqi and Pakistani politics.

Key Takeaways

  • Misconfigurations of this kind are a constant issue because they can arise in the IT infrastructure of any enterprise.
  • No hacker is necessary for massive damage to be inflicted. Gartner estimates that 70-99% of data breaches result not from external, concerted attacks but from internal misconfigurations.
  • Indications from some of the metadata obtained by UpGuard showed that the box was worked on by administrators at Invertix, a known INSCOM partner that is now defunct. This included hashed passwords which, if still valid and cracked, could be used to access further internal systems.
  • Based in California, UpGuard specializes in helping enterprises keep their data secure. It counts NASA, ICE and the New York Stock Exchange among its customers.
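The exposure described above came down to cloud storage that was configured for public access. The following added example (not code from UpGuard or from this article) shows the three places a defender checks on an S3 bucket for that condition: the bucket ACL, the bucket policy, and the account/bucket Public Access Block settings. The data structures mirror what boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return, but every bucket name, grant, principal and policy below is constructed for illustration; the helper names (`public_acl_grants`, `public_policy_statements`, `audit_bucket`) are this example's own. A weak configuration is shown beside a hardened one.

```python
import json

# Grantee URIs that make an ACL grant world-readable (real AWS global group URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that let an anonymous caller list the bucket or fetch objects.
READ_ACTIONS = {"*", "s3:*", "s3:GetObject", "s3:ListBucket"}


def public_acl_grants(grants):
    """Return ACL grants that give READ or FULL_CONTROL to an AWS global group
    (same shape as the 'Grants' list from boto3's get_bucket_acl)."""
    return [
        g for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
        and g.get("Permission") in READ_PERMISSIONS
    ]


def _wildcard_principal(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements granting read actions to a wildcard principal.
    A Condition block may still scope the grant, so each finding records
    whether the statement is unconditional (the clearly public case)."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        hit = READ_ACTIONS.intersection(actions)
        if hit:
            findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                             "actions": sorted(hit),
                             "unconditional": "Condition" not in stmt})
    return findings


def public_access_blocked(pab):
    """True only when all four S3 Public Access Block settings are enabled."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


def audit_bucket(name, grants, policy, pab):
    """Combine the three checks into one verdict for a bucket."""
    acl_hits = public_acl_grants(grants)
    policy_hits = public_policy_statements(policy)
    blocked = public_access_blocked(pab)
    # With all four block settings on, public ACLs are ignored and public
    # policies are rejected, so anonymous access is not possible.
    exposed = (not blocked) and (bool(acl_hits) or any(h["unconditional"] for h in policy_hits))
    return {"bucket": name, "public": exposed, "acl_findings": acl_hits,
            "policy_findings": policy_hits, "public_access_block": blocked}


# Constructed samples for illustration; not data from the UpGuard report.
WEAK_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-constructed"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket-constructed",
                 "arn:aws:s3:::example-bucket-constructed/*"]}]}
WEAK_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

# Hardened: owner-only ACL, policy scoped to one IAM role, all block settings on.
HARDENED_GRANTS = [WEAK_GRANTS[0]]
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IngestRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ingest-role-constructed"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket-constructed/*"}]}
HARDENED_PAB = {k: True for k in WEAK_PAB}

if __name__ == "__main__":
    for args in (("weak", WEAK_GRANTS, WEAK_POLICY, WEAK_PAB),
                 ("hardened", HARDENED_GRANTS, HARDENED_POLICY, HARDENED_PAB)):
        print(json.dumps(audit_bucket(*args), indent=2))
```

In practice the same functions would be fed the live ACL, policy and Public Access Block of every bucket in an account on a schedule; a `public` verdict of true on any bucket is the condition that, in the case above, let classified material sit on the open internet.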