Classified U.S. Army and NSA files about an intelligence platform were left exposed on an Amazon S3 server by a contractor.

It doesn’t always require a whistleblower to leak classified NSA data, considering top secret files were stored on an Amazon Web Services (AWS) S3 bucket that was configured for public access. The server contained sensitive data belonging to the U.S. Army Intelligence and Security Command (INSCOM), which is a joint Army and NSA division.

The publicly accessible repository with classified data was discovered in September by Chris Vickery of UpGuard. It hasn’t even been two weeks since news broke of UpGuard finding unsecured Amazon S3 buckets for CENTCOM and PACOM, which contained dozens of terabytes of data about a military-sponsored web monitoring program. A third party working for the Pentagon was responsible for failing to secure the servers, which contained at least 1.8 billion scraped social media posts.

Classified information sitting unprotected online

This time around, Vickery discovered the misconfigured S3 bucket that would allow anyone entering the URL to view the repository located at the AWS subdomain “inscom”; it contained 47 viewable files and folders, three of which were freely downloadable.

According to UpGuard, “The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.” One of the files, an Oracle Virtual Appliance (.ova) file, contained a virtual hard drive image and a Linux-based operating system “likely used for receiving Defense Department data from a remote location.” The virtual hard drive reportedly contained “over 100 gigabytes of data from an Army intelligence project, codenamed ‘Red Disk.’”

Back in 2013, Red Disk was meant to be a “battlefield intelligence platform” that would aggregate data from the Army’s Distributed Common Ground System (DCGS-A), index data, videos and satellite imagery, making them searchable in real time. But it would crash, was slow and proved unreliable during the testing phase, which involved soldiers deployed in Afghanistan. After dumping at least $93 million into Red Disk, the Pentagon scrapped it in 2014.

While UpGuard noted that the virtual hard drive with six partitions and OS could be browsed, most of the data could not be accessed without connecting to Pentagon systems. Nevertheless, properties of the files on the virtual hard drive revealed technical configurations marked as “Top Secret”; other files were classified as “NOFORN,” which stands for no foreign nationals, meaning it wasn’t meant to be shared even with foreign allies.

Defense contractor Invertix used the S3 box

Metadata revealed that the box was used by the now-defunct third-party defense contractor Invertix. Private keys belonging to Invertix admins and used to access distributed intelligence systems, as well as hashed passwords, were also exposed.

The other downloadable files from the virtual disk were a ReadMe, which contained instructions about the contents of the .ova and information about where to get additional Red Disk packages, and a “training snapshot.”

The data contained in the bucket was not protected with a password — even though classified sections indicated “Top Secret” and “NOFORN” material.
The subdomain name of INSCOM for the bucket would make the value of the information clear to malicious actors or foreign intelligence services.

In the words of Dan O’Sullivan, another member of UpGuard’s Cyber Risk Team, “Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser.”

He called the risk from third-party vendors the “silent killer” for “cyber resilience.” In this case, the transfer of data to the contractor Invertix, which has now merged into a new corporation called Altamira Technologies, opened the Defense Department to the consequences of a breach even though the DoD did not have full oversight of how the data was handled.
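The article separates files that were viewable in the bucket listing from the three that were downloadable; in S3 those are distinct bucket-level and object-level permissions. The following offline check is an added example, not code from the article or from UpGuard: it assumes the exposure comes from ACL grants (the article does not say), and the key names and owner ID are constructed.

```python
# Added example: offline audit of S3 ACL documents (the "Grants" structure that
# get-bucket-acl / get-object-acl return). All sample data below is constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
READ = {"READ", "FULL_CONTROL"}
WRITE = {"WRITE", "FULL_CONTROL"}

def public_permissions(acl):
    """Return {audience: {permissions}} for grants made to public groups."""
    found = {}
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and audience:
            found.setdefault(audience, set()).add(g["Permission"])
    return found

def audit(bucket_acl, object_acls):
    """Separate 'can list the bucket' from 'can download a given object'."""
    bucket = public_permissions(bucket_acl)
    report = {
        # READ on a bucket lets the audience enumerate its keys.
        "listable_by": sorted(a for a, p in bucket.items() if p & READ),
        "writable_by": sorted(a for a, p in bucket.items() if p & WRITE),
        "downloadable": [],
    }
    for key, acl in sorted(object_acls.items()):
        # READ on an object lets the audience fetch its contents.
        if any(p & READ for p in public_permissions(acl).values()):
            report["downloadable"].append(key)
    return report

def public_grant(permission):
    return {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": permission}

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
         "Permission": "FULL_CONTROL"}
SAMPLE_BUCKET_ACL = {"Grants": [OWNER, public_grant("READ")]}
SAMPLE_OBJECT_ACLS = {  # constructed keys: two public, one owner-only
    "appliance.ova": {"Grants": [OWNER, public_grant("READ")]},
    "README.txt": {"Grants": [OWNER, public_grant("READ")]},
    "internal/notes.txt": {"Grants": [OWNER]},
}

if __name__ == "__main__":
    print(audit(SAMPLE_BUCKET_ACL, SAMPLE_OBJECT_ACLS))
```

ACLs are only one path to public access; bucket policies need the same review.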