Explained: The funny yet shocking story of leaked Pentagon mails to Mali


In what comes as another embarrassing moment for the Pentagon and the US government, millions of military emails were directed to the West African nation of Mali, over the course of a decade, despite multiple warnings – exposing highly sensitive information to a Russian ally. 

The error stems from a small confusion over domain naming, and the culprit is a missing letter, ‘I’. Instead of typing “.MIL”, the suffix of all military email addresses, the officers typed “.ML”, which is the country identifier for Mali. The mistake was overlooked and resulted in a steady flow of sensitive emails being sent to “.ML” domain inboxes.

According to various media reports, the messages shared range from tax returns to medical reports to diplomatic documents to official travel arrangements for top officers to highly sensitive passwords. 

No attention was paid to warnings 

Experts said even if the data was unclassified, the sustained access meant that intelligence could be generated by joining the dots. 

What’s more concerning in the entire fiasco is that the US government received multiple warnings about the breach and yet did nothing to resolve the issue.

The first instance of such a data leak was reported almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who had the contract to manage Mali’s country domain, the Financial Times (FT) newspaper reported.

The risk of data landing in the wrong hands was exacerbated when Zuurbier’s contract expired and the domain reverted to the Malian government.

The Amsterdam-based entrepreneur approached US officials repeatedly, including through a defence attaché in Mali, a senior adviser to the US national cyber security service, and even White House officials.

“This risk is real and could be exploited by adversaries of the US,” he wrote in a letter to the US government officials.  

Zuurbier claims that, between January this year and the expiry of his contract, he collected close to 117,000 misdirected messages that were sent to the wrong domain.

One email that was misdirected to Mali this year included the travel plans for General James McConville, the chief of staff of the US Army, and his delegation for a then-forthcoming visit to Indonesia in May.

“The Department of Defence is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously,” the Pentagon said. 

Lt. Commander Tim Gorman, a spokesman for the Pentagon, added that mails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.
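The kind of outbound check the spokesman describes can be sketched as follows. This is an added example, not the Pentagon's implementation or code from the original report: it holds any recipient whose top-level domain is one typing slip away from a protected suffix and suggests the likely intended address. The function names, the `PROTECTED_TLDS` set and the sample addresses are assumptions made for illustration.

```python
from email.utils import getaddresses

# Assumption: suffixes the sending organisation's own addresses end in.
PROTECTED_TLDS = {"mil"}


def is_one_edit_apart(a: str, b: str) -> bool:
    """True if one insert, delete, substitution or adjacent swap turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # keep a as the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # skip the common prefix
    if len(a) < len(b):
        return a[i:] == b[i + 1:]  # one character dropped: "ml" vs "mil"
    swapped = a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:]
    return a[i + 1:] == b[i + 1:] or swapped


def check_recipients(header_value: str) -> list[dict]:
    """Return a hold decision for each recipient whose TLD is a near miss."""
    findings = []
    for _name, addr in getaddresses([header_value]):
        local, _, domain = addr.rpartition("@")
        if not local or not domain:
            continue  # not a usable address
        labels = domain.lower().rstrip(".").split(".")
        for protected in sorted(PROTECTED_TLDS):
            if is_one_edit_apart(labels[-1], protected):
                fixed = ".".join(labels[:-1] + [protected])
                findings.append({
                    "recipient": addr,
                    "action": "hold-and-notify-sender",
                    "did_you_mean": f"{local}@{fixed}",
                })
    return findings


if __name__ == "__main__":
    # Constructed header value; the domains are placeholders, not real units.
    to_header = ("Jane Doe <jane.doe@unit.example.ml>, "
                 "ops@unit.example.mil, travel@example.com")
    for finding in check_recipients(to_header):
        print(finding)
```

A check like this also holds legitimate mail to Malian addresses, which is why the described control asks the sender to validate the recipient rather than silently dropping the message.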

Teixeira allegedly leaked the sensitive documents in a chatroom for gamers, Thug Shaker Central, on Discord, an instant messaging platform, primarily used by the gaming community. According to reports, Teixeira leaked highly sensitive information, including details about troop movement in Russia’s war with Ukraine. 

Teixeira said in the chat group that he was able to access the documents because he worked on a “military base”. The accused was referring to the 102nd Intelligence Wing at Otis Air National Guard Base where he was assigned the task to manage and troubleshoot computers and communications systems for the Air Force. 

Incidentally, Teixeira had been leaking the classified documents for several months but it was only earlier this year that the US authorities became aware of such a breach. After US media carried the reports, a manhunt was launched to nab the mole. 

Mailbox leak after misconfiguration

Similarly, in February, reports claimed that for a full two weeks, an exposed server belonging to the defence department spilt internal military emails to the open internet before being fixed. 

The said server was hosted by tech giant Microsoft on its Azure government cloud for Department of Defence customers. These servers are physically separated from the commercial customers and as such can be used to share sensitive but unclassified government data.

The exposed mailbox server carried three terabytes of internal military emails, belonging to the US Special Operations Command, or USSOCOM, the US military unit tasked with conducting special military operations. Investigations found that a misconfiguration had left the server without any password, allowing anyone with internet access to peer through the sensitive mailbox data, just by knowing the IP address. 


