A big trove of top-secret files from an Army intelligence project was left on a public web server with no password protection, open to anyone who cared to look, the Silicon Valley firm UpGuard said Tuesday.
The exposed files included aspects of a classified battlefield intelligence platform, part of a failed $5 billion Army project to empower soldiers at war, codenamed Red Disk.
“How careless was it? Very careless,” said UpGuard’s director of cyber risk research, Chris Vickery, who made the discovery two months ago and notified the government, which secured the data. The company revealed the discovery Tuesday.
The trove included about 100 gigabytes from an Army project. Much of it was marked “TOP SECRET” and “NOFORN,” indicating it was not to be shared with foreign allies, Vickery said in a telephone interview.
The researcher found the downloadable secret files on a cloud site hosted by Amazon Web Services, a cloud-computing subsidiary of Amazon.com. Some of the files had been on the site since 2013, he said.
No password or username was required to access the files, he said.
The data cache contained material from the U.S. Army Intelligence and Security Command (INSCOM), a division of both the Army and the National Security Agency, UpGuard said in announcing the discovery. An NSA spokeswoman referred a reporter to INSCOM, which did not respond to phone and email queries.
A security researcher who once worked on cyber weapons at the NSA, Jake Williams, characterized the potential leak as major.
“Who is doing the security here? People need to be fired. Lots of them,” tweeted Williams, president of Rendition InfoSec, a cybersecurity firm based in Augusta, Georgia.
Whether potential adversaries downloaded the files is not known, but both Williams and UpGuard’s researcher said they believed the classified cache was likely compromised.
Vickery said anyone could have found the data who knew the usual structure of internet addresses for what are termed data buckets hosted by Amazon Web Services, simply preceding it with “inscom.”
“Come on, you’re telling me that our adversaries across the world would not have attempted to see if there was a bucket with that title? It’s hard to believe that they wouldn’t have looked,” Vickery said.
UpGuard said Vickery found 47 folders and files in the main repository, or bucket, of an area of Amazon Web Services holding the subdomain name “inscom.” They were contained in a virtual hard drive for a program named Red Disk, which fuses surveillance and reconnaissance data from satellite images and drones for soldiers fighting anywhere in the world.
One file provided instructions for “where to obtain additional Red Disk packages” and another offered “private keys used for accessing distributed intelligence systems,” perhaps by a now-defunct third-party contractor, Invertix, said UpGuard, headquartered in Mountain View, California.
All that was needed to provide limited protection to the data was to adjust the settings to give access only to authorized administrators, it said.
A series of leaks have dealt blows this year to several branches of the U.S. intelligence community and the Defense Department. One NSA contractor, Reality Winner, was arrested June 3 and charged with leaking an intelligence report about Russian meddling in the 2016 election to a news website. She faces up to nine years in prison.
The CIA also was hit with a leak of part of its cyber toolkit, which the radical transparency website WikiLeaks has been publishing in tranches since March.
Among those commenting on the discovery was Edward Snowden, the former NSA contractor who took exile in Moscow in 2013 after revealing sweeping NSA programs to collect telephone records of Americans and data on their browsing and email usage.
“The IC is broken,” Snowden tweeted, referring to the intelligence community.
UpGuard did not determine whether INSCOM operators or contractors working for Invertix failed to secure the cloud data cache. Amazon Web Services is not to blame as it requires clients to establish their privacy settings.
But UpGuard said failure by contractors to secure data is a “silent killer” for the defense establishment.
“The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike,” the firm said.