Tens of gigabytes of files apparently belonging to the United States Army Intelligence and Security Command (INSCOM), including classified information, were stored in an unprotected AWS S3 bucket, cyber resilience firm UpGuard reported on Tuesday.
According to the company, its director of cyber risk research, Chris Vickery, discovered the data on an AWS subdomain named “inscom” in late September.
Fort Belvoir, Virginia-based INSCOM is an intelligence command operated by both the U.S. Army and the National Security Agency (NSA).
The AWS storage container found by UpGuard included, among others, a virtual machine image that may have been used to send, receive and handle classified data. Some of the files contained in the VM were marked as “Top Secret” and “NOFORN,” which indicates that the information cannot be shared with foreign nationals.
Metadata found by researchers indicated that a now-defunct defense contractor named Invertix had worked in some capacity on the data stored in the virtual machine. The files in the bucket also included Invertix private keys and other data that could have provided access to the contractor’s internal systems, UpGuard said.
The exposed files also included information on a failed Army program named “Red Disk.” The $93 million program, designed to allow troops to exchange information in real time, was a cloud computing component of the Distributed Common Ground System–Army (DCGS-A) intelligence platform. The misconfigured container also stored details on the DCGS-A itself.
“Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser,” said UpGuard’s Dan O’Sullivan.
“It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as ‘Top Secret’ and ‘NOFORN’ provide all the indications necessary to determine how seriously this data was taken by the Defense Department,” he added.
INSCOM has not responded to SecurityWeek’s request for comment. The data is no longer accessible, but it’s still unclear who is responsible for exposing it.
This is not the first time UpGuard claims to have found data belonging to the Pentagon and other U.S. government organizations. The list of impacted agencies includes the National Geospatial-Intelligence Agency (NGA), the Central Command (CENTCOM) and the Pacific Command (PACOM), the Secret Service, and the Department of Homeland Security (DHS).
The common denominator in these incidents were unprotected S3 buckets operated by third-party contractors.
UPDATE. INSCOM has provided the following statement to SecurityWeek:
The U.S. Army is aware of reports claiming data was found on a third-party data server. We are investigating the matter and are unable to provide any additional information at this time.
It is important to stress that an Army network was not breached. The Army is always actively trying to strengthen its cyberspace posture and the responsible handling of sensitive information related to military programs.
Related: AWS Bucket Leaks Viacom Critical Data
Related: Accenture Exposed Data via Unprotected Cloud Storage Bucket
