A trove of US military data, described by security researchers as being “highly sensitive,” was reportedly unearthed on a publicly accessible Amazon server two months ago. The data apparently lacked even the basic protection offered by a password.
The leak, a portion of which is said to have exposed internal data and virtual systems pertaining to “classified communications,” includes roughly 100 gigabytes of information allegedly tied to a failed Army intelligence project, codenamed “Red Disk.”
Researchers say the breach further exposed the private keys of a former intelligence contractor—Invertix, now called Altamira Technologies—which specializes in surveillance and reconnaissance.
UpGuard, the cybersecurity firm that publicly disclosed the breach Tuesday morning, has attributed the leaked data to the US Army Intelligence and Security Command (INSCOM).
The military unit, which reports directly to the Army Deputy Chief of Staff for Intelligence, provides an array of intelligence-gathering capabilities, including the interception and analysis of communications and electronic signals, and conducts information and electronic warfare worldwide.
INSCOM is headquartered at Ft. Belvoir in Northern Virginia, which reportedly houses a garrison roughly twice the size of the Pentagon’s 23,000 staff.
At time of writing, Gizmodo had not independently confirmed the breach. UpGuard has previously disclosed dozens of data breaches, including some that reference classified information, as well as breaches involving private military and intelligence contractors.
An official at the INSCOM operations center in Virginia would neither confirm nor deny knowledge of a breach by phone. When asked for an email address in case Gizmodo had additional questions, the official declined to provide one, said “thank you,” and promptly hung up.
According to UpGuard, a virtual hard drive and Linux-based operating system were discovered on the leaky server, and though the researchers seemed unaware of its exact purpose, the company speculated it may be used to remotely access Defense Department data.
Some of the files contained configurations marked “Top Secret,” the highest level of classification in the US government, as well as “NOFORN,” which indicates sensitive material not to be shared with foreign nationals.
The purpose of the Red Disk project, to which most of the leaked data reportedly pertains, was to lend cloud computing capabilities to a US military intelligence network known as the Distributed Common Ground System (DCGS), with the purpose of allowing troops virtually anywhere in the world to access and exchange intelligence in real time.
Amazon Web Services storage servers have been involved in countless data breaches reported this year, though Amazon itself is hardly to blame. The servers leaking confidential data are typically misconfigured by the clients. Earlier this month, the company rolled out several new security features, including default encryption, with the hopes of keeping its customers safe—mostly from themselves, apparently.