A misconfigured Amazon Web Services server operated by the U.S. Army’s Intelligence and Security Command was publicly available on the open internet, according to findings by UpGuard researcher Chris Vickery.
The hard drive’s content, which included classified material belonging to the National Security Agency, was stored on an unprotected, unlisted server and contained information about an outdated Army intelligence sharing project codenamed “Red Disk.”
Red Disk is a defunct project that was previously spearheaded by INSCOM in order to improve one of the Army’s legacy platforms known as the distributed common ground system (DCGS). Red Disk was meant to act as a customizable cloud system for soldiers and other operators in the field to access, organize and share active reports regarding military activities, including information gathering efforts.
The publicly accessible files provide an overview of how Red Disk functioned and could have been deployed. Other confidential information stored on the disk image included a mention of applications used inside Red Disk as well as a series of private keys owned by a contractor that appear to have been used by the platform in order for the database to connect to other servers on the intelligence community’s own networks.
In practice, soldiers would have been able to log into Red Disk from laptops on the battlefield to view drone footage, confidential battle reports, satellite imagery and intercepted messages from adversaries that were fed into the system by defense and intelligence collection agencies like the NSA.
Although the Pentagon spent more than $90 million on the development and implementation of Red Disk, the system was never fully deployed in the field due to technical issues that hindered the rapid sharing of information.
Users often misconfigure or simply misunderstand certain settings when setting up AWS S3, which can result in sensitive information being published on the public internet.
Other U.S. military and intelligence outposts — such as U.S. Central Command, U.S. Pacific Command and the National Geospatial-Intelligence Agency — have made similar data storage mistakes that were also identified by Vickery. He has also found similar errors at Booz Allen Hamilton, Verizon, and Viacom.
Vickery notified the Department of Defense in October about the discovery of this open storage bucket. It’s not clear whether anyone besides Vickery accessed the files since they first came online.