The Pentagon Leaked Sensitive Military Emails via a Misconfigured Microsoft Azure Government Cloud

The U.S. Department of Defense inadvertently leaked thousands of sensitive military emails via a misconfigured email server on the Microsoft Azure government cloud. The cloud service hosts unclassified government data and is separate from the Azure commercial cloud services.

According to independent security researcher Anurag Sen, the exposed email server leaked three terabytes of U.S. Special Operations Command (USSOCOM) internal emails for two weeks. The military’s internal mailbox system was accessible without a password to anyone with a web browser, internet access, and knowledge of the IP address.

Tight-lipped Pentagon denies being hacked

When contacted, a U.S. Cyber Command spokesman refused to divulge more information citing “a matter of practice and operational security.”

However, he said that the Pentagon’s “defensive cyber operators proactively scan” and mitigate its networks.

“Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems,” he added. “Any information or insight is shared with relevant agencies and partners if appropriate.”

USSOCOM spokesperson Ken McGraw also said an ongoing investigation found no evidence that the military department was hacked.

Military emails leaked via Azure Government cloud had sensitive information

Describing the leaked military emails as “unclassified, commercially cloud-hosted data,” the Department of Defense said it was aware of the incident and that the exposed server on the Azure Government cloud had been removed from public reach.

Nevertheless, the Microsoft Azure government cloud exposed military emails with sensitive information, including a fully completed SF-86 questionnaire containing personal and health information required for security clearance. That information, which includes family information, foreign contacts, educational background, work history, living arrangements, psychological data, religious affiliation, Social Security Numbers, and addresses, would be invaluable to adversaries for targeting and infiltration. However, TechCrunch confirmed that the leaked military emails had no classified information.

It was unclear how the Azure Government cloud was exposed, but people familiar with the matter suggested human error was to blame.

Worryingly, neither Microsoft nor the Pentagon noticed that sensitive military emails were leaking to the internet via a misconfigured government cloud server for two weeks. No party has taken responsibility for the leak, which could compromise critical military assets and jeopardize special operations.

Such leaks will only increase as the Pentagon pushes more workloads to the government cloud.

“The cloud has made it easier than ever before to share data, but more digital data means more opportunity for cybercrime — period,” said Amit Shaked, CEO and co-founder of Laminar. “The cloud is designed to easily share information over the internet and is subject to human error mistakes as appears to be in this case, but in addition, organizations are able to quickly spin up data stores, especially in buckets or blob storage without IT or security being aware.”

In December 2022, the DoD cleared Microsoft, Google, Oracle, and Amazon Web Services to jointly bid for a $9 billion contract to build a more extensive government multi-vendor cloud infrastructure, the Joint Warfighting Cloud Capability (JWCC). Unlike its predecessor, the JEDI project, the joint multi-cloud contract would have each vendor bidding on individual tasks instead of the whole project.

Microsoft had independently won the $10 billion JEDI contract, but the DoD canceled it after Amazon challenged the award. Although individual bidders could still protest after losing task orders, the Department of Defense intends to avoid the endless legal challenges that could derail the whole project. Additionally, the Pentagon wants to maintain direct access to primary vendors while avoiding vendor lock-in, intermediaries, and resellers.

Microsoft, which plans to build the Azure Government Secret and Azure Government Top Secret clouds, could significantly suffer in the bidding process for failing to detect and prevent the leak.

The tech giant markets Defender for Cloud as “contextual security posture management” for Azure, AWS, and Google Cloud, capable of vulnerability scanning across workloads, identifying critical risks, and prioritizing security alerts and remediation. Despite the leak, the Redmond, Washington-based company describes itself as “ahead of the curve” and “in a strong position” to meet all JWCC requirements, with services built “on a foundation of cybersecurity.”

Although Microsoft may be partly to blame, a DoD cloud security compliance audit report found that every military branch failed to review commercial cloud services.

“Visibility into where companies’ data resides — and where it goes — is critical. Unfortunately, however, many companies don’t have a full picture of where sensitive data resides. This unknown or ‘shadow’ data is growing and a top concern for nearly all data security professionals,” Shaked added.