After uncovering a massive trove of social media-based intelligence left on multiple Amazon Web Services S3 storage buckets by a Defense Department contractor, the cloud security firm UpGuard has disclosed yet another major cloud storage breach of sensitive intelligence information. This time, the data exposed includes highly classified data and software associated with the Distributed Common Ground System-Army (DCGS-A), an intelligence distribution platform that DOD has spent billions to develop. Specifically, the breach involves software for a cloud-based component of DCGS-A called "Red Disk."

The Red Disk system was developed under an "urgent operational need" program aimed at delivering intelligence to troops with tablets and laptop computers on the ground in Afghanistan via a cloud computing architecture. The initiative was never fully deployed—and it slowly became a symbol of how defense contractors were mining emergency war funds from the military. DCGS-A continues to be expanded and deployed by the Army after more than a decade of continuous development.

UpGuard's director of cyber risk research, Chris Vickery, discovered the publicly accessible S3 storage "bucket" on September 27 at the AWS subdomain "inscom," that is, a bucket named inscom reachable as inscom.s3.amazonaws.com. INSCOM is the US Army's Intelligence and Security Command, the Army's internal operational intelligence branch based at Fort Belvoir in Virginia. INSCOM is also integrated into the National Security Agency's Central Security Service, connecting the Army's signals intelligence operations to the NSA.

The public bucket was accessible via the Web and had "47 viewable files and folders in the main repository, three of which were also downloadable," UpGuard reported in a blog post today. The distinction matters: in S3, listing a bucket's contents (s3:ListBucket) and reading the objects inside it (s3:GetObject) are separate permissions, so a bucket whose listing is public does not automatically make every object downloadable, and vice versa. The largest downloadable file was an Open Virtual Appliance file named "ssdev.ova," which contained a virtual hard drive and configuration data for a Red Hat Linux-based virtual machine. "While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems—an intrusion that malicious actors could have attempted had they found this bucket," UpGuard's research team noted.

Still, the contents of the virtual hard drive itself were highly sensitive. Some of the files were marked as "Top Secret/NOFORN," meaning that they were not to be shared even with US allies. Metadata on the virtual drive shows that "the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner." The drive also held credentials belonging to Invertix system administrators: hashed passwords and private keys used for accessing DCGS. Hashed passwords are not directly usable, but an offline cracking attempt against them costs an attacker nothing, and private keys need no cracking at all.

A screenshot of the directory list for the virtual drive also shows that the virtual appliance is configured with client code for Apache Accumulo, the key-value data store with cell-level security originally developed by the NSA (it's based on Google's BigTable). Other items on the virtual drive's partition suggest that the .ova was for an operator training virtual machine, including what appears to be training system software from the UK-based defense software company SyntheSys.


Other items accessible for download include a "ReadMe" document with instructions on how to use the .ova file and the location of other Red Disk installation packages, and a Java .jar file that "appears to constitute a training snapshot for labeling and categorizing classified information, as well as assigning such data to 'regions,'" UpGuard noted. Together, the ReadMe and the training package would give an adversary a guided tour of how the virtual appliance is used to access and analyze data, even before any connection to the back-end systems was attempted.

The mishandling of sensitive information in the cloud by military contractors has been an ever-expanding problem for the DOD and NSA. In September, UpGuard alerted DOD contractor TigerSwan that a former recruiting vendor had left the resumes of job applicants—including their security clearance data—in a misconfigured S3 storage bucket. And earlier this month, UpGuard revealed that VendorX, a company that provides a "multilingual social analytics platform" called Outpost to the DOD and Intelligence community, had left several S3 buckets with social media clippings publicly accessible.

In each of these cases, the leaks were caused by simple misconfiguration of access permissions on the S3 buckets themselves, not by any flaw in AWS. And as UpGuard's researchers noted, these problems are likely indicative of a much broader process issue among both government contractors and agencies themselves. "Given how simple the immediate solution to such an ill-conceived configuration is—simply update the S3 bucket's permission settings to only allow authorized administrators access—the real question is, 'how can government agencies keep track of all their data and ensure they are correctly configured and secured?'" researchers wrote.
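The "keeping track" problem is largely a question of auditing bucket ACLs and bucket policies for grants to everyone. Below is an added example, written for this article and not code from UpGuard, INSCOM or any of the contractors named, showing what such a check looks like. The ACL, bucket policy and Block Public Access documents it inspects are constructed inline (the bucket name "example-bucket", the account ID and the role ARN are placeholders) so that it runs offline; in real use they would come from the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls. The sample is deliberately shaped like the bucket described above: listing is public, while only objects under one prefix are readable by anyone. Block Public Access is the bucket- and account-level kill switch AWS added after these incidents; the hardened form has all four switches on.

```python
"""Audit S3 bucket ACLs and bucket policies for grants to the public.

Added example (not UpGuard's or the Army's code). All documents below are
constructed samples; "example-bucket", the account ID and the role ARN are
placeholders.
"""
import fnmatch
import json

# Grantee URIs that make an ACL grant public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # anyone, unauthenticated
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}


def acl_public_permissions(acl):
    """Return ACL permissions granted to AllUsers/AuthenticatedUsers.

    On a *bucket* ACL, READ means 'list the bucket'; it does not by itself make
    the objects downloadable (object reads are governed by object ACLs or policy).
    """
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.add(grant["Permission"])
    return perms


def _principal_is_wildcard(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def policy_public_statements(policy):
    """Return (actions, resources) for Allow statements open to Principal '*'.

    Statements carrying a Condition are skipped rather than flagged: a condition
    such as aws:SourceIp may narrow the grant, so they need manual review.
    """
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        out.append((_as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))))
    return out


def _action_matches(granted, wanted):
    """IAM action matching is case-insensitive and supports '*' (e.g. 's3:Get*')."""
    return fnmatch.fnmatchcase(wanted.lower(), granted.lower())


def classify_bucket(name, acl, policy):
    """Can anyone list the bucket, and which object patterns can anyone read?"""
    acl_perms = acl_public_permissions(acl)
    listable = bool(acl_perms & {"READ", "FULL_CONTROL"})
    readable = []
    object_arn_prefix = "arn:aws:s3:::%s/" % name
    for actions, resources in policy_public_statements(policy):
        if any(_action_matches(a, "s3:ListBucket") for a in actions):
            listable = True
        if any(_action_matches(a, "s3:GetObject") for a in actions):
            readable += [r[len(object_arn_prefix):] for r in resources
                         if r.startswith(object_arn_prefix)]
    return {"bucket": name, "listable": listable, "public_object_patterns": readable}


def public_access_blocked(config):
    """True only when all four Block Public Access switches are on (the hardened setting)."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


# Constructed sample documents (placeholders, not real INSCOM data).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},  # the weak grant: anyone can list the bucket
    ],
}
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/public/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/admin"},
     "Action": "s3:*", "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
  ]
}""")
WEAK_BPA = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
HARDENED_BPA = {k: True for k in WEAK_BPA}

if __name__ == "__main__":
    print(classify_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY))
    print("weak BPA ok:", public_access_blocked(WEAK_BPA), "| hardened BPA ok:", public_access_blocked(HARDENED_BPA))
```

Two limitations worth knowing when running something like this across an estate: the script inspects bucket-level ACLs and policies only, so an individual object made public through its own object ACL would not show up, and any policy statement with a Condition block is left for a human to judge. Enabling Block Public Access at the account level removes both blind spots, since it overrides public ACLs and public policies regardless of how they were set.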

The answer seems to be fairly straightforward for systems like Red Disk—such items should probably never be put in a public cloud service at all.