A researcher discovered sensitive U.S. military files on an unsecured Amazon Web Services storage server earlier this month, once again exposing the carelessness federal agencies and their partners have at times exhibited when managing data.
Cybersecurity company UpGuard revealed the troubling discovery in a blog post on Wednesday, crediting the finding to its new cyber risk analyst Chris Vickery, known for his work with MacKeeper. According to UpGuard, the exposed files appear to be related to the US National Geospatial-Intelligence Agency (NGA), an agency within the Pentagon that collects and analyzes geographic information for national security purposes, such as satellite images and mapping data.
In the blog post, UpGuard cyber resilience analyst Dan O’Sullivan reported that although the files would normally require top secret-level security clearance from the Department of Defense to review, they were openly available to anyone could find it, stored in plain text in an Amazon S3 bucket, with no password protection.
“AWS S3 is a very popular cloud-based object storage service, and a staple of most AWS environments from the earliest days of the cloud service,” said Zohar Alon, co-founder and CEO of cloud infrastructure security company Dome9. “Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors.”
UpGuard could not definitively pinpoint the culprit who left the documents exposed; however, domain registrations and credentials found within the exposed dataset strongly suggest it was one of to two common NGA contractors, Booz Allen Hamilton (BAH) or Metronome. (The report seems to lean more forcefully toward BAH).
The NGA officially confirmed the breach, reported UpGuard, noting that the agency cut off access to the server a mere nine minutes after Vickery disclosed the problem on May 25 – “an impressively speedy response time from a major U.S. intelligence agency,” wrote O’Sullivan. Vickery said that he initially alerted Booz Allen Hamilton’s CISO, but failed to receive prompt response, only hearing from the contractor hours later.
Among the information Vickery found was the Secure Shell (SSH) keys of a BAH engineer, and credentials granting administrative access to at least one data center’s operating system, UpGuard reported.
“Unfortunately, data exposure is certainly not isolated to government contractors. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access,” said Brian Vecci, technical evangelist at data defense firm Varonis Systems.
“In the case of Booz Allen, it appears that some of the exposed sensitive information – passwords and SHH keys –would allow attackers to breach more secure systems, much in the same way attackers breached the Office of Personnel Management (OPM), accessing information on open file shares that opened up the mainframe system housing federal employee background information and fingerprint data.”
The report is another black eye for Booz Allen Hamilton, a firm is already inextricably linked to Edward Snowden, who leaked classified NSA documents while working for the contractor. Also, in late 2016, another BAH employee working on behalf of the NSA, Harold T. Martin III, was arrested for allegedly stealing classified documents in 2014.
Meanwhile, the U.S. government is also in damage control mode after both the CIA and NSA had their cyber surveillance tools publicly exposed by WikiLeaks and the Shadow Brokers hacking group, respectively.
“Coming on the heels of contentious debate in Washington over a series of national security leaks, this exposure of systems used to provision servers designed for handling intelligence data up to the classification of ‘Top Secret’ serves to highlight the even more common and potentially grave threat vectors presented by cyber risk — a state of affairs in which simple human error can be as damaging as outright malice,” O’Sullivan wrote in his blog post.
In an interview with Gizmodo, which reported that over 60,000 files were exposed, an NGA spokesperson said that the exposed information was sensitive in nature, but not classified. “NGA takes the potential disclosure of sensitive but unclassified information seriously and immediately revoked the affected credentials,” the agency spokesperson said.
Booz Allen Hamilton issued a statement as well, asserting that the incident would have a limited impact. “Both our client and Booz Allen have confirmed that no classified data was available on the impacted unclassified cloud environments,” the statement reads. “This appears to be a case in which an employee unintentionally left a key within an unclassified cloud environment where multiple users can develop software in an open environment. As soon as we learned of this mistake, we took action to secure the areas and alerted our client and began an investigation.”
SC Media has also reached out to Metronome for comment.