Exposed Military Emails Linked To Microsoft Azure: Reports
Wade Tyler Millward
Microsoft and the U.S. Department of Defense reportedly had a military email server exposed to the open internet.
Multiple news outlets report that Microsoft and the United States Department of Defense are investigating the exposure of a terabyte or more of military emails. The exposed server was secured Monday afternoon.
The data was stored in the Azure cloud computing service by Redmond, Wash.-based Microsoft. The data included personal information, at least one SF-86 form used for security clearances and conversations among officials, according to Bloomberg.
Part of the issue is a U.S. Special Operations Command server that was not password protected, according to Bloomberg. The public accessibility of the server may have been due to a configuration error. But it was unclear if the blame belonged to a Pentagon or Microsoft employee.
Reports: Microsoft, DoD Deal With Exposed Emails
CRN has reached out to Microsoft for comment.
A U.S. Cyber Command spokesman said in a statement that “as a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage. Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate.”
“The Department of Defense (DoD) is aware of the potential exposure of DoD unclassified, commercially cloud-hosted data to the Internet over the past two weeks,” a Department of Defense spokesperson said. “The affected server was identified and removed from public access on February 20.”
Independent security researcher Anurag Sen discovered the leak over the weekend. TechCrunch reported the incident Tuesday, although the server may have been exposed as early as Feb. 8.
The server was secured Monday after two weeks of exposure to the open internet, according to TechCrunch.
The server was part of an internal mailbox system storing about three terabytes of internal military emails.
U.S. Special Operations Command (SOCOM) doesn’t see signs that anyone has hacked its information systems, according to CNN.
The server was hosted on Azure’s government cloud for Defense Department customers – separate from other commercial customers to allow sharing of sensitive but unclassified data. Because no password was required, anyone with a web browser who knew the server’s internet protocol (IP) address could access the mailbox, according to TechCrunch.
The SF-86 forms that may have been in the mailbox are valuable to hackers because they contain the sensitive personal and health information collected when vetting people for access to classified information. Suspected Chinese hackers in 2015 stole millions of sensitive background check files of government employees in a U.S. Office of Personnel Management data breach.
Investigators – led by the Pentagon’s Cyber Command and Microsoft – have not seen signs yet that the exposed data was accessed, according to Bloomberg.
The leak comes as Pentagon leaders push to move more data to the cloud. In December, the department approved Microsoft, Google parent Alphabet, Oracle and Amazon Web Services parent Amazon.com as contractors who can bid on individual task orders issued under a $9 billion cloud computing contract vehicle.
Microsoft’s other federal contract woes include the U.S. Congress’ rejection of the U.S. Army buying up to 6,900 combat goggles from the vendor. The rejection may have been a factor in Microsoft including HoloLens employees in its mass layoffs this year.
Sen, the researcher, previously discovered that data belonging to Oracle subsidiary BlueKai was exposed to the open internet through a passwordless server, TechCrunch reported in 2020.
Microsoft executives and partners as well as those of third-party security vendors such as CrowdStrike have long debated which is the most secure position for users – going all-in on Microsoft security offerings or seeking outside vendors for additional tools.
In March, the Lapsus$ ransomware hacker group reportedly breached internal source code repositories for Microsoft Azure DevOps.
In April, cloud security provider Wiz disclosed vulnerabilities in Azure Database for PostgreSQL Flexible Server.
In January, Orca Security reported vulnerabilities in four Microsoft Azure services that risked exposing customer data.