Black Box, Red Disk: How Top Secret NSA and Army Data Leaked Online
By Dan O'Sullivan, UpGuard
November 29, 2017
Among the most compelling downloadable assets revealed from within the exposed bucket is a virtual hard drive used for communications within secure federal IT environments, which, when opened, reveals classified data labeled NOFORN - a restriction indicating a high level of sensitivity, prohibited from being disseminated even to foreign allies. The exposed data also reveals sensitive details concerning the Defense Department’s battlefield intelligence platform, the Distributed Common Ground System - Army (DCGS-A) as well as the platform’s troubled cloud auxiliary, codenamed “Red Disk.”
This cloud leak follows a number of previous Cyber Risk Team reports detailing Pentagon data exposures from within the US Central Command, US Pacific Command, and the National Geospatial-Intelligence Agency, a Defense Department agency tasked with acquiring and analyzing satellite imagery intelligence. Such continual and apparently accidental exposure of classified national security data to the wider internet is proof that even the most secretive corners of the IT landscape are not immune to the cyber risks befalling any enterprise operating at scale.
In order to stop and shift away from the regular revelations of another exposed intelligence operation, federal stakeholders must begin to regain control of their systems, reducing their complexity by gaining full visibility into the complex workings of the government’s cyber presence.
On September 27th, 2017, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket configured for public access. Set to allow anyone entering the URL to see the exposed bucket’s contents, the repository, located at the AWS subdomain “inscom,” contained 47 viewable files and folders in the main repository, three of which were also downloadable. The subdomain name provides some indication as to the provenance of the data: INSCOM, an intelligence command overseen by both the US Army and the NSA.
The three downloadable files contained in the bucket confirm the highly sensitive nature of the contents, exposing national security data, some of it explicitly classified.
The largest file is an Oracle Virtual Appliance (.ova) file titled “ssdev,” which, when loaded into VirtualBox, is revealed to contain a virtual hard drive and Linux-based operating system likely used for receiving Defense Department data from a remote location. While the virtual OS and HD can be browsed in their functional states, most of the data cannot be accessed without connecting to Pentagon systems - an intrusion that malicious actors could have attempted, had they found this bucket.
However, the properties of files revealed in this hard drive contain areas and technical configurations clearly marked as “Top Secret,” as well as the additional intelligence classification of “NOFORN,” a stipulation which means the data is so sensitive, it cannot even be shared with foreign allies. The hard drive contains six such partitions, varying in size from 1 GB to 69 GB, and contains indications in its metadata that the box was worked on in some capacity by a now-defunct third-party defense contractor named Invertix, a known INSCOM partner. Finally, also exposed within are private keys used for accessing distributed intelligence systems, belonging to Invertix administrators, as well as hashed passwords which, if still valid and cracked, could be used to further access internal systems.
While the specific purpose of the virtual drive’s partitions are unclear, the file appears to be of use for receiving, transmitting, and handling classified data. A folder within the hard drive reveals a human-configured installation of files for use with Red Disk, a troubled Defense Department cloud intelligence platform partially integrated into the Pentagon’s DCGS-A program.
The second downloadable file, a plaintext ReadMe document stored within the virtual hard drive, provides indications of instruction for the contents of the .ova and where to obtain additional Red Disk packages.
The final downloadable file, a compressed .jar titled “rtagger,” appears to constitute a training snapshot for labeling and categorizing classified information, as well as assigning such data to “regions.” Such a function would be of vital use for the remote receipt and analysis of classified information, possibly via a virtual appliance of the sort already discussed.
Plainly put, the digital tools needed to potentially access the networks relied upon by multiple Pentagon intelligence agencies to disseminate information should not be something available to anybody entering a URL into a web browser. Although the UpGuard Cyber Risk Team has found and helped to secure multiple data exposures involving sensitive defense intelligence data, this is the first time that clearly classified information has been among the exposed data.
It is unnecessary to speculate as to the potential value of such an exposed bucket to foreign intelligence services or malicious individual actors; the care taken to classify sections of the exposed virtual drive as “Top Secret” and “NOFORN” provide all the indications necessary to determine how seriously this data was taken by the Defense Department. Finally, the subdomain name for the S3 bucket, “INSCOM,” provides little ambiguity to any bad guys seeking to determine the data’s significance.
If, then, such a high level of sensitivity is inherent to the data, how could it be exposed? Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible. Given how simple the immediate solution to such an ill-conceived configuration is - simply updated the S3 bucket’s permission settings to only allow authorized administrators access - the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?
Doing so requires full visibility into the real-time state of all relevant IT systems, as well as possessing the necessary oversight and ability to make changes when necessary. Unfortunately, the indications that some of the data in the bucket had been access and worked upon by Invertix, the external third-party vendor, provides some indication of another difficulty faced in regaining trust in digital systems.
Third-party vendor risk remains a silent killer for enterprise cyber resilience. The transfer of information to an external contractor, such as Invertix, exposes the originating enterprise (in this case, INSCOM) to the consequences of a breach, but without direct oversight of how the data is handled. Invertix has since merged into a new corporation, Altamira, which registers a CSTAR score of 513. If the right hand does not know what the left hand is doing, the entire body will be injured. The Defense Department must have full oversight into how their data is handled by external partners, and be able to react quickly should disaster strike.