An email server used by the United States Special Operations Command (SOCOM) on Microsoft Azure’s GovCloud was found publicly accessible without a password by anyone who knew the IP address. The email server was operated for an unknown time, but reportedly had over 3 terabytes of data and sensitive emails.
The story was first reported by TechCrunch and security researcher Anurag Sen, who found the exposed server, alerted the Pentagon, and reported the findings only after the server was secured.
The email server was hosted on Microsoft Azure’s GovCloud, an isolated cloud infrastructure environment designed to host sensitive workloads for the Department of Defense. Azure’s GovCloud is separate from the commercially used or consumer use of Azure used by private enterprises and organizations.
However, the isolated GovCloud infrastructure is not secured by obscurity but is still subject to a shared security responsibility model. Thus, the onus is on customer cloud administrators to perform due diligence and ensure their workloads are secured properly.
Anurag Sen believes the email server was left unsecured most likely by “human error.” Once anyone knew the IP address of the web server, they would be able to access all emails hosted on the email server. All three terabytes of them.
“It was that simple,” Sen said.
Pentagon starts damage control after SOCOM email exposure
Multiple media outlets reached out to the Pentagon and US Cyber Command (CYBERCOM) for comment after the news broke.
“As a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage. Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate,” a CYBERCOM spokesperson said in a statement to DefenseScoop.
DOD CIO wants security changes for CSPs in fallout
The Pentagon’s chief information officer John Sherman is preparing to potentially direct changes in security measures that govern cloud service providers (CSP) hosting DOD workloads as a result.
First among his concerns is how, and why, this was not detected sooner.
Microsoft Azure, Amazon Web Services (AWS), Google Cloud (GCP), and Oracle are all able to provide cloud-hosted workloads for the DOD under the Joint Warfighting Cloud Capability (JWCC) contract. Each cloud service provider is competing for individual task orders, as JWCC is an indefinite delivery, indefinite quantity (IDIQ) contract.
