The U.S. Special Operations Command (SOCOM) launched an investigation this week to determine how one of its email servers was left exposed, leaking sensitive but unclassified emails online. The leak was discovered in early February after a cybersecurity researcher alerted the command.
Special Operations Command spokesperson Ken McGraw told CNN in an email that SOCOM had “initiated an investigation into information we were provided about a potential issue with the command’s Cloud service.”
“The only other information we can confirm at this point is no one has hacked US Special Operations Command’s information systems,” McGraw added.
SOCOM has troops forward deployed in dozens of countries worldwide on any given day.
The leak was discovered by Anurag Sen, a good-faith security researcher whose specialty is finding sensitive data that has been left unprotected online. He alerted TechCrunch so that it could notify the military and SOCOM.
Sen discovered that the SOCOM server was packed with military emails, some of which were several years old and contained sensitive personnel information. One of the most potentially damaging files included a completed SF-86 questionnaire.
The SF-86 questionnaires are 136 pages long and can be used to conduct security clearance investigations for individuals (government employees, contractors, and military) who require access to classified information. The form also determines an individual’s eligibility for access to other sensitive information or programs. SF-86 questionnaires contain significant background information on security clearance holders that would be valuable to foreign adversaries.
The leak appears to have been caused by a misconfiguration attributed to human error.
The misconfigured Department of Defense (DOD) server, hosted on Microsoft Azure’s government cloud, allowed the email server to be accessed without a password. The server did not, however, contain any classified material, since SOCOM’s classified networks are not reachable from the internet.
A spokesman for U.S. Cyber Command (CYBERCOM) responded to a query from The Hill, stating that “As a matter of practice and operational security, we do not comment on the status of our networks and systems. Our defensive cyber operators proactively scan and mitigate the networks they manage.”
“Should any incidents be discovered during these regular operations, we fully mitigate, protect, and defend our networks and systems. Any information or insight is shared with relevant agencies and partners if appropriate,” the spokesman added.
Feature Image U.S. Air Force photo by Staff Sgt. Kate Thornton
Tom Maher says
You make a valid point. It is concerning that such a vulnerability in a Department of Defense server could be discovered through a simple method like Google Dorking or SHODAN. Government agencies must stay updated with essential internet security tools and protocols.
The fact that DOD leadership reportedly directed presenters to remove essential internet security topics like SHODAN and Google Dorking from briefings is especially concerning. It suggests a lack of awareness or understanding of government systems’ potential risks and vulnerabilities and the need for adequate measures to protect sensitive data.
To prevent similar breaches from occurring in the future, it is crucial for government agencies to invest in proper training and education for employees and to stay up to date with the latest security tools and protocols. It is also vital for agencies to conduct regular security audits and assessments to identify and address potential vulnerabilities proactively.
John Tanner says
It is concerning to hear that the U.S. Special Operations Command (SOCOM) left an email server exposed, allowing sensitive but unclassified emails to leak online. The fact that the server was accessed without a password due to a misconfiguration attributed to human error highlights the importance of proper security measures and protocols to protect sensitive data.
This breach also brings attention to the more significant issue of cybersecurity within the federal government. Downgrading educational requirements for certain government positions, such as those within the General Schedule (GS) system, could lead to a less-educated workforce that may not have the necessary skills to secure government systems properly.
It is also troubling to hear that essential internet security topics like SHODAN, TheHarvester, and Censys were reportedly removed during recent AI and cybersecurity briefings. These tools can be helpful for security professionals to identify vulnerabilities and assess the security posture of systems. Removing them from briefings could potentially hinder the ability of security professionals to adequately secure systems and prevent similar breaches from occurring in the future.
While SOCOM has confirmed that no one has hacked their information systems, it is unknown whether this vulnerability was exploited before the discovery by the security researcher or if a backdoor Trojan has been installed. Digital forensics analysis would be necessary to make that determination. It is vital for SOCOM and other government agencies to conduct thorough investigations and take steps to ensure that similar breaches do not occur in the future.