Pentagon investigating server exposed to public

The Defense Department is digging into a computer server that a cybersecurity researcher discovered exposed a trove of internal U.S. military emails.

The Microsoft Azure server contained three terabytes of data, according to independent security researcher Anurag Sen, who shared some of the emails involving U.S. Special Operations Command with The Washington Times.

Navy Cmdr. Jessica McNulty, a Pentagon spokeswoman, said the department’s chief information officer and the Joint Force Headquarters-Department of Defense Information Network were investigating the matter to “understand the root cause of the exposure and why this problem was not detected sooner.”

She said in a statement Thursday night that the affected server was removed from public access on Feb. 20 and the Defense Department would notify personnel affected by the incident.  

“DoD takes this matter very seriously and will incorporate all lessons learned from this event to strengthen its cybersecurity posture,” Cmdr. McNulty said.

Mr. Sen said he identified the exposed server during a routine check. He said a likely human error meant the server was not password-protected and those who knew where to look would have had access after a misconfiguration occurred two weeks ago.

Precisely who had access to the exposed data is not fully known, nor is the precise number of internal military communications contained in the server.

“Due to its large size it was harder to get the exact counts of emails but there were a lot,” Mr. Sen said in a message.

Mr. Sen said he discovered the problem on Feb. 18 and turned that same day to the tech publication TechCrunch, which then alerted the U.S. government. He said he did not go directly to the U.S. government because he feared it may wrongly view him as a threat.

Mr. Sen had previously collaborated with TechCrunch’s Zach Whittaker, who has written that Mr. Sen is a “good-faith security researcher.”

Mr. Whittaker wrote that he contacted the U.S. government on Feb. 19, and he later heard from the U.S. Special Operations Command that no one had hacked SOCOM’s information systems.

Regarding whether the human error was attributable to Defense Department or Microsoft personnel, Mr. Sen said an internal review of the government’s logs ought to clarify who bore responsibility.

Microsoft declined to comment this week and referred questions to the Defense Department. The company did not immediately respond to questions Friday.

Hackers have previously used problems with Microsoft’s tech to create headaches for the Big Tech company’s customers. Microsoft Exchange Server software came under attack from the China-sponsored group Hafnium, Microsoft said in March 2021.

The Biden administration later pointed to China’s Ministry of State Security as being responsible for the attacks aimed at Microsoft Exchange Server email software. The U.S. government and several other countries formally attributed the cyberattacks to China in the summer of 2021.