Stylized image of NSA HQ

Ten days after an Amazon S3 server exposed data from the US Army's CENTCOM and PACOM divisions, security researchers have identified another S3 server instance that leaked files from INSCOM, a joint US Army and NSA agency tasked with conducting intelligence, security, and information operations.

Just like the last Army leak, the exposed servers were found by the UpGuard team, who identified an S3 server hosting a small number of files and folders, three of which were freely downloadable.

Researchers find VM holding classified information

Of these three, researchers said that one was an Oracle Virtual Appliance (.ova) file that was an image of a virtual machine running a Linux-based operating system and an attached virtual hard drive.

Researchers were not able to boot the OS or access any of the files stored on the virtual hard drive. This was most likely because the OS boot-up process was conditioned to accessing services that were only accessible from the Department of Defense's (DOD) internal network, a classic method of securing sensitive systems.

Nonetheless, the metadata of files stored on the virtual hard drive allowed researchers to determine the SSD image held troves of highly sensitive files, some of which were classified with the TOP SECRET and NOFORN (NO FOReign Nationals) security classifiers.

Metadata from one of the files found inside the leaked VM image file
Metadata from one of the files found inside the leaked VM image file [Source: UpGuard]

Leaked files contained remnants of old Red Disk platform

In addition, a folder in the same VM image also indicated that the system was also part of Red Disk, a cloud computing platform that was part of the Distributed Common Ground System-Army (DCGS-A), a "battlefield intelligence platform" developed by the DOD.

Red Disk was supposed to aggregate data from the main DCGS-A network, index it, and allow US Army operatives to access and search the data in real-time, based on their access level.

The DOD paid an estimated $93 million for Red Disk and hoped to have it in hand to help troops deployed in Afghanistan, but early tests showed the platform was incredibly slow, and mostly hindered existing operations. The project never made it out of the testing stage, and the DOD eventually scraped it in 2014.

UpGuard, who previously found other US government information exposed online, said this was the first time it discovered classified information left freely accessible on Amazon S3 servers.

"Regrettably, this cloud leak was entirely avoidable, the likely result of process errors within an IT environment that lacked the procedures needed to ensure something as impactful as a data repository containing classified information not be left publicly accessible," said the UpGuard team. "Given how simple the immediate solution to such an ill-conceived configuration is [...] the real question is, how can government agencies keep track of all their data and ensure they are correctly configured and secured?"