
Millions of Sensitive Pentagon Emails Accidentally Sent to a Russian Ally

We've all accidentally "replied all" to an email or sent a message to the wrong recipient a time or two, but most Americans likely haven't funneled millions of messages containing sensitive Department of Defense information to a foreign country that happens to be a close ally of Russia.

That is unfortunately the reality now being grappled with by Pentagon brass, despite warnings going back nearly ten years that a common typo in email addresses was sending millions of sensitive DoD emails not to inboxes within the U.S. military but to addresses in the West African nation of Mali.

You see, the suffix for military emails is ".MIL" and the country identifier for Mali is ".ML", and omitting the "i" is an easy enough mistake to make, with some significant consequences.

As The Financial Times reminded readers this week, "millions of US military emails have been misdirected" through this "'typo leak' that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers."

What's more, "despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain" after being "first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali's country domain," FT explained. 

Earlier this month, Zuurbier warned American officials again that the "risk is real and could be exploited by adversaries of the US" because, as of Monday, control of Mali's domain reverted from the entrepreneur to the government of Mali, "which is closely allied with Russia," FT noted, meaning "Malian authorities will be able to gather the misdirected emails" and do with them what they please.

As for the content of the misdirected emails, FT said much of it is "spam and none is marked as classified." Still, "some messages contain highly sensitive data on serving US military personnel, contractors and their families."

Even this unclassified information in emails that end up in Mali would be a boon to U.S. adversaries, as FT explained based on comments from former NSA Director Mike Rogers:

Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.

Mike Rogers, a retired American admiral who used to run the National Security Agency and the US Army’s Cyber Command, said: “If you have this kind of sustained access, you can generate intelligence even just from unclassified information.”

“This is not uncommon,” he added. “It’s not out of the norm that people make mistakes but the question is the scale, the duration and the sensitivity of the information.”

[...]

Rogers warned the transfer of control to Mali posed a significant problem. “It’s one thing when you are dealing with a domain administrator who is trying, even unsuccessfully, to articulate the concern,” said Rogers. “It’s another when it’s a foreign government that . . . sees it as an advantage that they can use.”

A Pentagon spokesperson told FT that the Department of Defense "is aware of this issue and takes all unauthori[z]ed disclosures of controlled national security information or controlled unclassified information seriously," even though Zuurbier says he has collected more than 117,000 misdirected emails that ended up in Mali with "almost 1,000" arriving on one day last week.