Millions of US military emails mistakenly sent to Mali over a one-letter difference
According to British media reports, millions of emails intended for the US military have over the years been sent by mistake to the African country of Mali. The senders mistyped the US military email domain suffix ".mil" as ".ml", the internet domain suffix of Mali. The report stated that despite warnings from insiders for over a decade, the US government did not take the matter seriously, resulting in the leakage of non-confidential but sensitive information.
A one-letter difference, a long-running blunder
The domain suffix for the email addresses of US military personnel is ".mil", while the internet domain suffix for Mali is ".ml", which is very similar. According to a report by the Financial Times on the 17th, senders have kept making this mistake for many years, with the result that millions of emails intended for the US military were sent to Mali instead.
Reportedly, the misdirected emails came from both external and internal senders.
On the one hand, travel agents serving the US military made the mistake. Some misdirected emails also contained passport numbers sent by special issuing agencies of the United States Department of State.
Another sender who made the mistake was a contractor working with the US military; the email reportedly concerned hand grenade training ammunition produced by General Dynamics for the US military.
The Financial Times also reported that eight emails the Australian Department of Defense intended to send to the United States were also misdirected, including a report on corrosion problems with Australia's F-35 fighter jets. The Australian Department of Defense responded by saying "no comment on security issues".
On the other hand, even insiders of the US government make the mistake. For example, an FBI agent connected to the US Navy attempted to send six messages to a military email address but sent them to Mali instead. They included an urgent diplomatic letter from Türkiye to the US State Department concerning possible actions by the PKK against Türkiye's interests in the US.
This person also sent a series of briefings on domestic terrorism in the United States labeled "official use only", as well as a global counter-terrorism situation assessment labeled "not to be released to the public or foreign governments".
Many people have mistakenly sent their account passwords used to access US Department of Defense archives, as well as recovery passwords for intelligence systems, to Mali.
It is reported that most emails are regular emails without any "confidential" information. However, some of the information involves highly sensitive data of active US military personnel and contractors, including medical information, identification information, crew lists, base staff lists, facility maps, base photos, naval inspection reports, contracts, criminal charges against personnel, internal investigations into bullying, official itineraries, tax and financial records.
For example, misdirected emails covered the plans of US Army Chief of Staff James McConville and his delegation to visit Indonesia in May this year. The specific information included the hotels where McConville's team stayed in Indonesia and the details of their check-in.
"This is not uncommon," said retired Navy Admiral Mike Rogers, who previously served as head of the US National Security Agency and US Cyber Command.
But Rogers also pointed out the severity of this mistake. "If you continue to have this access, you can even obtain intelligence from non-confidential information... making mistakes is human, but the problem is the size, duration, and sensitivity of the information."
Ten years without much attention
It is reported that the Dutch internet entrepreneur Johannes Zuurbier first discovered this problem about 10 years ago. He had signed a contract with Mali to manage the country's internet domain.
In 2013, when Zuurbier took over the Mali domain ".ml", he quickly noticed that emails were being sent to non-existent addresses under domains such as "army.ml" and "navy.ml". Zuurbier then set up a system to receive such mail, but the system was quickly overwhelmed by the volume of messages and stopped functioning.
After realizing that these emails had probably been sent to the wrong address, Zuurbier contacted US officials on multiple occasions, including a military officer stationed in Mali, a senior advisor to the US National Cybersecurity Agency, and even White House officials, but to no avail.
Since the beginning of this year, Zuurbier has once again been collecting misdirected emails in an attempt to persuade the US to take the issue seriously. During this period he received nearly 117,000 misdirected messages, including nearly a thousand within a single day.
In early July, Zuurbier wrote to the US side, "This risk is real and may be exploited by US opponents."
In response, US Department of Defense spokesperson Tim Gorman stated on the 17th that the Pentagon is aware of this issue and takes the leakage of such information seriously.
Pentagon Deputy Press Secretary Sabrina Singh also stated that the leaked emails were not sent from official Defense Department email accounts but from personal email accounts. The Pentagon has taken preventive measures and strongly opposes the use of personal email addresses for official purposes.
However, Gorman also acknowledged that the Pentagon cannot prevent external personnel from mistakenly sending emails to Mali, and that all it can do is provide further guidance and training to internal personnel.
According to the BBC, current and former US officials have stated that US military communications marked as "confidential" and "top secret" are transmitted through different information technology systems and are unlikely to be leaked due to technical issues. However, human factors deserve attention.
This is not the first time this year that such a problem has come to light in the US military. In February of this year, multiple US media outlets reported, citing senior Pentagon officials, that a configuration error on a US Department of Defense server during the preceding two weeks had led to the leakage of internal military emails, though no confidential information was involved.
Lee McKnight, a professor of information research at Syracuse University in the United States, commented on the latest developments and said that the US military should be grateful because domain name issues have already attracted attention. Moreover, these emails were mistakenly sent to Mali instead of falling into the hands of cybercriminals.
It is reported that Zuurbier's contract to manage the Malian domain ".ml" expires this week, at which point control of the domain will be transferred to the Malian government. These misdirected emails are then also expected to pass to the Malian government.
Commentators have noted that the close relationship between the Malian government and Russia makes the situation even more delicate. Rogers believes that transferring control of the ".ml" domain to the Malian government would create significant problems. He said that this could become an advantage that foreign governments can leverage.
The Malian government has not yet responded to this.
Another noteworthy point is that the US military is not the only one at risk of misdirected email. The email domain suffix ".nl" used by the Dutch military is also very similar to Mali's domain suffix ".ml".