Massive US military social media spying archive left wide open in Amazon Web Services (AWS) S3 buckets. Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest, according to a report from The Register.
“The UpGuard Cyber Risk Team can now disclose that three publicly downloadable cloud-based storage servers exposed a massive amount of data collected in apparent Department of Defense intelligence-gathering operations. The repositories appear to contain billions of public internet posts and news commentary scraped from the writings of many individuals from a broad array of countries, including the United States, by CENTCOM and PACOM, two Pentagon unified combatant commands charged with US military operations across the Middle East, Asia, and the South Pacific,” UpGuard said on its website.
The buckets’ AWS subdomain names – “centcom-backup,” “centcom-archive,” and “pacom-archive” – provide an immediate indication of the data repositories’ significance. CENTCOM refers to the US Central Command, based in Tampa, Fla. and responsible for US military operations from East Africa to Central Asia, including the Iraq and Afghan Wars. PACOM is the US Pacific Command, headquartered in Aiea, HI and covering East, South, and Southeast Asia, as well as Australia and Pacific Oceania.
According to UpGuard, there are further clues as to the provenance of these data stores. A “Settings” table in the bucket “centcom-backup” indicates the software was operated by employees of a company called VendorX, complete with a listing of the details of a number of developers with access. While public information about this firm is scant, an internet search reveals multiple individuals who worked for VendorX describing work building Outpost for CENTCOM and the Defense Department:
This external reference to “Outpost” as a Pentagon social engineering effort built by VendorX appears to be corroborated by the contents of “centcom-backup,” which, besides, the references to VendorX in the “Settings” table, contains a folder titled “outpost.”