Millions of US military emails have been erroneously sent to Mali through a “typo leak” that exposed highly sensitive information including diplomatic documents, tax returns, passwords and travel details of top officials.
Despite repeated warnings for more than a decade, there has been a steady flow of email traffic to .ML domains, the country identifier for Mali, as a result of people mistyping .MIL, the suffix of all US military email addresses.
The problem was first identified nearly a decade ago by Johannes Zurbier, a Dutch Internet entrepreneur who has a contract to manage the country domain for Mali.
Zurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He has about 117,000 erroneous messages – about 1,000 came on Wednesday alone. In a letter sent to the US in early July, Zurbier wrote: “This risk is real and could be exploited by America’s adversaries.”

Control of the .ML domain will return on Monday from Zurbier to the government of Mali, which is closely allied with Russia. When Zurbier’s 10-year management contract expires, Malian authorities will be able to collect the erroneously sent emails. The Malian government did not respond to requests for comment.
Zurbier, managing director of Amsterdam-based Mali Dilly, has repeatedly contacted US officials, including a defense attaché in Mali, a senior adviser to the US National Cyber Security Service and even White House officials.
Most of the email flow is spam and none is marked as classified. But some of the messages include highly sensitive data on serving US military personnel, contractors and their families.
Their contents included X-ray and medical data, identification document information, crew lists for ships, lists of employees at bases, maps of installations, photographs of bases, Navy inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
Mike Rogers, a retired US admiral who used to run the National Security Agency and the US military’s Cyber Command, said: “If you have that kind of continuous access, you can generate intelligence even just from unclassified information.”
“It’s not unusual,” he said. “It is not in general that people make mistakes but the question is of scale, duration and sensitivity of the information.”
A misdirected email this year contained travel plans for US Army Chief of Staff General James McConville and his delegation for an upcoming trip to Indonesia in May.
The email included a complete list of room numbers, itineraries for McConville and 20 others, as well as details of a collection of McConville’s room keys at the Grand Hyatt Jakarta, where he had received a VIP upgrade to a lavish suite.
Rogers warned that the transfer of control to Mali is a significant problem. “It’s one thing when you’re dealing with a domain administrator who is unsuccessfully trying to raise a concern,” Rogers said. “It is another matter when it is a foreign government. … They see it as an advantage they can use.”
Pentagon spokesman Lt. Commander Tim Gorman said the Defense Department “is aware of this issue and takes seriously all unauthorized disclosures of controlled national security information or controlled unclassified information”.
He added that emails sent directly from .mil domains to Malian addresses “are blocked before leaving the .mil domain and the sender is informed that they must validate the email addresses of the intended recipients”.
When Zurbier – who has managed similar operations for Tokelau, the Central African Republic, Gabon and Equatorial Guinea – took over the Mali country code in 2013, he quickly noticed requests for domains such as army.ml and navy.ml, which did not exist. Suspecting that it was actually email, he set up a system to capture any such correspondence, which quickly became overwhelmed and stopped collecting messages.
Zurbier says that, after realizing what was happening and seeking legal advice, he made repeated efforts to alert the US authorities. He told the Financial Times that he had given his wife a copy of the legal advice “just in case black helicopters landed in my backyard”.
His efforts to raise the alarm included enlisting the help of Dutch diplomats in 2014 to join a trade mission to the Netherlands. In 2015, he made another attempt to alert the US authorities, but to no avail. Zurbier began collecting misaddressed emails once again this year in a last-ditch effort to alert the Pentagon.
The flow of data shows some systematic sources of leakage. Travel agents who work for the military routinely misspell email addresses. Employees sending email between their own accounts is also a problem.
An FBI agent with a naval role sought to have six messages forwarded to his military email, and they were sent to Mali by mistake. One of these included an urgent Turkish diplomatic letter to the US State Department about possible operations by the militant Kurdistan Workers’ Party (PKK) against Turkish interests in the US.

The same person also forwarded a series of briefings on domestic US terrorism marked “For official use only” and a global counterterrorism assessment titled “Not eligible for release to the public or foreign governments”. Also included was a “sensitive” briefing on efforts by Iran’s Islamic Revolutionary Guards Corps to use Iranian students and the Telegram messaging app to spy on the US.
Gorman told the FT: “While it is not possible to implement technical controls to prevent the use of personal email accounts for government business, the department continues to provide direction and training to DoD personnel.”
About a dozen people mistakenly requested recovery passwords for intelligence community systems to be sent to Mali. Others sent the passwords needed to access documents hosted on the Defense Department’s Secure Access File Exchange. The FT did not try to use the passwords.
Many of the emails are from private contractors working with the US military. Twenty regular updates from defense contractor General Dynamics related to the production of grenade training cartridges for the military.
Some of the emails contained passport numbers sent by the State Department’s Special Issuing Agency, a unit that issues documents to diplomats and others traveling on official business for the US.
The Dutch Army uses the domain army.nl, which is one keystroke away from army.ml. There are more than a dozen emails from serving Dutch personnel that include discussions with Italian counterparts about taking ammunition to Italy and detailed exchanges on Dutch Apache helicopter crews in the US.
Others included a discussion of future military procurement options and a complaint about the Dutch Apache unit’s possible vulnerability to cyberattacks.
The Dutch Defense Ministry did not respond to a request for comment.
Eight emails from the Australian Department of Defense, intended for US recipients, went astray. These included a presentation about corrosion problems affecting Australian F-35s and an artillery manual “carried by command post officers to each battery”.
The Australian Ministry of Defense said it “does not comment on security matters”.
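
The two typo patterns the article describes (a dropped "i" turning .mil into .ml, and army.nl sitting one keystroke from army.ml) can be caught by an outbound recipient check that holds a message until the sender confirms the address. The Python below is an added example, not the Defense Department's filter; the protected-domain list, function names and sample addresses are assumptions constructed for illustration.

```python
# Domains whose mail must not leak to a lookalike. Assumption: this list is
# illustrative, built from the domains the article names.
PROTECTED = ("army.mil", "navy.mil", "army.nl")


def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one inserted, deleted or replaced character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # a is now the shorter (or equal-length) string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]  # one substitution, e.g. army.nl / army.ml
    return a[i:] == b[i + 1:]  # one missing character, e.g. army.ml / army.mil


def lookalikes(address: str) -> list[str]:
    """Protected domains that the recipient's domain is one keystroke away from."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(".").lower()
    labels = domain.split(".")
    hits = []
    for protected in PROTECTED:
        n = protected.count(".") + 1
        suffix = ".".join(labels[-n:])  # compare like with like: mail.army.ml -> army.ml
        if suffix == protected:
            return []  # genuine protected domain or one of its subdomains
        if one_edit_apart(suffix, protected):
            hits.append(protected)
    return hits


def hold_for_confirmation(recipients: list[str]) -> dict[str, list[str]]:
    """Recipients to hold at the gateway, mapped to the domains they resemble."""
    held = {}
    for recipient in recipients:
        hits = lookalikes(recipient)
        if hits:
            held[recipient] = hits
    return held


# Constructed sample recipients (not taken from any real message).
SAMPLE = ["j.doe@army.mil", "j.doe@army.ml", "ops@mail.navy.ml", "agent@example.com"]

if __name__ == "__main__":
    for addr, near in hold_for_confirmation(SAMPLE).items():
        print(f"HOLD {addr}: did you mean {' or '.join(near)}?")
```

A check like this only sees mail that passes through the organisation's own gateway, so it does not cover the travel agents and personal accounts the article identifies as systematic sources.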