Typo leaks millions of US military emails to Mali web operator
Millions of US military emails have been misdirected to Mali through a “typo leak” that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers.
Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country-code domain for Mali, because people mistype .MIL, the top-level domain of all US military email addresses, the Financial Times reports.
The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali’s country domain.
Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”
Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.
Zuurbier, managing director of Amsterdam-based Mali Dili, has approached US officials repeatedly, including through a defence attaché in Mali, a senior adviser to the US national cyber security service, and even White House officials.
Much of the email flow is spam and none is marked as classified. But some messages contain highly sensitive data on serving US military personnel, contractors and their families.
Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
Lt. Cmdr Tim Gorman, a spokesman for the Pentagon, said the Department of Defense “is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously”.
He said that emails sent directly from the .mil domain to Malian addresses “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.
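The control the Pentagon describes is an outbound-gateway rule: before a message leaves the organisation, each recipient domain is compared against suffixes that are one keystroke away from the protected one, and a match is held with a notice to the sender. The Python below is an added illustration of that rule, not code from the Department of Defense or from Mali Dili. The allowlist entry, the sample recipients and the `Verdict` type are constructed for the example; the typo set is derived from the single suffix the article names, `.mil`. Any organisation that regularly mails .mil addresses, a contractor or travel agency for instance, can run the same check on its own gateway, which is where the article's leak flow shows it is missing.

```python
"""Outbound-gateway check for one-keystroke typos of a protected TLD (.mil -> .ml).

Added example, not the Pentagon's or Mali Dili's code. Policy mirrored from the
article: a recipient whose suffix is a single slip away from the protected
suffix is held and the sender is told to re-check the address. The allowlist
and sample addresses are constructed for this example.
"""
import re
from dataclasses import dataclass

PROTECTED_TLDS = {"mil"}                 # suffix whose typos we guard against

# Constructed allowlist: a genuine correspondent in a typo-TLD who must still be
# reachable. A blanket block on a whole country would otherwise cut them off.
ALLOWED_DOMAINS = {"example-embassy.ml"}

# Accepts "user@host" or "Display Name <user@host>"; no IP literals.
ADDR_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$")


def typo_variants(tld: str) -> set[str]:
    """Suffixes one deletion or one adjacent transposition away from `tld`.

    'mil' -> {'il', 'ml', 'mi', 'iml', 'mli'}. Deletion covers the .ML case
    from the article; transposition covers the other common fat-finger slip.
    """
    out: set[str] = set()
    for i in range(len(tld)):                               # one key dropped
        out.add(tld[:i] + tld[i + 1:])
    for i in range(len(tld) - 1):                           # two keys swapped
        out.add(tld[:i] + tld[i + 1] + tld[i] + tld[i + 2:])
    out.discard(tld)
    return out


# Map each typo suffix back to the suffix it probably was meant to be.
TYPO_TLDS = {v: t for t in PROTECTED_TLDS for v in typo_variants(t)}


@dataclass
class Verdict:
    recipient: str
    action: str          # "deliver" or "hold"
    reason: str


def check_recipient(addr: str) -> Verdict:
    """Decide whether one recipient address may leave the gateway."""
    m = ADDR_RE.search(addr)
    if not m:
        # Fail closed: an address we cannot parse is not one we can vet.
        return Verdict(addr, "hold", "unparseable address")
    domain = m.group(2).lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1]
    if domain in ALLOWED_DOMAINS:
        return Verdict(addr, "deliver", f"{domain} is explicitly allowlisted")
    if tld in TYPO_TLDS:
        return Verdict(
            addr, "hold",
            f".{tld} looks like a typo of .{TYPO_TLDS[tld]}; "
            "sender must validate the recipient address",
        )
    return Verdict(addr, "deliver", "no typo-TLD match")


def triage(recipients: list[str]) -> tuple[list[str], list[Verdict]]:
    """Split a message's recipient list into deliverable addresses and held verdicts."""
    deliver, held = [], []
    for r in recipients:
        v = check_recipient(r)
        (deliver if v.action == "deliver" else held).append(r if v.action == "deliver" else v)
    return deliver, held


if __name__ == "__main__":
    # Constructed sample: one good address, one .ML slip, one allowlisted
    # Malian correspondent, one swapped-key slip and one malformed entry.
    sample = [
        "john.smith@army.mil",
        "Jane Doe <jane.doe@navy.ml>",
        "attache@example-embassy.ml",
        "logistics@supply.mli",
        "not an address",
    ]
    ok, held = triage(sample)
    print("deliver:", ok)
    for v in held:
        print("HOLD   :", v.recipient, "->", v.reason)
```

The notice back to the sender is the important half of the control: a silent drop would just make the sender retry from a personal account, which is exactly the path the gateway cannot see.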
When Zuurbier — who has managed similar operations for Tokelau, the Central African Republic, Gabon and Equatorial Guinea — took on the Mali country code in 2013, he rapidly noticed lookups for domains such as army.ml and navy.ml, which did not exist. Suspecting that these were mail servers trying to deliver misaddressed email, he set up a system to catch any such correspondence; it was rapidly overwhelmed and stopped collecting messages.
Zuurbier says that, after realising what was happening and taking legal advice, he made repeated attempts to alert the US authorities. He told the Financial Times that he gave his wife a copy of the legal advice “just in case the black helicopters landed in my backyard”.
His efforts to raise the alarm included joining a trade mission from the Netherlands in 2014 to enlist the help of Dutch diplomats. In 2015, he made a further effort to alert the US authorities, to no avail. Zuurbier began collecting misaddressed email once again this year in a final bid to alert the Pentagon.
The flow of data shows some systematic sources of leakage. Travel agents working for the military routinely misspell emails. Staff sending emails between their own accounts are also a problem.
One FBI agent with a naval role sought to forward six messages to their military email — and accidentally dispatched them to Mali. One included an urgent Turkish diplomatic letter to the US state department about possible operations by the militant Kurdistan Workers’ party (PKK) against Turkish interests in the US.
The same person also forwarded a series of briefings on domestic US terrorism marked “For Official Use Only” and a global counter-terrorism assessment headlined “Not Releasable to the Public or Foreign Governments”.
A “sensitive” briefing on efforts by Iran’s Islamic Revolutionary Guards Corps to use Iranian students and the Telegram messaging app to conduct espionage in the US was also included.
Around a dozen people mistakenly requested recovery passwords for an intelligence community system to be sent to Mali. Others sent the passwords needed to access documents hosted on the Department of Defense's Secure Access File Exchange. The FT did not attempt to use the passwords.
Many emails are from private contractors working with the US military. Twenty routine updates from defence contractor General Dynamics concerned the production of grenade training cartridges for the army.
Eight emails from the Australian Department of Defence, intended for US recipients, went astray. Those included a presentation about corrosion problems affecting Australian F-35s and an artillery manual “carried by command post officers for each battery”.
The Australian defence ministry said it does “not comment on security matters”.