.mil and .ml: The US does not distinguish between security domains and forwards its emails to Mali

Over the past 10 years, millions of U.S. military emails have ended up in mailboxes in Mali, a well-known ally of Russia, not because of a leak, but because of a typo: They were sent to the West African country’s .ml suffix, not the U.S. military’s .mil.

The breach exposed sensitive information including diplomatic documents, tax returns, passwords and travel records of senior Pentagon officials, medical records, identification documents, military base personnel lists, photos of military bases, ship crew lists, tax documents and more. The Financial Times revealed this following a report by Dutch businessman Johannes Zurbier, who is responsible for managing the Mali domain.

When ZUURBIER It started noticing requests for non-existent domains like army.ml and navy.ml and created a system to catch these false emails. But unfortunately, due to the high flow of e-mails, the system “quickly became overloaded and stopped collecting messages.”

Since January 2023 alone, Zuurbier has intercepted 117,000 malicious emails, many of which contained sensitive information related to the US military. Some were sent by military personnel, travel agents working with the military, US intelligence and private contractors. For example: An email from January contains an itinerary for US Army Chief of Staff General James McConville’s visit to Indonesia. Attached are “Complete List of Room Numbers” and “Details of McConville’s Room Key Collection at Grand Hyatt Jakarta”.

Zuurbier cannot intercept these communications for long: his contract with Mali expires on Monday and officials will have access to emails.
Tim Corman, a spokesman for the Office of the Secretary of Defense, issued a statement: “The Department of Defense is aware of this issue and takes all unauthorized disclosures of national security information seriously.” In a successful email statement to The Verge news portal, Gorman said the email sent to Mali from the .mil domain was “blocked” and the sender should “verify recipient email addresses” before sending any further.

Gorman That’s not enough to prevent other government agencies or those working with the U.S. government from accidentally sending emails to Mali, but he acknowledged that “the department will continue to train defense personnel.”