Date: 2023-07-19



Millions of US military emails have been misdirected to Mali through a typo leak that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and senior officers’ travel details.

Despite repeated warnings over a decade, a steady stream of email traffic continues to flow to the .ML domain, the country identifier for Mali, because senders mistype .MIL, the suffix for all US military email addresses.

The problem was first identified nearly a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali’s national domain.

Zuurbier has been collecting misdirected emails since January in an effort to persuade the United States to take the issue seriously. He holds nearly 117,000 misdirected messages, nearly 1,000 of which arrived on Wednesday alone. In a letter he sent to the United States in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the United States.”

Control of the .ML domain will revert Monday from Zuurbier to the Malian government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to retrieve misdirected emails. The Malian government did not respond to requests for comment.

Zuurbier, managing director of Amsterdam-based Mali Dili, has repeatedly approached US officials, including through a defense attaché in Mali, a senior adviser to the US National Cyber Security Service and even White House officials.

Much of the email flow is spam and none are marked as classified. But some messages contain highly sensitive data about serving US military personnel, contractors and their families.

Their contents include x-rays and medical data, identity document information, crew lists for ships, personnel lists at bases, maps of facilities, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations of bullying, official travel itineraries, reservations, and tax and financial records.

Mike Rogers, a retired US admiral who ran the National Security Agency and US Army Cyber Command, said: “If you have that kind of continuous access, you can generate intelligence even from unclassified information.”

“This is not uncommon,” he added. “It’s not out of the norm for people to make mistakes, but the question is the extent, duration and sensitivity of the information.”

A misdirected email this year included travel plans for US Army Chief of Staff General James McConville and his delegation for an upcoming visit to Indonesia in May.

The email included a full list of room numbers, directions to McConville and 20 others, and details of McConville’s room key collection at the Grand Hyatt Jakarta, where he received a VIP upgrade to a large suite.

Rogers warned that transferring control to Mali posed a significant problem. “It’s one thing when you’re dealing with a domain administrator who tries, even unsuccessfully, to express concern,” Rogers said. “It’s another thing when it’s a foreign government that… sees it as an advantage that they can use.”

Pentagon spokesman Lt. Commander Tim Gorman said the Department of Defense is aware of this issue and takes all unauthorized disclosures of controlled national security information or controlled unclassified information seriously.

He said emails sent directly from the .mil domain to Malian addresses are blocked before they leave the .mil domain and the sender is told to validate the email addresses of the intended recipients.
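The outbound control described above, sketched as an added example (not the Department of Defense's implementation): every .ml recipient is blocked and the sender is told to validate the address. The allowlist is a constructed sample, and the "did you mean" suggestion is an assumption that goes beyond what the article states.

```python
from email.utils import parseaddr

# Constructed sample allowlist; a real gateway would load its own directory.
KNOWN_MIL_DOMAINS = {"army.mil", "navy.mil"}

def recipient_domain(address):
    """Return the lowercased domain of an address, or None if unparseable."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None

def check_recipient(address, known=KNOWN_MIL_DOMAINS):
    """Return (action, message): 'block' for .ml recipients, else 'allow'."""
    domain = recipient_domain(address)
    if domain is None:
        return ("block", "Recipient address could not be parsed.")
    labels = domain.split(".")
    if labels[-1] != "ml":
        return ("allow", "")
    # Swap .ml for .mil, then test each parent suffix against the allowlist
    # so that subdomains such as mail.army.ml are also recognised.
    cand = labels[:-1] + ["mil"]
    candidate = ".".join(cand)
    for i in range(len(cand) - 1):
        if ".".join(cand[i:]) in known:
            return ("block",
                    f"{domain} is a Mali (.ml) domain; did you mean {candidate}?")
    return ("block",
            f"{domain} is a Mali (.ml) domain; validate the recipient address.")

def filter_outbound(recipients):
    """Split recipients into deliverable addresses and (address, notice) bounces."""
    deliver, bounces = [], []
    for rcpt in recipients:
        action, message = check_recipient(rcpt)
        if action == "allow":
            deliver.append(rcpt)
        else:
            bounces.append((rcpt, message))
    return deliver, bounces
```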

