The West African country of Mali has been receiving thousands of U.S. military emails misdirected by a chronic typo that confuses the two parties’ top level domains.
A top level domain is the final portion of an email or website address, e.g. .com, .net, .org. For the United States military, all Internet domains end in .MIL, just as U.S. government websites end in .GOV.
Mali’s country domain ends in .ML. Its operator, Johannes Zuurbier, is described as a “Dutch internet entrepreneur who has a contract to manage Mali’s country domain” in a July 16 Financial Times article.
July 19 reporting by France’s Le Monde explains that Mali’s top level domain “has been technically managed for 10 years by the private Dutch company Mali Dili,” which Zuurbier owns.
Zuurbier “holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone,” FT states, noting the man has collected them only since January.
The man “has approached US officials repeatedly, including through a defence attaché in Mali, a senior adviser to the US national cyber security service, and even White House officials,” FT also stated.
The article explained that when Mali Dili began conducting services under its contract in 2013, it noticed email traffic to the domains “army.ml” and “navy.ml,” which did not exist.
“Suspecting this was actually email, he set up a system to catch any such correspondence, which was rapidly overwhelmed and stopped collecting messages,” FT stated.
When Zuurbier began to see the influx of sensitive emails, he sought legal advice and reported his findings to American authorities; he resumed capturing emails this year for the stated purpose of a further round of reporting before his contract ended. The Mali government, however, does not share the same obligation.
FT said that the government of Mali did not respond to requests for comment on the issue.
Yet Zuurbier and his companies have a curious history. Le Monde reported: “In March 2022, several companies he ran, including Mali Dili, were sued for ‘cybersquatting’ – i.e. domain name usurpation, by Instagram, WhatsApp and Facebook’s parent company, Meta.”
“According to the court document consulted by Le Monde, several companies run by Zuurbier, along with a certain Marcel Trik, ‘formed a complex network of shell companies’ that ‘registered, tampered with and used over 5,000 domain names identical or similar to the trademarks registered’ by Meta.”
Emails shared by Zuurbier with FT showed how serious this form of user error could be.
“One misdirected email included the travel itinerary of General James McConville, the US army’s chief of staff, and his delegation as they prepared for a trip to Indonesia earlier this year,” a caption to a photo collage of a travel itinerary for May at an undisclosed Grand Hyatt hotel stated.
The article added, “The email included a full list of room numbers, the itinerary for McConville and 20 others, as well as details of the collection of McConville’s room key at the Grand Hyatt Jakarta, where he received a VIP upgrade to a grand suite.”
Pentagon spokesperson Lieutenant Commander Tim Gorman told FT that when emails are erroneously sent to the .ml domain, they “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients.”
But solving the problem isn’t so simple in some cases, the article states, noting that when one “FBI agent with a naval role” tried to forward a set of six emails to his military address, sending them to .ml instead of .mil, no such safeguard was in place.
“One included an urgent Turkish diplomatic letter to the US state department about possible operations by the militant Kurdistan Workers’ party (PKK) against Turkish interests in the US,” FT wrote.
In response to the loophole, Gorman only stated, “While it is not possible to implement technical controls preventing the use of personal email accounts for government business, the department continues to provide direction and training to DoD personnel.”
Another spokesperson for the Pentagon, Sabrina Singh, told a press conference, “None of the leaked emails that were reported came from a DOD email address,” Le Monde reported.
Yet, some security breaches were even more serious: “About a dozen people mistakenly requested recovery passwords for an intelligence community system to be sent to Mali. Others sent the passwords needed to access documents hosted on the Department of Defence’s secure access file exchange.”
And the typo isn’t strictly linked to Mali, the article noted.
“The Dutch army uses the domain army.nl, a keystroke away from army.ml. There are more than a dozen emails from serving Dutch personnel that included discussions with Italian counterparts about an ammunition pick-up in Italy and detailed exchanges on Dutch Apache helicopters crews in the US.”
Australia also allegedly sent communiques intended for the American military to Mali, FT stated, “Eight emails from the Australian Department of Defence, intended for US recipients, went astray. Those included a presentation about corrosion problems affecting Australian F-35s and an artillery manual ‘carried by command post officers for each battery’.”
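The control Gorman describes (mail addressed to .ml is blocked before it leaves .mil and the sender is told to validate the recipient addresses) and the army.nl case above both reduce to an outbound recipient check at the mail gateway. The following is an added example written for this article, not code from the Pentagon, Mali Dili, FT or Le Monde; the gateway hook, the `home_tld` setting and the sample addresses are assumptions, and the addresses are constructed. It blocks an explicit list of known-typo TLDs (here .ml, the only one the article documents) and separately flags any recipient TLD that is one keystroke from the organisation’s own TLD. That second rule catches mil to ml and nl to ml, but also legitimate neighbours such as .il next to .mil, which is why it only warns and takes an allowlist.

```python
"""Outbound recipient check modelled on the .mil -> .ml safeguard described
in the article. Added example; not the Pentagon's or Mali Dili's code. It
assumes a mail gateway hands us the sender, the recipient list and the
organisation's own TLD (home_tld) before delivery.
"""
from __future__ import annotations

from dataclasses import dataclass, field


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short strings (TLDs)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def tld_of(address: str) -> str:
    """Lower-cased top level domain of an e-mail address; '' if malformed."""
    if address.count("@") != 1:
        return ""
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if "." not in domain:
        return ""
    return domain.rsplit(".", 1)[1]


@dataclass
class Verdict:
    allowed: list[str] = field(default_factory=list)   # deliver as-is
    blocked: list[str] = field(default_factory=list)   # TLD on the block list
    warned: list[str] = field(default_factory=list)    # one keystroke from home TLD
    notice: str = ""                                   # text to bounce to the sender


def check_recipients(sender: str, recipients: list[str], home_tld: str,
                     block_tlds: frozenset[str] = frozenset({"ml"}),
                     allow_tlds: frozenset[str] = frozenset()) -> Verdict:
    """Classify each recipient before the message leaves the organisation.

    blocked: TLD is in block_tlds (the exact .ml rule the article describes).
    warned : TLD differs from home_tld by a single edit and is not explicitly
             allowed. Catches army.nl -> army.ml style slips for any home TLD,
             but .il is also one edit from .mil, so legitimate neighbours must
             be put in allow_tlds rather than relying on distance alone.
    """
    home = home_tld.lower().lstrip(".")
    verdict = Verdict()
    for rcpt in recipients:
        tld = tld_of(rcpt)
        if tld in block_tlds and tld != home:
            verdict.blocked.append(rcpt)
        elif (tld and tld != home and tld not in allow_tlds
              and edit_distance(tld, home) == 1):
            verdict.warned.append(rcpt)
        else:
            verdict.allowed.append(rcpt)
    held = verdict.blocked + verdict.warned
    if held:
        verdict.notice = (
            f"{sender}: {len(held)} recipient(s) held; validate the email "
            "addresses of the intended recipients: " + ", ".join(held)
        )
    return verdict


if __name__ == "__main__":
    # Constructed sample: one internal recipient, one .ml typo, one .il neighbour.
    v = check_recipients("alice@army.mil",
                         ["bob@navy.mil", "carol@army.ml", "dan@example.il"],
                         home_tld="mil")
    print("allowed:", v.allowed)
    print("blocked:", v.blocked)
    print("warned: ", v.warned)
    print(v.notice)
```

The block list is the control the article attributes to the Pentagon; the edit-distance rule is the generalisation that would also have caught the Dutch army.nl slips. Note what the check cannot do: it runs only on mail that leaves the organisation's own gateway, so the FBI agent forwarding from an address outside .mil would never pass through it, which is exactly the gap Gorman concedes.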