UK govt sent military emails to Russian ally Mali meant for Pentagon due to a typo

Following a typographical error, British authorities have launched an investigation into an incident where emails originally intended for U.S. military intelligence were erroneously sent to the government in Mali, a country known to be an ally of Russia.

According to the Times report on Thursday, the UK Ministry of Defense officials had intended to send these emails to the Pentagon. However, due to the mix-up, the messages ended up being directed to Mali’s government. The error occurred because of the similarity in domain names, with the Pentagon’s domain being “.mil,” and Mali’s domain being “.ml.”

Ministry of Defence officials accidentally sent emails containing classified information to Mali, an African country with close links to the Kremlin, because of a typing error https://t.co/13jfaYvg9X

— The Times and The Sunday Times (@thetimes) July 28, 2023

Reuters reported that a spokesperson for the ministry stated that an investigation has been launched in response to a small number of emails that were mistakenly forwarded to an incorrect email domain.

As per the Times, while most of the emails sent to Mali were harmless and included information such as the holiday dates of foreign ministry employees, there were some emails that contained “detailed descriptions” of British research concerning hypersonic missiles.

The Ministry of Defense, however, refuted the claims made by the Times, asserting that they were misleading. They clarified that only a limited number of routine emails, fewer than 20, were mistakenly sent to the wrong domain. They are confident that there was no breach of operational security or disclosure of sensitive technical data. The ministry confirmed that the investigation is ongoing and emphasized that these types of emails are not classified at the level of “secret” or higher.

The ministry posted on Twitter, “This report misleadingly claims state secrets were sent to Mali’s email domain. We assess fewer than 20 routine emails were sent to an incorrect domain & are confident there was no breach of operational security or disclosure of technical data. An investigation is ongoing. Emails of this kind are not classified at secret or above.”

(1/2) This report misleadingly claims state secrets were sent to Mali’s email domain. We assess fewer than 20 routine emails were sent to an incorrect domain & are confident there was no breach of operational security or disclosure of technical data. https://t.co/frvgl3PE8C

— Ministry of Defence 🇬🇧 (@DefenceHQ) July 28, 2023

A spokesperson of the ministry said that “all sensitive information is shared on systems designed to minimise the risk of misdirection.”

As reported by Reuters, the spokesperson emphasized that all sensitive information is shared through systems specifically designed to minimize the risk of misdirection.”The MOD regularly evaluates its procedures and is presently engaged in a program to enhance information management, prevent data loss, and exercise better control over sensitive information,” they stated.

Mali is receiving millions of emails meant for Pentagon over years, revealed domain admin

Notably, the UK defence ministry is not the only or first to send emails meant for Pentagon to Mali by mistake due to the similar domains. As per a Financial Times report last week, millions of emails meant for the Pentagon have been sent to Mali as a result of the same typo. Some of these emails included sensitive information, such as diplomatic documents, tax returns, passwords and officers’ travel details, the report states.

“Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses,” the report by FT said. It states that the problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali’s country domain.

Johannes Zuurbier has started compiling emails mistakenly sent to Mali to convince the Pentagon to take the payer seriously, and have collected around 1,17,000 mails since January this year. In a letter he sent to the US in early this month, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”

He added that after realising what was happening and attempting to alert the US authorities, he gave his wife a copy of a legal advice he received “just in case the black helicopters landed in my backyard”.

The problem becomes more serious as from Monday, the control of the .ML domain went to the Mali govt from Johannes Zuurbier, as the 10-year management contact has expired. This means the Malian government, a close ally with Russia, will be able to access those emails meant for US military.

While most of the misdirected emails are spam and generic emails and none of them are marked classified, some contain sensitive information on serving US military personnel, contractors and their families. This include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records, the FT report stated.

One such major misdirected email contained travel plans for or General James McConville, the chief of staff of the US army, and his delegation, ahead of their Indonesia visit in May. The mail included full list of room numbers, the itinerary of the visit, along detail of location of hotel room keys.