Hackers Compromise FBI Email Server
On November 13, the Federal Bureau of Investigation (FBI) became aware of a security incident compromising one of their email servers. An unknown perpetrator managed to hijack the server and send out tens of thousands of fake emails. Researchers at the Spamhaus Project, an international nonprofit organization that tracks spam and related cyber threats, detected two waves of spam emails, one shortly before 5 am UTC and another shortly after 7 am UTC. In total, the hackers bombarded at least 100,000 mailboxes. “These fake warning emails are apparently being sent to addresses scraped from ARIN database”, tweeted Spamhaus on Saturday. “They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!” Other, non-ARIN-related emails were also included.
Bizarre Spam Campaign
The hackers were able to send the messages from the legitimate email address eims@ic.fbi.gov. All emails came from the same IP address. Bizarrely, the email itself only contained plain text and no phishing links. The message only warned people about a (fake) cyberattack. In the subject line, they wrote “Urgent: Threat actor in systems”. “Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however, there is a huge chance he will modify his attack with fastflux technologies”, read the strange message. The hackers then went on to falsely accuse security expert and keynote speaker Vinny Troia of the attack. They claim Troia is part of TheDarkOverlord extortion gang, also known as TDO. This gang has stolen data from a range of high-profile organizations and usually demands huge ransoms for its return. Group members of TDO feature in Vinny Troia’s non-fiction book “Hunting Cyber Criminals”.
Software Misconfiguration at Fault
In a statement published over the weekend, the FBI confirmed that “a software misconfiguration temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails”. The FBI uses LEEP to communicate with state and local law enforcement partners. The server is operated by the FBI but only pushes notifications for LEEP. It is not part of the FBI’s corporate email service. Moreover, the hackers have not compromised any data on the FBI’s network. “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks”, said the FBI in a statement. “We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov.”