The FBI’s email servers were hacked, and the threat actor used them to send emails claiming that the recipients’ networks had been breached and their data stolen. The campaign was spotted by the spam-tracking non-profit Spamhaus last Saturday.
Researchers at Spamhaus observed two waves of such emails, the first arriving at 5 AM UTC and the second around two hours later. The messages came from an address belonging to the FBI’s Law Enforcement Enterprise Portal (LEEP) and carried the subject “Urgent: Threat actor in systems.” The sending IP address was the FBI’s as well.
The fake emails warned recipients about a sophisticated supply-chain attack attributed to a threat actor named as Vinny Troia, the head of security research for the dark web intelligence companies NightLion and Shadowbyte.
Right email, wrong message
The emails originated from the FBI’s [email protected] address with the IP 188.8.131.52, which resolves to mx-east-ic.fbi.gov. In a tweet posted the same day the emails were discovered, Spamhaus said that these fake emails were sent to over 100,000 recipients whose addresses were scraped from the American Registry for Internet Numbers (ARIN) database.
However, the researchers believe that the campaign was potentially much larger, with 100,000 being a very conservative estimate. The email headers also confirm that the messages did originate from FBI servers: they carry valid DomainKeys Identified Mail (DKIM) signatures, and the Received chain lists the FBI internal servers that processed them.
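The point about DKIM is worth making concrete for anyone triaging a message like this: a passing DKIM signature aligned with the From domain proves the message was signed by that domain's own mail infrastructure, not that its content is true. The following is an added example, not code from the article or from Spamhaus; it parses a constructed header block (the hostnames, IP addresses and Authentication-Results values are assumptions, modelled loosely on the case but using reserved example domains) and reports the DKIM result, the signing domain, whether it aligns with the From address, and the Received hop chain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration only. Hostnames, IPs,
# selector and the Authentication-Results line are assumptions; they are
# not the real message headers from the FBI incident.
SAMPLE_HEADERS = """\
Received: from mx-east-ic.example.invalid ([203.0.113.10])
    by inbound.recipient.invalid with ESMTPS; Sat, 13 Nov 2021 05:02:11 +0000
Received: from leep-notify.example.invalid (10.0.0.5)
    by mx-east-ic.example.invalid; Sat, 13 Nov 2021 05:02:09 +0000
Authentication-Results: inbound.recipient.invalid;
    dkim=pass header.d=example.invalid header.s=sel1;
    spf=pass smtp.mailfrom=example.invalid
DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel1;
    h=from:to:subject:date; bh=<constructed>; b=<constructed>
From: "Portal Notifications" <notify@example.invalid>
To: noc@recipient.invalid
Subject: Urgent: Threat actor in systems

Body text omitted.
"""


def auth_results(msg):
    """Return {method: result} from Authentication-Results, plus the DKIM
    signing domain (header.d) under the key 'signing_domain'."""
    value = msg.get("Authentication-Results", "")
    results = {m: r for m, r in re.findall(r"\b(dkim|spf|dmarc)=(\w+)", value)}
    d = re.search(r"header\.d=([\w.\-]+)", value)
    results["signing_domain"] = d.group(1).lower() if d else None
    return results


def received_chain(msg):
    """Hostnames named in each Received header, earliest hop first.
    Received headers are prepended by each relay, so the header order is
    newest-first and is reversed here."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", value)
        if m:
            hops.append(m.group(1))
    return list(reversed(hops))


def assess(raw):
    """Parse a raw message and summarise what the headers do and do not prove."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dkim = auth.get("dkim")
    aligned = dkim == "pass" and auth["signing_domain"] == from_domain
    if aligned:
        # This is the situation in the FBI case: origin is genuine, the
        # content still has to be verified out of band.
        verdict = ("origin verified: signed by the From domain's own mail "
                   "infrastructure; content remains unverified")
    elif dkim == "pass":
        verdict = "DKIM passes but the signing domain differs from the From domain"
    else:
        verdict = "DKIM not passing: sender identity unverified"
    return {
        "dkim": dkim,
        "signing_domain": auth["signing_domain"],
        "from_domain": from_domain,
        "aligned": aligned,
        "hops": received_chain(msg),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, val in assess(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

The useful output for a responder is the combination: an aligned DKIM pass plus a Received chain that stays inside the sending organisation's hosts says the alert genuinely left that organisation's servers, which is exactly why a misconfigured notification system is so effective for this kind of hoax and why the claim in the body still has to be confirmed through a separate channel.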
The FBI has acknowledged the incident, labelling it an “ongoing situation” and taking the impacted hardware offline. In an update the following day, November 14, the bureau further reported that the threat actor exploited a software misconfiguration in LEEP that allowed them to send the fake emails.
The server that the emails originated from was dedicated to pushing notifications for LEEP and wasn’t a part of the FBI’s corporate email service. The FBI also maintains that there was no unauthorised access or compromise of any data or PII on the network.
However, the purpose of this email campaign seems to be an attempt to discredit Vinny Troia, who is named as the threat actor responsible for the supply-chain attack mentioned in the emails. Troia has had a long-standing feud with members of RaidForums, who often deface websites or perform similar attacks and then blame it on the researcher.
Troia himself hinted at someone named “pompomourin” in a tweet about the incident saying that the individual has attempted to damage his reputation using such attacks previously as well.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.