Hackers targeted the Federal Bureau of Investigation’s (FBI) email servers, sending out thousands of phony messages that say its recipients have become the victims of a “sophisticated chain attack,” first reported by Bleeping Computer. The emails were initially uncovered by The Spamhaus Project, a nonprofit organization that investigates email spammers.
The emails claim that Vinny Troia was behind the fake attacks and also falsely state that Troia is associated with the infamous hacking group, The Dark Overlord — the same bad actors who leaked the fifth season of Orange Is the New Black. In reality, Troia is a prominent cybersecurity researcher who runs two dark web security companies, NightLion and Shadowbyte.
As noted by Bleeping Computer, the hackers managed to send out emails to over 100,000 addresses, all of which were scraped from the American Registry for Internet Numbers (ARIN) database. A report by Bloomberg says that hackers used the FBI’s public-facing email system, making the emails seem all the more legitimate. Cybersecurity researcher Kevin Beaumont also attests to the email’s legitimate appearance, stating that the headers are authenticated as coming from FBI servers using the Domain Keys Identified Mail (DKIM) process that’s part of the system Gmail uses to stick brand logos on verified corporate emails.
The email was sent from these FBI internal servers, per the headers (which validate with DKIM).
dap00025.str0.eims.cjis – 10.67.35.50
wvadc-dmz-pmo003-fbi.enet.cjis
dap00040.str0.eims.cjis – 10.66.2.72
Before anybody runs off the Russia cliff, I would check webapps.
— Kevin Beaumont (@GossiTheDog) November 13, 2021
The FBI responded to the incident in a press release, noting that it’s an “ongoing situation” and that “the impacted hardware was taken offline.” Aside from that, the FBI says it doesn’t have any more information it can share at this time.
According to Bleeping Computer, the spam campaign was likely carried out as an attempt to defame Troia. In a tweet, Troia speculates that an individual who goes by the name “Pompompurin” may have launched the attack. As Bleeping Computer notes, that same person has allegedly tried damaging Troia’s reputation in similar ways in the past.
A report by computer security reporter Brian Krebs also connects Pompompurin to the incident — the individual allegedly messaged him from an FBI email address when the attacks were launched, stating, “Hi its pompompurin. Check headers of this email it’s actually coming from FBI server.” KrebsOnSecurity even got a chance to speak with Pompompurin, who claims that the hack was meant to highlight the security vulnerabilities within the FBI’s email systems.
“I could’ve 1000 percent used this to send more legit looking emails, trick companies into handing over data etc.,” Pompompurin said in a statement to KrebsOnSecurity. The individual also told the outlet that they exploited a security gap on the FBI’s Law Enforcement Enterprise (LEEP) portal and managed to sign up for an account using a one-time password embedded in the page’s HTML. From there, Pompompurin claims they were able to manipulate the sender’s address and email body, executing the massive spam campaign.
With that kind of access, the attack could’ve been much worse than a false alert that put system administrators on high alert. Earlier this month, President Joe Biden mandated a bug fix that calls for civilian federal agencies to patch any known threats. In May, Biden signed an executive order that aims to improve the nation’s cyber defenses in the wake of detrimental attacks on the Colonial Pipeline and SolarWinds.