Hackers compromise FBI email server to send fake security alerts


Hackers compromised an online portal run by the U.S. Federal Bureau of Investigation over the weekend and sent thousands of fake email alerts warning of a “sophisticated chain attack”.

The spam emails appear to have come from a legitimate FBI email address ending in @ic.fbi.gov. The email pretended to warn of a “sophisticated chain attack” launched by an advanced persistent threat actor identified as Vinny Troia. In fact, Vinny Troia is a security researcher and the founder of the dark web intelligence firms Night Lion Security and Shadowbyte.

“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security, Cyber Threat Detection and Analysis, Network Analysis Group,” the fake alert reads.

According to the threat intelligence non-profit Spamhaus, which first reported the incident, the attack came in two waves, one at 5:00 AM UTC and another shortly after 7:00 AM UTC. Spamhaus said the hackers sent emails to addresses scraped from the American Registry for Internet Numbers (ARIN) database.

"Other, non-ARIN related harvested emails were included in the spam run" as well, the organization said on Twitter. In a statement to BleepingComputer, Spamhaus said that the fake alerts reached at least 100,000 inboxes, but the number could be much higher, as the researchers believe that “the campaign was potentially much, much larger.”

Kryptos Logic researcher Marcus Hutchins believes that the goal of the attackers appears to be to discredit Troia. "Vinny Troia wrote a book revealing information about hacking group TheDarkOverlord. Shortly after, someone began erasing ElasticSearch clusters leaving behind his name. Later his Twitter was hacked, then his website. Now a hacked FBI email server is sending this," Hutchins said in a tweet.

The FBI has confirmed the incident.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network,” the FBI said in a statement on Sunday, adding that the agency “quickly remediated the software vulnerability” and warned its partners about fake alerts.
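The security-relevant lesson of this incident is that a sender check is not enough: the hoax mails genuinely left an FBI-operated server and carried a real @ic.fbi.gov address, so any filter keyed on the sender domain alone waves them through. The triage script below is an added example written for this page (it is not code from the article, Spamhaus or the FBI) that combines the sender domain with the phrases quoted from the hoax body, and flags a message only when both conditions hold. The sample messages, subjects and Message-IDs are constructed for illustration; the indicators themselves (the ic.fbi.gov domain, "sophisticated chain attack", "Vinny Troia", "TheDarkOverlord", "fastflux", "Network Analysis Group") come from the article.

```python
"""Triage helper: flag messages matching the fake FBI alert campaign.

Added example, not code from the article. Indicators are taken from the
article text: the sender domain ic.fbi.gov and phrases from the hoax body.
The sample messages below are constructed, not real captures.
"""
import email
from email import policy
from email.utils import parseaddr

# Indicators quoted in the article. Phrase matching is case-insensitive.
SENDER_DOMAIN = "ic.fbi.gov"
BODY_PHRASES = (
    "sophisticated chain attack",
    "vinny troia",
    "thedarkoverlord",
    "fastflux",
    "network analysis group",
)
# Require at least this many phrase hits so that a genuine notification
# that happens to mention one of these terms does not trip the rule.
MIN_PHRASE_HITS = 2


def parse(raw):
    """Parse one raw RFC 5322 message into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg):
    """Return the lower-cased domain of the From: header, or '' if absent."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Return the first text/plain body part as a string ('' if none)."""
    part = msg.get_body(preferencelist=("plain",))
    return "" if part is None else part.get_content()


def score_message(msg):
    """Return (from_fbi_domain, matched_phrases) for one parsed message."""
    from_fbi = sender_domain(msg) == SENDER_DOMAIN
    text = body_text(msg).lower()
    hits = [p for p in BODY_PHRASES if p in text]
    return from_fbi, hits


def is_hoax_alert(msg):
    """Flag a message only when it claims an FBI sender AND carries enough
    campaign phrases. The sender domain alone is deliberately insufficient:
    the article notes the mails really did leave an FBI-operated server."""
    from_fbi, hits = score_message(msg)
    return from_fbi and len(hits) >= MIN_PHRASE_HITS


def triage(raw_messages):
    """Parse raw messages and return the Message-IDs of the flagged ones."""
    flagged = []
    for raw in raw_messages:
        msg = parse(raw)
        if is_hoax_alert(msg):
            flagged.append(str(msg.get("Message-ID", "<no-id>")))
    return flagged


# Constructed sample messages (hypothetical addresses and Message-IDs).
SAMPLE_MESSAGES = [
    # Hoax-like: FBI domain plus several campaign phrases -> flagged.
    "From: eims@ic.fbi.gov\n"
    "To: abuse@example.net\n"
    "Subject: Security alert\n"
    "Message-ID: <hoax-1@example.net>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Our intelligence monitoring indicates exfiltration of several of your\n"
    "virtualized clusters in a sophisticated chain attack. We identified the\n"
    "threat actor to be Vinny Troia, affiliated with TheDarkOverlord.\n",
    # Same domain, ordinary notification text -> not flagged.
    "From: eims@ic.fbi.gov\n"
    "To: abuse@example.net\n"
    "Subject: Account notification\n"
    "Message-ID: <notice-1@example.net>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Your account request has been received.\n",
    # Campaign phrases but a non-FBI sender -> not flagged by this rule.
    "From: alerts@example.org\n"
    "To: abuse@example.net\n"
    "Subject: Forwarded warning\n"
    "Message-ID: <fwd-1@example.net>\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "FYI: sophisticated chain attack by Vinny Troia, see attached.\n",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGES))  # ['<hoax-1@example.net>']
```

Run it as a script or feed `triage()` the raw messages pulled from a mailbox; only the first sample is returned, because the second lacks the campaign text and the third lacks the FBI sender. In a real deployment the phrase list would live in a signature feed rather than in the code, and a hit should be treated as a reason to quarantine and review rather than as proof, since the same wording also appears in legitimate forwards and discussion of the incident.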
