Hackers enter the FBI email system to send out fake security warnings

Legitimate-looking emails with bizarre cybersecurity warnings from FBI servers got sent to people

Hackers accessed email servers to distribute the spam emails with fake cybersecurity warnings

The urgent warning about cyberattacks got distributed over the weekend. Hackers impersonating the FBI sent out warnings about the breach and data access from the recipients' network.^[1] Email messages warned about sophisticated chain attacks from the advanced threat actor that was identified as Vinny Troia.^[2] The warning references the cybersecurity writer Troia, and a threat group named The Dark Overlord. Vinny Troia has a company, Night Lion Security, that released a thorough investigation on this group back in January.

The incident was disclosed by the Threat intelligence non-profit SpamHaus.^[3] The spam campaign was noticed and discovered that vast amounts of such messages got delivered in two waves. It was believed that tens of thousands of those emails were only a small part of the initial spam campaign.

It is believed that the main goal of this fake cybersecurity warning campaign was not to affect the FBI but to discredit Vinny Troia. Researcher Marcus Hutchins^[4] state:

Vinny Troia wrote a book revealing information about hacking group TheDarkOverlord. Shortly after, someone began erasing ElasticSearch clusters leaving behind his name. Later his Twitter was hacked, then his website. Now a hacked FBI email server is sending this.

Software flaws allowed actors to leverage the LEEP system

The FBI released a statement about the incident saying that the email servers got accessed and the fake cybersecurity warnings got sent from their email addresses, but hackers couldn't access any information on the network. Emails were sent from the legitimate addresses ending with @ic.fbi.gov.

The issue led to agencies' devices up offline once the problem was discovered. Apparently, it was the problem related to software misconfiguration that allowed attackers to access the system. This Law Enforcement Enterprise Portal is used by the FBI to communicate with state or local law enforcement partners. According to the FBI, there was no access to personal information on the agency's network. The flaw was patched, and the integrity of the affected networks was confirmed.

The hacker not only got access to the LEEP but only managed to apply for the account and leaked one-time passwords that get sent to the applicant for registration confirmation. This information can enable threat actors to tamper with the HTTP requests.

Spam emails went to 100 000 people

According to various news reporters,^[5] the spam email message was received by at least 100,000 people. This is the estimate because it is believed that the campaign was much larger than this. This is the first such campaign where the law enforcement agencies get affected like that. Hackers have not aimed to use a legitimate system to send such emails to large groups of people.

These agencies, like the FBI and the Department of Homeland Security, send out warnings and alerts about cyber threats to companies. It is a routine activity. However, hackers made this warning a bizarre technicality-lacking message, not a legitimate-looking alert.^[6]

Hackers did a poor job in this campaign, but it is believed that scamming or exposing companies were not the goals of threat actors. Vinny Troia, who was mentioned in the particular email, was contacted before the spamming took place with a smile “enjoy”. This can be treated as a warning that the researcher should expect something to happen. The discrediting campaign was stopped, and partners of the FBI and companies receiving these emails were contacted.