The FBI acknowledged the unauthorized access over the weekend revealing that spam emails were sent from the agency’s email server to thousands of organizations.
The Federal Bureau of Investigation (FBI) has categorically denied sending spam emails from its server, which according to reports, hit 100,000 inboxes on late Friday night and early Saturday.
The agency claims that the emails were sent from its email server, but an unauthorized individual sent them. On Saturday, the agency clarified that it was aware that spam emails were sent from a legit FBI email server to thousands of organizations.
About the Spam Emails
According to the analysis of researcher Alex Grosjean from the Europe-based non-profit Spamhaus Project, which examines digital threats, the emails having the subject line “Urgent: Threat actor in systems” started coming from an authentic FBI email server. These messages were sent to at least 100,000 inboxes.
We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
— Spamhaus (@spamhaus) November 13, 2021
Hackread.com reviewed one of these spam emails supposedly sent from the FBI and identified that it was a warning message from the Department of Homeland Security informing the recipient that they were the target of a ‘sophisticated’ attack. However, no such warning was sent by the department or the DHS Cybersecurity and Infrastructure Security Agency (CISA).
Brian Krebs of Krebs On Security received an independent letter from the hacker and in his report, Krebs noted that the spam messages were sent by “abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities.”
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators.
We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group.
The agency released an official statement to address the confusion and categorically denied sending any fake emails, and they have already taken the impacted hardware offline. The official statement read:
“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or Cisa.gov.”
The FBI further noted that as soon as they identified the incident, they quickly ‘remediated the software vulnerability,’ along with warning partners to ignore the spam emails and ensured the ‘integrity of their networks.
What Was the Issue?
On Sunday, the FBI explained that someone took advantage of the software misconfiguration and sent emails to so many IDs. The attackers possibly used an IT system that the agency uses to communicate with local and federal law enforcement partners.
However, the agency confirmed that the incident didn’t impact its main computer network, adding that the attacker’s motives are yet unknown. The email messages were incoherent warnings in which references were made to Night Lion Security’s cybersecurity writer Vinny Troia and a cybercriminal gang called The Dark Overlord.
Furthermore, the FBI noted that the hacker had signed off as the DHS’s Cyber Threat Detection Analysis Group, which ceased to exist two years ago. According to Marcus Hutchins from Kryptos Logic, the motive seems to be discrediting Troia who wrote a book about the notorious hacking group.