Over the weekend, a hacker infiltrated the Federal Bureau of Investigation's email server and more than 100,000 spam emails were sent from an official FBI email address: firstname.lastname@example.org.
Oddly enough, the fake email's subject line read "Urgent: Threat actor in systems."
The content of the phony email, however, reads like the plotline of a hacking film script, one in which Nicolas Cage is rumored to have the starring role.
Further investigation of the technical details suggests that a vulnerability in the FBI's Law Enforcement Enterprise Portal (LEEP) may have given the hacker an opening to send the emails about a hoax cyberattack.
Hacker sends out spam messages from FBI email address
The Spamhaus Project, an international organization that raises awareness of spam emails, shared a tweet that included an image of the phony email.
The email contains grammatical errors and signs off from the U.S. Department of Homeland Security's Network Analysis Group without giving any contact details. It suggests that Vinny Troia, a well-known cybersecurity evangelist and white hat hacker for Night Lion Security, is responsible for a dangerous cyberattack that could threaten the recipient's networks.
Here is a transcript of the email:
"Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attacks with fastflux technologies, which he proxies trough multiple global accelerators.
We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDark0verLord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe."
The domain from which the email was sent appears to be connected to the FBI's Criminal Justice Information Systems (CJIS).
An article by Krebs on Security explores the technical details of the incident, and its sources surmise the attack was carried out to expose this glaring vulnerability in the FBI's website.
"Needless to say, this [vulnerability] is a horrible thing to be seeing on any website. I've seen it a few times before, but never on a government website, let alone one managed by the FBI," Pompompurin, the alleged hacker, said.
One Twitter user mused about the possibility of this incident being one big "gotcha" moment for the FBI.
"Hacking an FBI app or server and sending out prank emails as the Bureau... Like calling prison and making reservations." (Brian in Pittsburgh, @arekfurt, November 14, 2021)
According to U.S. law, hackers who are convicted of committing fraud or breaking into a network without authorization could face prison time, be ordered to pay fines, or some combination of the two.
Further, the email was sent out in the wee hours of the morning, which could have been troubling for on-call security staff, as Kevin Beaumont, Head of Security Operations Centre for Arcadia Group, suggested.
"If anybody is wondering how companies managed to think the email was real, it went out in the early hours of the morning. Your CISO and leadership team aren't online. Incident response kicks in, RIP those on call getting the call about FBI attack notification at 2am." (Kevin Beaumont, @GossiTheDog, November 13, 2021)
Vinny Troia blogs about alleged culprit
In a truly bizarre twist, the alleged hacker Pompompurin has been trolling Troia online, leading many to believe the hacking incident was a personal attack.
On Nov. 16, Troia wrote a blog for Shadowbyte, which claims the identity of Pompompurin is actually Christopher Meunier, a 22-year-old Canadian hacker known for his work with WhitePacket Security.
Troia claims Meunier is connected to the hacking group Money Team, which operates the data leak website og.money.
"Until now, for reasons unknown to me, the FBI has (apparently) been unable to extradite Meunier. The cyber laws in Canada are very different, and Chris is somehow protected in his perch in Calgary. Perhaps now that the FBI has been victimized and publicly embarrassed by this incident they will have the motivation and urgency to finally take him down," wrote Troia.
It is worth noting much of the language and references used in the Twitter feud and blog are certainly not safe for work.
FBI responds to email hacking incident
In a statement released on Sunday, the FBI said its network was not compromised.
"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.
While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service. No actor was able to access or compromise any data or PII on the FBI's network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."
At this time, an investigation is ongoing.
The SecureWorld News team will continue to provide updates as the story continues to unfold.
UPDATE: This post was updated on Nov. 16 to include details of Vinny Troia's blog, which claims that Pompompurin is Christopher Meunier, a 22-year-old hacker from Canada who operates WhitePacket Security.