The FBI reported that threat actors took over an FBI email system to send thousands of false messages about a “sophisticated chain attack.”
Threat intelligence non-profit SpamHaus was the first to release information about the attack. It entailed sending false warning emails with the subject line “Urgent: Threat actor in systems”. The messages came from a legitimate FBI email address, “email@example.com[.]gov”, and blamed the attack on Vinny Troia, a security researcher and founder of the dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming he was affiliated with a hacking outfit named TheDarkOverlord.
SpamHaus relied on its telemetry data to map the timing of the attacks, which happened in two waves: one just before 5:00 a.m. UTC and another just after 7:00 a.m. UTC.
However, according to Kryptos Logic researcher Marcus Hutchins, the goal appears to be to discredit Troia. “Vinny Troia wrote a book revealing information about hacking group TheDarkOverlord. Shortly after, someone began erasing ElasticSearch clusters leaving behind his name. Later his Twitter was hacked, then his website. Now a hacked FBI email system is sending this,” Hutchins tweeted.
A hacker group identified online as Pompompurin said the attack was possible because of a flaw in the FBI’s Law Enforcement Enterprise Portal (LEEP). The flaw had two parts:
- Anyone could apply for an account
- The one-time passcode (OTP) sent to the applicant as part of account registration was leaked
Together these allowed the attackers to intercept and tamper with the HTTP requests of the registration flow, replacing the original notification message with their own false one.
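To make the two defects described above concrete, here is an added, hypothetical Python sketch (not LEEP's code; every class, field and name in it is assumed): a registration handler that echoes the OTP to the client and builds the notification email from client-controlled request fields, beside a hardened handler that keeps the OTP server-side, sends only a fixed template and checks submitted codes in constant time. The open-registration part of the flaw is outside this snippet.

```python
# Added illustration, not the portal's real code. Names and structure are assumptions.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Stand-in for the mailer: records what the portal would have sent."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


class LeakyRegistration:
    """Reproduces the defect pattern: OTP in the response, mail text from the request."""

    def __init__(self, outbox):
        self.outbox = outbox

    def register(self, request):
        otp = secrets.token_hex(3)
        # Defect 1: whatever subject/body the client sends is rendered verbatim,
        # so a tampered request becomes an arbitrary mail from the portal's sender.
        subject = request.get("subject", "Your registration code")
        body = request.get("body", f"Your code is {otp}")
        self.outbox.send(request["email"], subject, body)
        # Defect 2: the passcode is returned in the HTTP response, so the
        # out-of-band email channel no longer proves anything.
        return {"status": "pending", "otp": otp}


class HardenedRegistration:
    """Fixed template, OTP never leaves the server, constant-time confirmation."""
    TEMPLATE_SUBJECT = "Your registration code"

    def __init__(self, outbox):
        self.outbox = outbox
        self._pending = {}  # email -> otp, server-side only

    def register(self, request):
        otp = secrets.token_hex(3)
        self._pending[request["email"]] = otp
        # Extra request fields are ignored; only the server template is mailed.
        self.outbox.send(request["email"], self.TEMPLATE_SUBJECT, f"Your code is {otp}")
        return {"status": "pending"}

    def confirm(self, email, otp):
        expected = self._pending.get(email)
        return expected is not None and hmac.compare_digest(expected, otp)
```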
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” the agency said in a statement. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”
“Should I be flattered that the kids who hacked the FBI email servers decided to do it in my name?” Troia later tweeted, while also hinting at Pompompurin being the mastermind of the smear campaign. Earlier in the day, those in charge of the Pompompurin Twitter account said: “I am not involved in any illegal activities. Please note that this account is also operated by [Vinny Troia].”