The Federal Bureau of Investigation (FBI) of the United States on Saturday acknowledged that its external email system was compromised by hackers who sent out spam emails from a legitimate FBI email address to thousands of organizations warning of an impending cyberattack.
Reported first by Bleeping Computer, the fake email pretended to warn the victims of a “sophisticated chain attack” from an advanced threat actor known as Vinny Troia, who is the head of security research of the dark web intelligence companies NightLion and Shadowbyte.
“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account. This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to ic3.gov or cisa.gov,” the FBI said in a statement on Saturday.
According to the Spamhaus Project, an Europe-based non-profit intelligence organisation that tracks digital threats, said that the emails were likely sent to over 100,000 email addresses in two waves early on Saturday morning.
The cybersecurity warnings came from a legitimate email address – [email protected] – which is from FBI’s Law Enforcement Enterprise Portal (LEEP), and carried the subject “Urgent: Threat actor in systems” that ended with a sign-off from the Department of Homeland Security (DHS).
All emails were sent out from FBI’s IP address 18.104.22.168 (mx-east-ic.fbi.gov) to email addresses scraped from a database for the American Registry for Internet Numbers (ARIN), Spamhaus told Bleeping Computer.
The FBI on Sunday said that no actor was able to access or compromise any data or impact its main computer network.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks,” the FBI said in an updated statement on Sunday.
Alex Grosjean, senior threat analyst at Spamhaus, told CNN that whoever performed the scam did not attach any malicious link to the email, which means it was likely a prank meant to scare the recipients.
However, there is no doubt that the emails came from FBI-operated infrastructure as the headers of the message showed that its source was validated via the DomainKeys Identified Mail (DKIM) system that is used to prevent fake messages.
“These fake warning emails are apparently being sent to addresses scraped from ARIN database. They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!,” Spamhaus tweeted.
It is unclear how the emails were sent to over 100,000 email addresses.