FBI email server hacked to send fake cyber attack alerts

An attacker exploited the system misconfiguration to send legitimate-looking cyber security alerts to partners

The Federal Bureau of Investigation (FBI) confirmed on Saturday that a hacker exploited its systems to send fake emails to law enforcement partners alerting them to a supposed cyber attack.

The hacker exploited a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) web app to send legitimate-looking alerts to partners warning them that they had suffered a cyber attack and that a threat actor was currently in their system.

Emails were sent to partners from an official FBI email account with an @ic.fbi.gov domain, the headers of which also appeared to be legitimate after being sanitised. 

The hacker falsely informed recipients they had fallen victim to a "sophisticated chain attack" attributed to Vinny Troia, a reputable security researcher and oft subject of memes in the cyber security industry.

Troia rejected his involvement in the attack shortly after its discovery.

The FBI confirmed the threat actor was unable to access or compromise any sensitive data held by the FBI, and said the server used to send the false emails was used only to push notifications for LEEP rather than being connected to the FBI's corporate email service.

"The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails," it said on Saturday. "LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.

"While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks."

Researchers at Spamhaus drew attention to the early reports of fake emails on Saturday, saying the recipients were chosen indiscriminately and email addresses were scraped from an ARIN database.

ARIN is a regional internet registry responsible for the management and distribution of internet number resources such as internet protocol (IP) addresses and autonomous system numbers (ASNs).

The email sent to recipients appeared as follows:

A screenshot of the fake alert email sent to recipients via FBI hacker

Spamhaus

Spamhaus said its telemetry indicated two 'waves' of spam emails being sent, one just before 05:00 on Saturday and then another shortly after 07:00.

Security researchers reported having contacted the FBI at the time of the incident said the staff were "slammed" with calls from alarmed recipients trying to verify if the correspondence was legitimate or not.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

A hacker known by the alias Pompompurin claimed responsibility for the attack in an interview with security researcher Brian Krebs. They said they wanted to draw attention to the security vulnerability in the LEEP web app.

Pompompurin said LEEP allowed anyone to apply for an account, despite it being reserved only for law enforcement partners of the FBI. Account authentication was also run through a one-time passcode emailed to the applicant - a code which the FBI's website leaked in the HTML code of its web page.

When users requested a confirmation code, they were sent a POST request which included parameters for the email subject and body content. Pompompurin replaced the parameters with his own email subject and body to automate thousands of email sends.

Experts have suggested that the level access Popompurin was able to achieve was worrying and that a wider attack campaign could have bene launched to compromise law enforcement partners across the US.

"The hack could have enabled an attacker to disperse a phishing email campaign to all the FBI’s state and local law enforcement partners - one that was designed to compromise US-wide law enforcement," said Alan Calder, CEO at GRC International Group.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

24 Nov 2021