Tens of thousands of people received fake email alerts on Friday and Saturday purporting to come from the Federal Bureau of Investigation after hackers compromised an FBI-run online portal.
Hackers used a “software misconfiguration” to temporarily gain access to the Law Enforcement Enterprise Portal (LEEP) and send out an email blast from what appeared to be a legitimate FBI email address ending in @ic.fbi.gov, the FBI said in a press release. LEEP acts as a gateway for state and local law enforcement authorities to share intel and access resources as part of their investigations.
Once it identified the threat, the FBI took the impacted hardware offline, and the vulnerability was “quickly remediated,” according to the press release. Based on its investigation so far, it doesn’t appear that the hackers were able to access FBI files.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the FBI said in an updated statement on Sunday. “No actor was able to access or compromise any data or PII [personally identifiable information] on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
The phony messages warned recipients that they were at risk of a “sophisticated chain attack,” according to screenshots shared on Twitter by The Spamhaus Project, a nonprofit that tracks spam and other cyber threats. The emails name real-life cybersecurity expert Vinny Troia as the perpetrator behind the fake attacks and falsely claim that he is associated with the hacking group The Dark Overlord, the same bad actors that infamously leaked the fifth season of Orange Is the New Black. Troia’s company Night Lion Security, an IT security consulting firm known for investigating the dark web and other cybercrime marketplaces, published an investigative report about The Dark Overlord in January.
According to The Spamhaus Project’s research, the hackers pushed out email alerts to addresses scraped from the American Registry for Internet Numbers (ARIN) database. “Other, non-ARIN related harvested emails were included in the spam run” as well, the organization tweeted Saturday. In a statement to the Bleeping Computer, it said that the fake emails reached at least 100,000 inboxes, but that is likely a conservative estimate. Researchers believe “the campaign was potentially much, much larger,” The Spamhaus Project told the outlet.
Troia speculated on Twitter that an individual with the handle “@Pompompur_in” may be behind the hack. Speaking with the Bleeping Computer, he said this person has tried to defame him using similar tactics before. Most recently, they hacked into the website for the National Center for Missing and Exploited Children to publish a post accusing him of being a pedophile, he told the outlet.
Troia went on to say that Pompompurin messages him whenever they launch a new smear campaign. To wit, he tweeted a screenshot of a DM the user sent late Friday evening that simply reads “enjoy.” The next day, right around the same time news of the attack on the FBI’s portal began to spread, they messaged again to ask “did you enjoy” before expressing disgust that Troia had gained followers in the wake of the incident.
A report from security reporter Brian Krebs also pointed to Pompompurin as the likely culprit. According to Krebs, the individual sent him the following message from an FBI email address when the campaign began: “Hi its pompompurin. Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”
In a statement to Krebs on Security, Pompompurin later said the hack was intended to shine a light on glaring vulnerabilities in the FBI’s email systems. To push out emails from a legitimate FBI email address, they said they leveraged insecure code in the LEEP portal to hijack an email confirmation with a one-time passcode that gets sent out when you try to apply for an account, which, before this attack, anyone could do just by visiting the website.
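A one-time-passcode confirmation flow only stays safe if the server, not the request, decides what the notification says. The following Python class is an added example (not code from the article, the FBI or the LEEP portal) of a hardened confirmation mailer: it assumes a sign-up endpoint that emails a one-time code, accepts nothing from the request except the recipient address, keeps subject and body as fixed server-side templates, rate-limits repeat requests per address, and expires codes. The class name, field names, template text and limits are all constructed for this illustration; how the real LEEP code failed is not detailed on this page.

```python
"""Hardened account-confirmation mailer (added illustration, assumptions labelled).

Assumed pattern, not detail from the article: a sign-up endpoint that emails a
one-time passcode. Every field of the outgoing message except the recipient is
fixed on the server so the mailer cannot be turned into a relay for arbitrary text.
"""
import re
import secrets
import time
from dataclasses import dataclass

# Deliberately simple address check; \s excludes header-injection characters.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Server-owned message content. Request data never reaches these strings.
SUBJECT = "Your account confirmation code"
BODY_TEMPLATE = (
    "Your one-time confirmation code is {otp}.\n"
    "If you did not request an account, ignore this message."
)
OTP_DIGITS = 6
MAX_SENDS_PER_WINDOW = 3   # constructed limit
WINDOW_SECONDS = 600       # constructed code lifetime and rate-limit window


@dataclass(frozen=True)
class OutboundMail:
    recipient: str
    subject: str
    body: str


class RequestRejected(ValueError):
    """Raised when a sign-up request cannot be turned into a confirmation mail."""


class ConfirmationMailer:
    # The only field a sign-up request may carry. Extra fields (subject, body,
    # from, cc, ...) are treated as tampering and rejected, never silently ignored.
    ALLOWED_FIELDS = frozenset({"email"})

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable for testing expiry and rate limits
        self._sends = {}         # recipient -> timestamps of recent sends
        self._codes = {}         # recipient -> (otp, issued_at)

    def build(self, request_fields: dict) -> OutboundMail:
        """Turn a sign-up request into the one message the server is willing to send."""
        extra = set(request_fields) - self.ALLOWED_FIELDS
        if extra:
            raise RequestRejected(f"unexpected fields: {sorted(extra)}")
        recipient = str(request_fields.get("email", ""))
        if not EMAIL_RE.fullmatch(recipient):
            raise RequestRejected("invalid recipient")
        self._enforce_rate_limit(recipient)
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._codes[recipient] = (otp, self._clock())
        # Subject and body come from constants; only the OTP is interpolated.
        return OutboundMail(recipient, SUBJECT, BODY_TEMPLATE.format(otp=otp))

    def verify(self, recipient: str, otp: str) -> bool:
        """Constant-time check of a submitted code against the unexpired issued one."""
        issued = self._codes.get(recipient)
        if issued is None:
            return False
        code, issued_at = issued
        if self._clock() - issued_at > WINDOW_SECONDS:
            return False
        return secrets.compare_digest(code, otp)

    def _enforce_rate_limit(self, recipient: str) -> None:
        now = self._clock()
        recent = [t for t in self._sends.get(recipient, []) if now - t < WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            raise RequestRejected("too many confirmation requests for this address")
        recent.append(now)
        self._sends[recipient] = recent


if __name__ == "__main__":
    mailer = ConfirmationMailer()
    print(mailer.build({"email": "user@example.com"}))          # fixed subject and body
    try:
        mailer.build({"email": "user@example.com", "body": "URGENT: you are under attack"})
    except RequestRejected as exc:
        print("rejected:", exc)                                   # request cannot set content
```

The design point is the allow-list on request fields: a mailer that merges whatever the client posts into the message, or that lets a client-supplied field pick the template, hands the sender's reputation to anyone who can reach the sign-up page. Rejecting unknown fields (rather than dropping them) also gives the defender a log signal when someone is probing the endpoint.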
This incident is the latest in a series of high-profile breaches of U.S. government networks in recent months. In May, President Joe Biden signed an executive order aimed at improving the nation’s cyber defenses in the wake of devastating cyberattacks, such as the sweeping SolarWinds hack and the ransomware campaign that crippled the Colonial Pipeline.