Hacker compromises FBI email and spams thousands

The email warned of a fake cyber campaign and pinned the blame on a specific security researcher

A hacker compromised an FBI email system on Saturday, sending spam emails to more than 100,000 people with a fake warning of a cyber attack.

The Spamhaus Project, a spam-tracking nonprofit, first spotted the mini campaign. The organization observed two waves of messages on Saturday, one at 5am GMT and the second about two hours later.

The emails claimed that Vinny Troia – a prominent cyber security researcher – was behind the (non-existent) cyber attack. They further stated that Troia was associated with the hacking group The Dark Overlord, which leaked the fifth season of Orange Is the New Black.

Troia runs two dark web security firms, Shadowbyte and NightLion. NightLion published research on The Dark Overlord in January.

Spamhaus told BleepingComputer that the hacker scraped all of the email addresses used in the campaign from the American Registry for Internet Numbers (ARIN) database.

In an interview with KrebsOnSecurity, an individual who claimed responsibility for the hoax said the spam mails were sent by abusing insecure code in an FBI online portal. They said they performed the hack to highlight the glaring vulnerability in the FBI’s system.

“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc,” the person said.

“And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”

The FBI has said it is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails.

The FBI uses the LEEP system to communicate with state and local officials.

The fake emails originated from an FBI-operated server, which was ‘dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,’ the agency stated. The agency added that it took the affected hardware offline upon discovery of the issue.

‘Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.’

No data or personally identifiable information was compromised or accessed, the agency said.

The FBI routinely alerts American organisations to emerging cyber threats, or to malicious actors it learns are trying to exploit previously unknown security vulnerabilities to target the public or private sector.

The hack is thought to be the first known case of a hacker gaining access to one of the FBI’s systems to send spam mail, but it is far from the first attack targeting the agency.

In 2019, it emerged that Russian intelligence services had compromised outdated radio systems the FBI used to track agents on US soil.

The hack reportedly started in around 2011, with US intelligence becoming aware of it in 2012.

But it wasn’t until the last days of the Obama administration that officials finally acted, swooping on two sprawling compounds where the Russian operation was being masterminded and expelling 36 Russian diplomats.

At the time, the administration claimed that the expulsions were in response to alleged Russian interference in the 2016 presidential elections.