Last week thousands of emails began streaming in from the eims@ic.fbi.gov address, warning of fake cyber attacks and investigations. The messages contained a warning about a possible cyberattack and were sent to addresses taken from the American Registry for Internet Numbers (ARIN) database. The spam mails were sent by abusing insecure code in an FBI website designed to share information with state and local law enforcement officials, according to an interview with the person who claimed responsibility for the scam.
The fake emails were sent using the Law Enforcement Enterprise Portal system, which is used to connect with state and local officials, rather than the FBI's larger corporate email server, according to the FBI. According to Berglas, who is now the global head of professional services at the cybersecurity firm BlueVoyant, the compromised system was an unclassified server used by FBI personnel to communicate outside of the organization, and the hackers did not appear to have gained access to internal databases containing state secrets or classified information.
The incident, which was first reported by the threat intelligence non-profit Spamhaus, involved sending rogue warning emails with the subject line "Urgent: Threat actor in systems" from the legitimate FBI email address "eims@ic.fbi.gov". The messages blamed the attack on Vinny Troia, a hacking forensic investigator and founder of the dark web intelligence firms Night Lion Security and ShadowByte, and claimed he was affiliated with a hacking group called TheDarkOverlord. In 2017, that group allegedly stole student records from numerous states in the United States, as well as a season of a Netflix series. Last year, a British man was sentenced to five years in prison for his involvement in the hacking organization.
These fake mails appeared to have been sent from an actual FBI address, according to the FBI. The sign-off on these emails, which purportedly came from the Department of Homeland Security, was one of the telltale signs that they were fake: the FBI is a branch of the Department of Justice, not of Homeland Security. The fraudulent emails were sent from an FBI-operated server that is typically used to send alerts to the Law Enforcement Enterprise Portal (LEEP), the platform through which the FBI collaborates with local and state agencies. The affected hardware was, according to the FBI, "taken offline shortly upon discovery of the issue," and the software vulnerability that allowed the attack to take place has since been repaired. During the event, the bad actors did not have access to any data or personal information, according to the FBI.
Although the identity of the hacker has not been proven, Troia, who was wrongfully accused in the incident, has speculated that someone going by the name Pompompurin may be responsible. Even though internet scammers frequently send fake emails posing as official sources, it is extremely rare for a hacker to gain access to a government server, and experts believe the incident underlines the weaknesses of email communications.
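Because the hoax messages really did leave an FBI-operated server from a real fbi.gov address, domain-level authentication (SPF or DKIM) would have passed, so they cannot be caught by "is this sender spoofed?" checks alone. What did give them away, as the article notes, is the content: a Department of Homeland Security sign-off on mail from an FBI domain, and the unusual subject line. The following is an added example, not code from the article or from the FBI or LEEP, that applies exactly those content-level checks to constructed sample messages; the sender-domain-to-agency table, the agency list and the sample bodies are all assumptions made for illustration.

```python
"""Content-level checks for hoax alerts sent through a legitimate server.

Added example (not from the article or the FBI). The two raw messages below
are constructed samples; the EXPECTED_AGENCIES table is a hypothetical
mapping of sender domain -> agency names a genuine message would cite.
"""
import email
import email.utils
from email import policy

# Hypothetical mapping (assumption): agencies a genuine fbi.gov mail may name.
EXPECTED_AGENCIES = {
    "fbi.gov": {"Federal Bureau of Investigation", "FBI", "Department of Justice"},
}

# Agency names the sign-off check searches for in the body (assumed list).
KNOWN_AGENCIES = {
    "Department of Homeland Security",
    "Department of Justice",
    "Federal Bureau of Investigation",
    "FBI",
}

# Subject line the article reports for the hoax wave, normalised for comparison.
HOAX_SUBJECT = "urgent: threat actor in systems"

# Constructed sample: genuine origin (SPF passes) but a DHS sign-off.
HOAX_RAW = """\
From: eims@ic.fbi.gov
To: abuse@example.net
Subject: Urgent: Threat actor in systems
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ic.fbi.gov

Our monitoring indicates suspicious activity on your network.
Please review the attached indicators immediately.

Stay safe,
U.S. Department of Homeland Security
Cyber Threat Detection and Analysis
"""

# Constructed sample of what a consistent message from the same domain looks like.
GENUINE_RAW = """\
From: eims@ic.fbi.gov
To: abuse@example.net
Subject: Routine: quarterly bulletin
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ic.fbi.gov

Please find this quarter's bulletin attached.

Federal Bureau of Investigation
Field Office Liaison
"""


def parse(raw: str):
    """Parse a raw RFC 5322 message with the modern email policy."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    """Return the last two labels of the From address domain (e.g. 'fbi.gov')."""
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    labels = addr.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:])


def spf_passed(msg) -> bool:
    """True if the receiving MTA recorded an SPF pass in Authentication-Results."""
    return "spf=pass" in str(msg.get("Authentication-Results", "")).lower()


def body_text(msg) -> str:
    """Extract the plain-text body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def agencies_in(text: str) -> set:
    """Set of known agency names mentioned anywhere in the text (case-insensitive)."""
    lowered = text.lower()
    return {name for name in KNOWN_AGENCIES if name.lower() in lowered}


def assess(raw: str) -> dict:
    """Flag a message whose body names an agency inconsistent with its sender
    domain, or whose subject matches the reported hoax subject."""
    msg = parse(raw)
    domain = sender_domain(msg)
    mentioned = agencies_in(body_text(msg))
    expected = EXPECTED_AGENCIES.get(domain, set())
    # Only judge mismatches for domains we have a mapping for.
    mismatched = mentioned - expected if expected else set()
    hoax_subject = str(msg.get("Subject", "")).strip().lower() == HOAX_SUBJECT
    return {
        "sender_domain": domain,
        "spf_pass": spf_passed(msg),
        "mismatched_agencies": mismatched,
        "hoax_subject": hoax_subject,
        "flagged": bool(mismatched) or hoax_subject,
    }


if __name__ == "__main__":
    for label, raw in (("hoax", HOAX_RAW), ("genuine", GENUINE_RAW)):
        print(label, assess(raw))
```

Both samples pass SPF, which is the point: authentication answers "did this come from the domain it claims?", and here the honest answer was yes. The hoax sample is still flagged because its sign-off names an agency the mapping does not expect from fbi.gov, and because its subject matches the reported one; the consistent sample is not.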
As part of a global espionage campaign last year, Russian government hackers broke into the Treasury and Commerce departments, as well as other U.S. government agencies, while Chinese government hackers are suspected of having compromised dozens of U.S. government institutions. "It could have been a lot worse," Berglas added. "When you have ownership of a trusted dot-gov account like that, you can weaponize it and use it for pretty nefarious purposes. The FBI probably dodged a bullet."
For more information visit us on: www.nexixsecuritylabs.com