FBI’s official email server hacked and used to send fake threatening letters: breach route unknown

news

On Saturday, November 13, 2021, it was discovered that hackers had broken into the FBI’s official email server.

https://www.fbi.gov/news/pressrel/press-releases/fbi-statement-on-incident-involving-fake-emails

The FBI and CISA are aware of the facts regarding the forged email sent from the @ic.fbi.gov email account this morning. This is an ongoing situation and we are unable to provide any additional information at this time.

The affected hardware was taken offline immediately after the discovery of the problem.

We continue to urge the public to be on the lookout for unknown senders and to report suspicious activity to ic3.gov or cisa.gov.

The hijacked server was used to send spam emails warning recipients that someone was trying to steal data from their organization.

An unidentified group of hackers compromised one of the FBI’s email servers and sent out a large number of spam emails containing warnings about a (fake) cyber attack that allegedly occurred.

The email server used by the FBI for its public ticketing and alerting system was reportedly affected.

The FBI office was flooded with calls and emails from concerned organizations asking for additional information about the possible attack.

This email was clearly a fake threat alert, but it caused panic among some recipients because it passed SPF and DKIM checks. That meant it had genuinely been sent from an FBI server, so it got through spam filters.

But in addition to a number of spelling mistakes that an organization like the FBI would never make in the body of a security alert, the message was an attempt to frame Vinny Troia, the founder of NightLion Security, for an “advanced chain of attacks”.

It seems that the hackers were trying to fool recipients into thinking that the FBI had discovered a Trojan trying to steal data from their network.
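The SPF/DKIM point above, as an added example that is not part of the original article: a small Python parser for the Authentication-Results header a receiving mail server adds, showing that a message relayed through the sender's genuine server is authenticated exactly like legitimate mail, while a spoof sent from elsewhere fails. The header values, the "alerts" local part and the mx.example.net host are constructed; only the ic.fbi.gov domain comes from the FBI statement.

```python
# Constructed Authentication-Results headers; ic.fbi.gov is the domain named
# in the FBI statement, the local part "alerts" and the receiving host
# mx.example.net are placeholders.
ABUSED_REAL_SERVER = (
    "mx.example.net; spf=pass smtp.mailfrom=alerts@ic.fbi.gov;"
    " dkim=pass header.d=ic.fbi.gov header.i=@ic.fbi.gov"
)
SPOOFED_ELSEWHERE = (
    "mx.example.net; spf=fail smtp.mailfrom=alerts@ic.fbi.gov; dkim=none"
)

def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 Authentication-Results value into
    {method: {"result": ..., "<ptype.property>": ...}}; authserv-id dropped."""
    _, _, body = header.partition(";")
    results = {}
    for clause in body.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        results[method] = {"result": result, **props}
    return results

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def authenticated_origin(header: str, from_domain: str):
    """Return from_domain when a passing SPF or DKIM result is aligned with the
    RFC 5322 From domain (the DMARC alignment idea), otherwise None."""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    if spf.get("result") == "pass" and domain_of(spf.get("smtp.mailfrom", "")) == from_domain:
        return from_domain
    if dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_domain:
        return from_domain
    return None

def triage(header: str, from_domain: str) -> str:
    """A pass proves which infrastructure sent the mail, not that the content is
    genuine: mail relayed through the real sender's server passes exactly like
    legitimate mail, so it still needs content and context review."""
    origin = authenticated_origin(header, from_domain)
    if origin is None:
        return "spoofed-or-unauthenticated"
    return f"authenticated-from:{origin}"
```

Both constructed headers claim the same From domain; only the message that really left the sender's infrastructure gets an "authenticated" verdict, which is exactly why the fake alert sailed through filters.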

The fake message is as follows:

Our intelligence monitoring has revealed that multiple virtualization clusters have been compromised by an advanced chain attack. We have attempted to blackhole the transit node used by this advanced persistent threat actor, but we believe it is very likely that he will modify his attack using fast-flux techniques that proxy through multiple global accelerators.

The attacker turned out to be [REDACTED], who is believed to be associated with the extortionist organization TheDarkOverlord. This threat group is currently operating under the scrutiny of the NCCIC. We are relying on intelligence investigations and will not be able to physically interfere within the next four hours, which will be enough time to cause serious damage to your infrastructure.

FBI confirms hack, shuts down servers

The FBI said it is aware of the incident, is investigating, and has shut down the compromised servers to stop the spam.

Since this mail server seems to have been used for some kind of automated mail sending system, it is suggested that the hackers took advantage of some vulnerability in the software running on the server to send these messages, but this is only a hypothesis based on the information currently available.

In terms of the scale of this attack, the attackers appear to have used a database of public email addresses to send spam emails.

One possible source would be the ARIN (American Registry for Internet Numbers) database, which holds email addresses used to register web domains across North America. This database can easily be scraped and compiled by any threat group, but there are indications that other sources were used as well.
