The FBI is usually a key source that tries to help people combat cyberattacks and security threats. But in an unusual twist, the law enforcement agency has found itself the victim of an exploit.
On Saturday, spam tracker Spamhaus tweeted that it had learned of “scary” emails being sent purportedly from the FBI and Department of Homeland Security (DHS). One such email warned the recipient that they were hit by a sophisticated chain attack, potentially causing severe damage to their infrastructure. Though the emails were sent from a portal owned by the FBI and DHS, Spamhaus said that the messages themselves were fake.
Based on an investigation by Spamhaus, the phony warning emails were sent to addresses taken from the database of the American Registry for Internet Numbers (ARIN), a nonprofit organization that manages IP addresses and resources. Spamhaus said that the emails were causing a lot of disruption because the message headers were real, meaning they came from the FBI’s own infrastructure, though they had no names or contact details.
In its own message released on Saturday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said they were aware of the incident with fake emails sent from an ic.fbi.gov email address and reported that the affected hardware had been taken offline.
In a follow-up message sent out on Sunday, the agency said that a software misconfiguration temporarily let someone access the Law Enforcement Enterprise Portal (LEEP) to send phony emails. The FBI uses the LEEP site to communicate with state and local law enforcement officials.
“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the agency said. “No actor was able to access or compromise any data or PII [personally identifiable information] on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
Often, the identity of the actual culprit behind this type of attack remains a mystery. But in this case, the hacker seemed all too happy to reveal themselves. In an email sent to KrebsOnSecurity author Brian Krebs, a hacker named pompompurin took responsibility for the incident.
In an interview with KrebsOnSecurity, pompompurin said that the hack was done to highlight a glaring vulnerability in the FBI’s system. This person told Krebs that their illicit access to the FBI’s email system started with an exploration of LEEP. Before this incident, LEEP would let anyone apply for an account to communicate with the FBI. As part of the registration process, the LEEP site sends out an email confirmation with a one-time passcode.
Pompompurin said that the FBI’s own site leaked that passcode in its HTML code. Armed with that passcode, the hacker said that they sent themselves an email from a specific FBI address. From there, they used a script to replace the initial email with a different subject line and message and then sent an automated hoax message to thousands of addresses derived from the ARIN database.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” pompompurin told Krebs. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
The sample email posted by Spamhaus on Twitter not only tried to strike fear among its recipients but also attempted to discredit an individual named Vinny Troia, a cybersecurity expert and founder of darkweb intelligence firm Shadowbyte.
“Responsibility for the attack has allegedly been claimed by a black hat hacker known on Twitter under handle, @pompompur_in, who is a known associate of the ShinyHunters hacker group,” said Chris Morgan, senior cyber threat intelligence analyst at security firm Digital Shadows. “Pompompurin is highly active on cybercriminal forum RaidForums, where the user has continually targeted security researcher Vinny Troia since early 2021.”
Why compromise an FBI service other than to make the agency look foolish?
“There were several likely motivations: highlighting a security vulnerability, pranking Vinny Troia by falsely attributing them in the fake email, and taking an opportunity to troll the FBI’s security,” Morgan said. “Many companies would have been rushed into incident response during the early periods of Monday morning, so it appears the actor responsible for the emails will have achieved their goal of creating mischief.”
This attack shows that even emails sent from legitimate sources aren’t necessarily to be trusted.
“The latest security incident resulting from fake emails being sent from the Law Enforcement Enterprise Portal (LEEP) is a reminder that cybercriminals will look for techniques to deliver malicious content under the disguise of legitimate services,” said Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify. “This time, coming from a legitimate FBI email address. It’s always important to verify everything, even if it is coming from a legitimate source. Remember, Zero Trust is also about having Zero Assumptions.”
The incident also shows that even an organization like the FBI can make mistakes when it comes to securing their own systems and assets. One slip-up cited by Paul Laudanski, head of threat intelligence at Tessian Research, was the way the agency allowed all of its owned IP addresses to send email on its behalf.
“Analyzing publicly available DNS records, Tessian Research found that the Sender Policy Framework (SPF) record—which helps identify the mail servers that can send emails from any given domain—for the fbi.gov domain allows for all 65,000+ IP addresses that the FBI owns to legitimately send emails on its behalf,” Laudanski said.
“This means that had the FBI’s SPF records been more restricted, the compromised machine would probably have been observed as an SPF Fail, instead of an SPF Pass for receiving organizations that make use of this,” Laudanski added. “Any organization that is not an email provider should restrict its allowed senders list, but for now, this is academic because of the huge list of IP addresses that the FBI permits to send emails on its behalf.”
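To make Laudanski's point concrete, the following added example (not code from the article, from Tessian Research or from the FBI) evaluates a sending IP against an SPF record the way a receiving mail server would and counts how many addresses the record authorizes. Both SPF records and the sender address are constructed for illustration, using private RFC 1918 ranges; they are not the real fbi.gov record. Only the mechanisms that can be evaluated offline (ip4, ip6, all) are supported, so the script runs without DNS.

```python
import ipaddress

# Constructed SPF records for illustration only; neither is the real fbi.gov record.
# A /16 authorizes 65,536 addresses, the order of magnitude the article describes.
PERMISSIVE_SPF = "v=spf1 ip4:10.0.0.0/16 -all"
# A tightened record naming only the hosts that actually send mail (one /28 and one host).
RESTRICTIVE_SPF = "v=spf1 ip4:10.0.5.0/28 ip4:10.0.9.25 -all"

# RFC 7208 qualifier prefixes and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (result_if_matched, mechanism, network) tuples.

    Only ip4, ip6 and all are accepted; a, mx, include, exists and redirect need
    DNS lookups and are rejected explicitly so the evaluation stays offline.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError(f"mechanism {name!r} needs DNS; not supported offline")
        if name == "all":
            parsed.append((QUALIFIERS[qualifier], name, None))
        else:
            # strict=False tolerates ranges written with host bits set, as real records often are
            parsed.append((QUALIFIERS[qualifier], name, ipaddress.ip_network(arg, strict=False)))
    return parsed


def check_spf(record, sender_ip):
    """Return the SPF result for sender_ip: the first matching mechanism wins (RFC 7208 s4.6.2)."""
    ip = ipaddress.ip_address(sender_ip)
    for result, name, net in parse_spf(record):
        if name == "all" or (net.version == ip.version and ip in net):
            return result
    return "neutral"  # nothing matched and there is no redirect modifier


def authorized_address_count(record):
    """Size of the record's 'pass' surface: how many distinct addresses may send mail."""
    total = 0
    for version in (4, 6):
        nets = [net for result, name, net in parse_spf(record)
                if result == "pass" and net is not None and net.version == version]
        # collapse overlapping or adjacent ranges so nothing is counted twice
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return total


if __name__ == "__main__":
    # Constructed sender: a host inside the broad /16 that is not one of the real mail hosts,
    # standing in for a notification server that was never meant to send arbitrary mail.
    stray_host = "10.0.77.14"
    for label, rec in (("permissive", PERMISSIVE_SPF), ("restrictive", RESTRICTIVE_SPF)):
        print(f"{label:11s}: {authorized_address_count(rec):6d} addresses authorized; "
              f"{stray_host} -> SPF {check_spf(rec, stray_host)}")
```

The permissive record lets the stray host pass because a single /16 covers it along with 65,535 other addresses; under the restrictive record the same message evaluates to SPF Fail, which is the signal a receiving organization's filtering could act on. Running `authorized_address_count` against your own domain's published record is a quick way to see how much of your address space is currently trusted to send on your behalf.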
And for organizations that receive alerts from the FBI and other trusted agencies, how can they discern a phony email from the real thing?
“Legitimate cybersecurity alerts from the FBI typically list indicators of compromise, discuss TTPs and provide tips for organizations to protect themselves,” Laudanski said. “These fake alerts sent to 100,000 users did not follow any of those standards, and also contained spelling mistakes, which is often a tell-tale sign of a scam email.”