The FBI’s email systems were recently hacked to spread spam emails imitating FBI alerts that the recipients’ networks had been infiltrated and data stolen. The emails appeared to warn of a “sophisticated chain attack” and claimed it was perpetrated by an advanced threat actor named Vinny Troia.
Vinny Troia is the chief of security research at two dark web intelligence firms – NightLion and Shadowbyte.
According to Spamhaus, a spam-tracking organization, thousands of these messages were distributed early this morning in two waves, one at 5 a.m. (UTC) and the other two hours later. Spamhaus believes this is only a minor component of the campaign’s overall strategy.
According to the FBI’s Law Enforcement Enterprise Portal (LEEP), the emails were sent using a valid FBI email account, eims@ic.fbi.gov, with the subject “Urgent: Threat actor in systems.” As per Spamhaus, all emails came from the FBI’s IP address 153.31.119.142 (mx-east-ic.fbi.gov). The message warns that a threat actor has been found in the recipients’ network and has stolen information from their machines.
The recipients were scraped from the American Registry for Internet Numbers (ARIN) database, according to a tweet from Spamhaus today. While the emails appear to be a hoax, their headers carry a valid DomainKeys Identified Mail (DKIM) signature, showing that they were genuinely sent from FBI servers.
These FBI internal servers that handled the emails are also listed in the headers:
- dap00025.str0.eims.cjis
- dap00040.str0.eims.cjis
- wvadc-dmz-pmo003-fbi.enet.cjis
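The DKIM point above is the one a mail administrator has to get right in triage: a passing signature proves the message transited the signing domain’s infrastructure, not that the claim in the body is true. The following script is an added example (not from the article or from Spamhaus or the FBI) that separates those two questions. It parses a constructed raw message built from the sender, subject, IP and relay hosts the article lists; the Authentication-Results line, timestamps, recipient, Message-ID and body text are made up for the example.

```python
import email
import re
from email import policy

# Hosts the article lists as the FBI relays that handled the messages.
KNOWN_FBI_HOSTS = {
    "mx-east-ic.fbi.gov",
    "dap00025.str0.eims.cjis",
    "dap00040.str0.eims.cjis",
    "wvadc-dmz-pmo003-fbi.enet.cjis",
}

# Constructed sample: host names, IP, sender and subject are those the article reports;
# the Authentication-Results line, timestamps, recipient, Message-ID and body are invented.
SAMPLE_RAW = """\
Received: from mx-east-ic.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142])
  by mail.example.net with ESMTPS; Sat, 13 Nov 2021 05:01:02 +0000
Received: from wvadc-dmz-pmo003-fbi.enet.cjis
  by mx-east-ic.fbi.gov; Sat, 13 Nov 2021 05:01:01 +0000
Received: from dap00025.str0.eims.cjis
  by wvadc-dmz-pmo003-fbi.enet.cjis; Sat, 13 Nov 2021 05:01:00 +0000
Authentication-Results: mail.example.net; dkim=pass header.d=ic.fbi.gov
From: eims@ic.fbi.gov
To: noc@example.net
Subject: Urgent: Threat actor in systems
Message-ID: <constructed-0001@ic.fbi.gov>

A threat actor has been found in your network and has stolen data from your machines.
"""

# Same constructed message with a failed DKIM check, to exercise the other branch.
SAMPLE_RAW_DKIM_FAIL = SAMPLE_RAW.replace("dkim=pass", "dkim=fail")

RECEIVED_FROM = re.compile(r"^from\s+(\S+)")
DKIM_RESULT = re.compile(r"dkim=(\w+)(?:\s+header\.d=(\S+))?")


def received_hops(msg):
    """Return the sending host named in each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(str(value).strip())
        if m:
            hops.append(m.group(1))
    return hops


def dkim_status(msg):
    """Return (result, signing_domain) from Authentication-Results, or ('none', None)."""
    m = DKIM_RESULT.search(msg.get("Authentication-Results", ""))
    return (m.group(1), m.group(2)) if m else ("none", None)


def triage(raw, known_hosts=KNOWN_FBI_HOSTS):
    """Separate 'did this come from the claimed infrastructure' from 'is the claim true'."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_hops(msg)
    result, domain = dkim_status(msg)
    unexpected = [h for h in hops if h not in known_hosts]
    origin_ok = result == "pass" and not unexpected
    if origin_ok:
        verdict = (f"origin authenticated (DKIM pass for {domain}, all hops known); "
                   "the warning in the body is still an unverified claim: corroborate "
                   "it out of band before acting")
    else:
        verdict = f"origin not authenticated (dkim={result}, unexpected hops={unexpected})"
    return {
        "origin_authenticated": origin_ok,
        "dkim_domain": domain,
        "hops": hops,
        "unexpected_hops": unexpected,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("as received", SAMPLE_RAW), ("dkim failed", SAMPLE_RAW_DKIM_FAIL)):
        print(label, "->", triage(raw)["verdict"])
```

Note that for the hoax messages the first branch is the one that fires: every signal a gateway can check says the message is authentic, which is exactly why the decision to act on its content has to rest on out-of-band confirmation rather than on header authentication.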
While its helpdesk is overwhelmed with inquiries from frightened admins, the FBI stated that the emails’ content is fraudulent and that it is working to resolve the situation. The FBI said it was unable to disclose any further information because the investigation is ongoing. In another statement, the FBI said that the threat actor behind the spam campaign took advantage of a software setup to send out the emails.
The mails were sent from an FBI-managed server that is segregated from the agency’s corporate email and had no access to any data or personally identifiable information on the FBI’s network. The LEEP portal allows anybody to apply for an account, according to technical details that investigative journalist Brian Krebs received from the person behind the campaign.
According to Krebs, applicants receive an email confirmation from eims@ic.fbi.gov containing a one-time passcode as part of the procedure. This code and the applicant’s contact information were exposed in the HTML code of the web page. Using a script, the actor could substitute their own email subject and body for those parameters, and the messages would then be sent automatically.
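The two defects Krebs describes, a secret exposed in the served HTML and mail fields that the client is allowed to supply, are a general pattern in self-service enrolment flows. The following is an added example, a hypothetical reconstruction of that pattern and not LEEP’s code or any code from the article: the vulnerable variant hands the one-time code and the subject/body to the browser and composes the mail from whatever comes back, while the hardened variant generates the code server-side, stores only a hash of it, mails a fixed template, and gives the browser nothing but an opaque request token. All names, addresses and the in-memory store are assumptions for the example.

```python
import hashlib
import hmac
import html
import secrets
import time
from dataclasses import dataclass

# Hypothetical reconstruction of the flaw pattern the article describes, not LEEP's code.
# Vulnerable variant: the secret and the mail fields are handed to the browser.

def vulnerable_signup_page(contact_email, otp):
    """Serve a page whose hidden fields carry the one-time code and the mail parameters."""
    return (
        '<form method="post" action="/send-confirmation">'
        f'<input type="hidden" name="to" value="{html.escape(contact_email)}">'
        f'<input type="hidden" name="otp" value="{html.escape(otp)}">'
        '<input type="hidden" name="subject" value="Your account request">'
        f'<input type="hidden" name="body" value="Your one-time passcode is {html.escape(otp)}">'
        '<button>Send confirmation</button></form>'
    )


def vulnerable_send_confirmation(form):
    """Compose the outgoing mail from the posted fields, whatever they contain."""
    # Whatever 'subject' and 'body' arrive in the request are delivered, and signed,
    # under the service's own sender address.
    return {"from": "noreply@example.invalid", "to": form["to"],
            "subject": form["subject"], "body": form["body"]}


# Hardened variant: the server generates the OTP, stores only its hash, fixes the
# template, and gives the browser nothing but an opaque request token.

OTP_TTL_SECONDS = 600
CONFIRMATION_SUBJECT = "Your account request: one-time passcode"
PENDING = {}  # token -> PendingRequest; in-memory store standing in for a database


@dataclass
class PendingRequest:
    contact_email: str
    otp_hash: bytes
    created: float
    used: bool = False


def otp_hash(token, otp):
    """Hash the code together with its token so a leaked store cannot be replayed across requests."""
    return hashlib.sha256(f"{token}:{otp}".encode()).digest()


def hardened_start_signup(contact_email, now=None):
    """Create the request server-side and return (token, outgoing mail built from a fixed template)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)
    otp = f"{secrets.randbelow(10**6):06d}"
    PENDING[token] = PendingRequest(contact_email, otp_hash(token, otp), now)
    mail = {"from": "noreply@example.invalid", "to": contact_email,
            "subject": CONFIRMATION_SUBJECT,
            "body": f"Your one-time passcode is {otp}"}
    return token, mail


def hardened_signup_page(token):
    """The page only references the request; the code and mail fields never reach the browser."""
    return (
        '<form method="post" action="/confirm">'
        f'<input type="hidden" name="token" value="{html.escape(token)}">'
        '<input name="otp" autocomplete="one-time-code">'
        '<button>Confirm</button></form>'
    )


def hardened_verify(token, submitted_otp, now=None):
    """Accept the code once, within its lifetime, using a constant-time comparison."""
    now = time.time() if now is None else now
    req = PENDING.get(token)
    if req is None or req.used or now - req.created > OTP_TTL_SECONDS:
        return False
    if not hmac.compare_digest(req.otp_hash, otp_hash(token, submitted_otp)):
        return False
    req.used = True
    return True
```

The design choice worth noting is that in the hardened flow the mail is composed and sent at the moment the request is created, from server-held data only, so there is no later endpoint that accepts a subject or body from the client at all.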
Whoever is behind this act is most likely trying to undermine Vinny Troia, the founder of the dark web intelligence firm Shadowbyte, who is named in the message as the threat actor behind the bogus supply chain attack.
Troia has a long-standing rivalry with members of the RaidForums hacking group, who frequently deface websites and carry out small hacks, blaming them on the security researcher. When tweeting about the spam campaign, Troia pointed to someone known as “pompomourin” as the likely perpetrator. According to Troia, this individual has previously been linked to acts intended to harm the security researcher’s reputation.