On Saturday November 13th, hundreds of thousands of recipients received an email from the FBI with the subject line of “Urgent: Threat actor in systems.” Thankfully for the recipients, it turned out the threat described in these emails wasn’t real as, unfortunately, the FBI had suffered an external email breach resulting in fake warning messages being sent out.
However, the hack still raised questions over how the FBI was breached in the first place – plus concerns about how the situation could have been far worse if the emails had contained a malicious payload. We’ll run through how the hack happened and why this case highlights the need for advanced protection from email phishing.
What happened?
A software loophole was exploited, allowing the hacker to gain access to the FBI’s Law Enforcement Enterprise Portal (LEEP). From there, they were able to send out the fake warning emails to over 100,000 email addresses that had been scraped from the American Registry for Internet Numbers (ARIN) database. To a recipient, the emails would have appeared legitimate as they were sent from the FBI’s public facing email system.
The emails were addressed from the Department of Homeland Security and stated that that its recipients had been the targets of a ‘sophisticated chain attack’. They claimed that a person named as Vinny Troia was behind the attacks – and that he was part of an extortion group known as the Dark Overlord. Although in reality, Troia is a well-known cybersecurity researcher who runs the dark web security companies NightLion and Shadowbyte.
Here’s what the fake emails looked like:
Who was responsible?
Threat intelligence organization Spamhaus put forward a theory that this was a ‘scare-ware’ attack, designed to both make the FBI scramble and defame Vinny Troia, the person named in the email. At the time of the attack, no individual or group had claimed responsibility. Since then, a theory has circulated that an individual going by the name of ‘Pompompurin’ was behind the hack (they have allegedly tried to defame Troia before).
This theory seems to have been backed up by Brian Krebs, a security reporter, who was able to speak to Pompompurin. The hacker claims their attack was supposed to highlight vulnerabilities within the FBI’s email system and in a statement to KrebsOnSecurity, they said, “I could’ve 1000 percent used this to send more legit looking emails, trick companies into handing over data etc.”
According to Pompompurin, they were able to exploit a security gap on the FBI’s LEEP portal to sign up for an account using a one-time password embedded in the page’s HTML. From there, Pompompurin claims it was possible to edit both the sender address and email body, then execute the mass email campaign.
What was the impact?
The FBI has been quick to downplay the impact of the hack. They said that the LEEP is an email server used to communicate with state and local law enforcement, and it doesn’t mean that their wider email network has been compromised. They stated that the attacker had not managed to access any personally identifiable information (PII) on their network.
The FBI has also said that the exploited vulnerability has now been fixed. An official statement read: “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails and confirmed the integrity of our networks.”
While recipients weren’t negatively impacted (apart from perhaps being mildly alarmed) this case shows how dangerous email account takeover can be. There was no malicious payload to the emails – but there could have been. These emails all made it through to recipients, as they genuinely came from FBI infrastructure. If there was a link to download ransomware within the emails, this would be a different story entirely.
Disaster narrowly avoided?
This case shows the very real risk of trusted email accounts becoming compromised and the attack could certainly have been much worse than it was. Egress CEO Tony Pepper stated: “This incident shows that anyone – even the FBI – is targeted by hackers. While the emails sent out via the FBI’s internal server were quickly discovered to be hoaxes, it’s a stark warning of the potential damage that can occur if threat actors gain access to internal email servers.”
“In this case, by compromising the Law Enforcement Enterprise Portal (LEEP), the cybercriminal used the FBI's reputation to try to discredit cybersecurity researcher Vinny Troia - but the damage to supply chain organizations could have been immense if a phishing email had been sent instead. This incident must be serve as a reminder to all organizations: where there is a vulnerability, hackers will find it.”
Protect your business from phishing attacks
Advanced phishing attacks can come from seemingly trusted sources within your supply chain. Email accounts within your own business can also become compromised from hacks or targeted spear phishing – and as we’ve seen in this recent case, even the FBI isn’t safe. To protect against the most sophisticated phishing attacks you need intelligent email security that analyzes both the context and content of emails.
Egress Defend uses machine learning and natural language processing to detect even the most advanced inbound email threats. Learn more about Defend here, or claim a free demo to see it in action for yourself.