Malicious actors reportedly attacked the Federal Bureau of Investigation (FBI) mail system on the morning of Saturday, November 13, 2021, sending messages styled as a DHS warning of a cyberattack. The FBI confirmed that attackers compromised its mail servers and sent out bogus messages. Despite the millions it spends on cybersecurity, the FBI’s network was compromised. The attackers could have used the emails for spear phishing or ransomware delivery, but instead the messages outlined how recipients could avoid cybercrime. They used the compromised server to send spam warning recipients that someone could steal their data.
Email Security Breach On The FBI in Detail
It looks like the FBI was being used as a pawn in a fight between malicious actors and security researchers. The Federal Bureau of Investigation’s Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that intruders broke into the FBI’s mail platform and sent fake messages from the system. They sent “at least” 100,000 spam messages after gaining access to the FBI’s mail server by compromising its email security.
The FBI confirmed that its domain name and internet address, fbi.gov, were used by the perpetrator to blast thousands of fake cybercrime-investigation emails. The FBI said that a software misconfiguration temporarily exposed its Law Enforcement Enterprise Portal (LEEP) to malicious actors, who used it to send the fake emails. The office also noted that no personal data or information was compromised during the break-in.
News And Reactions Surrounding The Email Security Attack Against FBI
The FBI’s email server was compromised to spread spam imitating FBI warnings that someone had attacked the recipient’s network and stolen data. Malicious actors used the FBI’s mail servers to send thousands of fake messages claiming that the recipients were victims of a “sophisticated chain attack,” causing panic among those who received them.
While the intelligence organization confirmed that the emails were fake, a tweet by Spamhaus noted that the emails caused considerable disruption because the headers were genuine and the messages came from FBI infrastructure. Spamhaus further added that all emails came from the FBI IP address 220.127.116.11 (mx-east-ic.fbi.gov).
While scammers often pretend to send emails from someone else’s address, the metadata of these emails clearly showed that the FBI server sent them, said Alex Grosjean, a researcher at the Spamhaus Project. The fake emails then sparked a spate of calls to managed security providers, as Kevin Beaumont, chief security officer at Arcadia Group, noted over the weekend.
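The point Spamhaus makes above is that origin checks cannot flag a message that really left the sender domain’s own mail host. The following added example (not code from the article or from Spamhaus) shows a minimal SPF-style origin check over a constructed message: the host names, addresses and allowlist are assumed, documentation-range values, and the check passes, which is exactly why a defender must then verify the claim itself rather than trust the envelope.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical allowlist of the mail hosts a sender domain publishes (the kind
# of data an SPF record carries); constructed for this example only.
AUTHORIZED_HOSTS = {"example.gov": [ip_network("192.0.2.0/24")]}

# Constructed sample message. The first Received header is the one the
# recipient's own MTA wrote, so it is the only hop the sender cannot forge.
SAMPLE_RAW = (
    "Received: from mx-east.example.gov (mx-east.example.gov [192.0.2.10])\n"
    "\tby mail.recipient.example with ESMTPS; Sat, 13 Nov 2021 05:02:13 +0000\n"
    "From: alerts@example.gov\n"
    "Subject: Urgent: threat actor in systems\n"
    "Content-Type: text/plain\n"
    "\n"
    "Our monitoring indicates exfiltration from your network.\n"
)

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(raw: str) -> Optional[str]:
    """Return the IP the recipient MTA recorded in the topmost Received header."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    match = _RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def sender_domain(raw: str) -> str:
    """Domain part of the From header, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def origin_is_authorized(raw: str) -> bool:
    """SPF-style check: did the message enter from a host the From domain authorizes?"""
    ip, domain = connecting_ip(raw), sender_domain(raw)
    if ip is None or domain not in AUTHORIZED_HOSTS:
        return False
    return any(ip_address(ip) in net for net in AUTHORIZED_HOSTS[domain])


def triage(raw: str) -> str:
    """Mail sent through the domain's own infrastructure passes the origin check,
    so the verdict must come from verifying the claim, not from the envelope."""
    if not origin_is_authorized(raw):
        return "forged-origin"
    return "authorized-origin: verify the warning out of band"
```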
Who is Behind The Cyberattack on the FBI?
The office said the attackers were sending emails from a legitimate FBI address. In an interview, the person claiming responsibility for the prank said he sent the spam messages by exploiting insecure code on the FBI’s online portal for exchanging information with state and local law enforcement. ‘Krebs On Security’ received the same email. The strange email contained a warning about cybersecurity writer Vinny Troia and the malicious group The Dark Overlord. The cybersecurity organization Night Lion published a study on The Dark Overlord earlier this year.
Pompompurin, the attacker, also spoke to ‘Krebs On Security’ and claimed that a simple script could substitute the request parameters for the subject and body of the message and automatically send a fake letter to thousands of email addresses. Pompompurin went on to describe how he could launch a massive spam campaign by manipulating the sender’s address and the body of the letter.
FBI’s Official Statement
The FBI-controlled server that sent the messages was isolated from the agency’s corporate email and did not allow access to any personal data or information on the FBI’s network. The FBI explained that the attackers behind the spam campaign exploited a software misconfiguration to send the emails.
The FBI released a statement the next day (November 14, 2021) saying that the emails were sent by someone who took advantage of a ‘software misconfiguration’ affecting the Law Enforcement Enterprise Portal (LEEP). The agency uses LEEP to communicate with state law enforcement partners. The FBI confirmed that the fake emails were not sent by anyone with access to the FBI’s technology infrastructure; they were the work of someone abusing a misconfigured web portal, and the incident compromised no personal data or information.
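The attacker’s description above (a script swapping the subject and body parameters of a portal request) and the FBI’s own ‘software misconfiguration’ wording both describe one weak pattern: a notification endpoint that copies message fields out of the client request. The following added example is hypothetical code, not LEEP’s, and shows that pattern beside a hardened version; the `OUTBOX` stand-in, the portal sender address and the `issue_code` callback are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, List, Set

# Hypothetical stand-in for a portal's mail backend: it records what would be
# sent instead of talking to an MTA, so the example runs offline.
@dataclass
class SentMail:
    to: str
    sender: str
    subject: str
    body: str

OUTBOX: List[SentMail] = []
PORTAL_SENDER = "noreply@portal.example.gov"  # fixed, server-owned identity


def send_mail(to: str, sender: str, subject: str, body: str) -> SentMail:
    OUTBOX.append(SentMail(to, sender, subject, body))
    return OUTBOX[-1]


# Weak pattern: the confirmation endpoint takes recipient, sender, subject and
# body from the request, so anyone who can reach it decides what the domain's
# mail server says and to whom.
def confirm_signup_weak(request: dict) -> SentMail:
    return send_mail(
        to=request["email"],
        sender=request.get("from", PORTAL_SENDER),
        subject=request["subject"],
        body=request["body"],
    )


# Hardened pattern: the client may only name the address it is registering, and
# only if that address has a pending registration; identity, subject and body
# are fixed server-side, and the code is generated server-side as well.
def confirm_signup_hardened(request: dict, pending: Set[str],
                            issue_code: Callable[[str], str]) -> SentMail:
    to = request["email"].strip().lower()
    if to not in pending:
        raise PermissionError("address has no pending registration")
    code = issue_code(to)
    return send_mail(
        to=to,
        sender=PORTAL_SENDER,
        subject="Your portal confirmation code",
        body=f"Your one-time confirmation code is {code}. It expires in 10 minutes.",
    )
```

Server-side rate limiting per source and per recipient belongs on the hardened endpoint too; it is omitted here to keep the example to the field-handling flaw the page describes.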
Previous Reports of Compromised FBI Systems
In 2015, cyber activists said they could break into the system after discovering that only a single password was required to access various national security and law enforcement systems. This raises the question of why the FBI did not take preventive measures at the time. Regardless of who briefly took possession of FBI email on the 13th, the incident left cybersecurity professionals and law enforcement officials wondering why the person behind it did not use that FBI email access to send more malicious, spear-phishing emails. For example, they could have sent legitimate-looking emails with malware or ransomware attachments to compromise trusted FBI partners.
Around 92% of malware arrives through email. Ransomware protection and phishing protection have become imperative due to the rise in email security breaches. When one of the most secure organizations in the world falls victim to an email breach and server compromise, you need to reevaluate your own organization’s email security posture as well and adopt the relevant measures if they are not already in place.