Over the weekend none other than the FBI had one of its systems hacked. The hackers then used it to send out email, signed “pompompurin” and sent ‘from’ email@example.com with the subject “Urgent: Threat actor in systems”, through the FBI’s own mail servers, warning of a “threat” from “Vinny Troia”, who, the email says, is part of an extortion gang called “TheDarkOverlord”. The emails went primarily to system administrators and IT professionals, whose addresses appear to have been harvested from WHOIS records.
Curiously, the only action the email advised was to be careful: there was no malicious link to click and no phone number to call. What this seems to be, then, is one of the first publicly known examples of entirely online SWATting, since Vinny Troia is in fact a known security professional, and the purpose of the email was to set its recipients against a named individual rather than to deliver any payload.
The FBI says that the system the hackers breached was an unclassified email server used specifically for external communications. That is still a serious problem for recipients: because the messages genuinely originated from FBI mail infrastructure, they passed the sender-authentication checks that receiving servers rely on to catch forged mail (SPF, and DKIM and DMARC where the sending domain publishes them), so the usual header-based tests reported the email as legitimate. Authentication of this kind proves which servers a message passed through, not that what it says is true. In fact, according to Krebs on Security, some of the messages also contained the text “Hi its pompompurin. Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”
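To make the point about authentication concrete, here is an added example (not code from the original article, and nothing to do with the FBI’s own systems) that reads the sender-authentication results and the relay chain out of a raw message the way a recipient’s mail filter does. The message is constructed to look like mail relayed through a domain’s own outbound server, so SPF, DKIM and DMARC all pass; every hostname, address and IP address in it is a placeholder (agency.example, mx.example.net, eims@agency.example, 203.0.113.10), and a second copy with the verdicts flipped to “fail” stands in for an ordinary forgery.

```python
"""Reading sender-authentication results out of a raw message.

Added example, not code from the original article. All hostnames, addresses
and IPs below are placeholders (agency.example, mx.example.net,
203.0.113.10), not real headers from the incident.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample: what a recipient's MTA records after accepting mail
# that really did come from the sending domain's own server.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=agency.example;
 dkim=pass header.d=agency.example;
 dmarc=pass header.from=agency.example
Received: from mail.agency.example (mail.agency.example [203.0.113.10])
 by mx.example.net with ESMTPS; Sat, 13 Nov 2021 05:01:00 +0000
Received: from web-portal.agency.example (localhost [127.0.0.1])
 by mail.agency.example with ESMTP; Sat, 13 Nov 2021 05:00:58 +0000
From: Agency Notifications <eims@agency.example>
To: admin@example.net
Subject: Urgent: Threat actor in systems
Content-Type: text/plain; charset=utf-8

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters. We highly recommend you to check your systems.
"""

# The same message as an ordinary forgery would look: the sending host is
# not authorised for the domain, so the receiving MTA records failures.
FORGED_RAW = (SAMPLE_RAW.replace("spf=pass", "spf=fail")
                        .replace("dkim=pass", "dkim=fail")
                        .replace("dmarc=pass", "dmarc=fail"))

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_auth_results(raw: str) -> dict:
    """Map each method in Authentication-Results to its verdict.

    Methods the receiving MTA did not evaluate are reported as 'none'.
    """
    msg = message_from_string(raw, policy=default)
    verdicts = {method: "none" for method in ("spf", "dkim", "dmarc")}
    header = str(msg.get("Authentication-Results", ""))
    for method, verdict in AUTH_RE.findall(header):
        verdicts[method.lower()] = verdict.lower()
    return verdicts


def received_hops(raw: str) -> list:
    """Return (from_host, by_host) pairs, oldest hop first.

    Each MTA prepends its own Received header, so the header order is
    newest-first; reversing it reconstructs the path the message took.
    """
    msg = message_from_string(raw, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return list(reversed(hops))


def assess(raw: str) -> dict:
    """State what the headers actually prove, and what they do not."""
    msg = message_from_string(raw, policy=default)
    auth = parse_auth_results(raw)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    # A link or attachment is something a filter can block or detonate;
    # a bare claim in the body is not.
    has_payload = bool(re.search(r"https?://", body)) or any(
        part.get_filename() for part in msg.walk()
    )
    origin_verified = all(auth[m] == "pass" for m in ("spf", "dkim", "dmarc"))
    if not origin_verified:
        verdict = "authentication failed: treat as forged"
    elif has_payload:
        verdict = "origin verified, but carries a link or attachment: inspect the payload"
    else:
        verdict = ("origin verified and no payload: the claim itself is the lure, "
                   "confirm it out of band before acting on it")
    return {
        "from_domain": from_domain,
        "origin_verified": origin_verified,
        "has_payload": has_payload,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, raw in (("relayed by owner's MTA", SAMPLE_RAW), ("forged", FORGED_RAW)):
        hops = received_hops(raw)
        print(label + ":", assess(raw)["verdict"])
        print("  path:", " -> ".join(h[0] for h in hops), "->", hops[-1][1])
```

The relay chain is the part worth reading when authentication passes: the first hop in the constructed sample shows the message entering the domain’s outbound server from an internal host, which is exactly what a compromised internal system looks like from the outside, and nothing in SPF, DKIM or DMARC distinguishes that from a message the domain meant to send.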
In a statement the FBI said that “No actor was able to access or compromise any data or (personally identifiable information) on FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
In this case, “confirmed the integrity of our networks” reads as vaguespeak for “confirmed that the integrity of our networks was found wanting”: the FBI’s own statement concedes a software vulnerability that had to be remediated, and the attackers were able to send email out through the FBI’s own mail infrastructure.
Here’s the full text of that email:
Full Text of Email Sent by Hackers from FBI’s Hacked Email Server
Subject: Urgent: Threat actor in systems
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group