The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients’ network was breached and data was stolen.
The emails pretended to warn about a “sophisticated chain attack” from an advanced threat actor known, who they identify as Vinny Troia. Troia is the head of security research of the dark web intelligence companies NightLion and Shadowbyte
The spam-tracking nonprofit SpamHaus noticed that tens of thousands of these messages were delivered in two waves early this morning. They believe this is just a small part of the campaign.
Legitimate address delivers fake content
Researchers at the Spamhaus Project, an international nonprofit that tracks spam and associated cyber threats (phishing, botnets, malware), observed two waves of this campaign, one at 5 AM (UTC) and a second one two hours later.
The messages came from a legitimate email address – [email protected] – which is from FBI’s Law Enforcement Enterprise Portal (LEEP), and carried the subject “Urgent: Threat actor in systems.”
All emails came from the FBI’s IP address 184.108.40.206 (mx-east-ic.fbi.gov), Spamhaus told us.
The message warns that a threat actor has been detected in the recipients’ network and has stolen data from devices.
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
Spamhaus Project told BleepingComputer that the fake emails reached at least 100,000 mailboxes. The number is a very conservative estimate, though, as the researchers believe “the campaign was potentially much, much larger.”
While this looks like a prank, there is no doubt that the emails originate from the FBI’s servers as the headers of the message show that its origin is verified by the DomainKeys Identified Mail (DKIM) mechanism.
Received: from mx-east-ic.fbi.gov ([220.127.116.11]:33505 helo=mx-east.fbi.gov) envelope-from DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fbi.gov; s=cjis; t=1636779463; x=1668315463; h=date:from:to:message-id:subject:mime-version; bh=UlyBPHe3aElw3Vfnk/pqYLsBAoJGDFR1NyZFcSfpl5g=; b=N3YzXzJEbQCTJGh8qqjkYu/A5DTE7yoloPgO0r84N+Bm2ae6f+SxzsEq nbjnF2hC0WtiVIMMUVGzxWSiZjq1flEygQGI/JVjjk/tgVVPO5BcX4Os4 vIeg2pT+r/TLTgq4XZDIfGXa0wLKRAi8+e/Qtcc0qYNuTINJDuVxkGNUD 62DNKYw5uq/YHyxw+nl4XQwUNmQCcT5SIhebDEODaZq2oVHJeO5shrN42 urRJ40Pt9EGcRuzNoimtUtDYfiz3Ddf6vkFF8YTBZr5pWDJ6v22oy4mNK F8HINSI9+7LPX/5Td1y7uErbGvgAya5MId02w9r/p3GsHJgSFalgIn+uY Q==; X-IronPort-AV: E=McAfee;i="6200,9189,10166"; a="4964109" X-IronPort-AV: E=Sophos;i="5.87,231,1631577600"; d="scan'208";a="4964109" Received: from dap00025.str0.eims.cjis ([10.67.35.50]) by wvadc-dmz-pmo003-fbi.enet.cjis with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 13 Nov 2021 04:57:41 +0000 Received: from dap00040.str0.eims.cjis (dap00040.str0.eims.cjis [10.66.2.72]) by dap00025.str0.eims.cjis (8.14.4/8.13.8) with ESMTP id 1AD4vf5M029322 for ; Fri,