If your organization received an email early Saturday morning purporting to come from the FBI and informing you that you were the victim of a sophisticated cyberattack, you can rest assured that it was fake: the message was the result of an attacker abusing the agency's own infrastructure.
According to security researchers and the FBI, a threat actor gained temporary access to federal IT infrastructure and used it to send emails to at least 100,000 recipients. The emails blame the fictitious attack on a legitimate security researcher.
The emails came from a genuine @ic.fbi.gov address, but the agency said in a statement that the FBI-operated server involved was not part of the bureau's corporate email service, so no information on the FBI's network was accessed or compromised.
According to the FBI, a software misconfiguration gave the threat actor temporary access to the Law Enforcement Enterprise Portal (LEEP), which the bureau uses to communicate with state and local law enforcement partners.
The FBI says it quickly took the impacted hardware offline after discovering the issue.
“No actor was able to access or compromise any data or PII on the FBI’s network,” the agency said in an update Sunday. “Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
Anti-spam organization Spamhaus has largely been credited with spotting the campaign first, early Saturday morning, when it confirmed via Twitter that the emails, although sent from FBI infrastructure, were fake.
“These fake warning emails are apparently being sent to addresses scraped from ARIN database,” Spamhaus tweeted. “They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!”
Spamhaus told BleepingComputer that at least 100,000 of the fake emails were sent.
According to a screenshot tweeted by Spamhaus, the emails claim to notify the recipient that several of their "virtualized clusters" were exfiltrated in a "sophisticated supply chain attack."
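Spamhaus's point, that the headers were real because the messages genuinely left FBI servers, is worth seeing in a header triage. The following is an added example, not code from the original article or from Spamhaus: it parses a constructed message (the hosts, IP, addresses and body are invented for the example and are not the real FBI headers) with Python's standard email package, reads the SPF and DKIM verdicts from the Authentication-Results header and the last-hop Received header, and checks for the signature block Spamhaus noted was missing. What it demonstrates is that an SPF pass attests the sending infrastructure, not the legitimacy of the notification.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (hosts, IP and addresses are invented for this
# example; they are not the real FBI headers). It models what Spamhaus
# described: the message really transited the sender's own infrastructure,
# so SPF passes, yet it carries no DKIM signature and no signature block
# naming a contact.
SAMPLE_RAW = """\
Received: from mail.example.gov (mail.example.gov [192.0.2.10])
    by mx.recipient.example (Postfix) with ESMTPS id 4HrB1x0QYz
    for <abuse@recipient.example>; Sat, 13 Nov 2021 05:04:31 +0000 (UTC)
Authentication-Results: mx.recipient.example;
    spf=pass smtp.mailfrom=example.gov;
    dkim=none
From: Alerts <eims@example.gov>
To: abuse@recipient.example
Subject: Urgent: Threat actor in systems
Date: Sat, 13 Nov 2021 05:04:31 +0000
Content-Type: text/plain; charset=utf-8

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack.
"""


def parse_auth_results(msg):
    """Return {method: (result, {prop: value})} from Authentication-Results.

    RFC 8601 layout: "<authserv-id>; method=result prop=value ...; ...".
    """
    header = str(msg.get("Authentication-Results", ""))
    results = {}
    for clause in header.split(";")[1:]:       # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return results


def last_hop_host(msg):
    """Host named in the topmost Received header: the server that handed the
    message to the recipient's MX. 'The headers are real' means this host
    really was the purported sender's own infrastructure."""
    received = msg.get_all("Received") or []
    match = re.match(r"from\s+(\S+)", str(received[0])) if received else None
    return match.group(1) if match else None


def has_signature_block(body):
    """RFC 3676 signature separator ('-- ' alone on a line) begins a .sig;
    Spamhaus noted the fake mails had no name or contact details in one."""
    return any(line == "-- " for line in body.splitlines())


def triage(raw):
    """Summarise what the headers do and do not establish about a message."""
    msg = message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    spf_result, spf_props = auth.get("spf", ("none", {}))
    dkim_result, _ = auth.get("dkim", ("none", {}))
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    mailfrom_domain = spf_props.get("smtp.mailfrom", "").lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {
        "last_hop": last_hop_host(msg),
        "spf": spf_result,
        "dkim": dkim_result,
        # SPF pass with aligned domains: the mail left the domain's own servers.
        "origin_authenticated": spf_result == "pass" and from_domain == mailfrom_domain,
        # Nothing in the headers says the content is an authorised notification.
        "signature_present": has_signature_block(body),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key:22} {value}")
```

Run against the sample, the triage reports an authenticated origin and no signature block. Note that a DKIM pass would not have settled the question either: in the scenario the article describes, the signing keys belong to the abused infrastructure, so it would have attested the same server. Header authentication is necessary but not sufficient; an alarming notice like this one still has to be confirmed through a channel the sender publishes independently of the email.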
The email names Vinny Troia as the threat actor, supposedly working with the extortion gang TheDarkOverlord. In reality, Troia is a cybersecurity researcher and the CEO of Night Lion Security.
Troia's firm published research on TheDarkOverlord in January; the hacking group has targeted Disney, Netflix, medical facilities and school districts.