Unknown attackers succeeded in sending emails from an account on the FBI's servers. Early on Saturday morning (German time), November 13th, 2021, many US administrators struggled with a sudden flood of emails. The sender was supposedly the US Federal Bureau of Investigation (FBI). The emails, with the subject "Urgent: Attacker in the System", warned of a "sophisticated chain attack" by an advanced threat actor.
Easy to see through as false news
The message was sent from the IP address 153.31.119.142 (mx-east-ic.fbi.gov) with the sender eims@ic.fbi.gov. Anyone who took a closer look at the mail and was well versed in the security scene quickly realized that this warning had to be a fake, because Vinny Troia was named as the threat actor. Troia is the head of security research at the dark web intelligence companies NightLion and Shadowbyte. The man was subsequently showered with phone calls from affected users.
The non-profit organization SpamHaus soon confirmed in a tweet that the warning emails did indeed come from the FBI / DHS (Federal Bureau of Investigation / Department of Homeland Security), but that the content was simply fake.
These fake warning emails were sent to addresses that appear to have been taken from the ARIN database. In total, more than 100,000 e-mails are believed to have been sent, causing considerable disruption for the recipients, because the message headers were genuine and the messages were sent from the FBI's infrastructure. Spam filters let these messages through without objection.
FBI hardware taken offline
SpamHaus later wrote that, based on its telemetry, the mails were sent in two waves, at 5:00 a.m. (UTC) and 7:00 a.m. (UTC). Since these emails contain no names or contact information in the signature section, SpamHaus asks recipients to be careful.
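Because the headers were genuine and the mail really left FBI hosts, authentication checks such as SPF pass and cannot by themselves catch such messages; the indicators quoted above (sender, sending IP, subject) have to be applied on top. The following Python triage function is an added example, not code from the article or from SpamHaus, and uses a constructed sample message modelled on the article's indicators with a hypothetical receiving host mail.example.net:

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Indicators quoted in the article: sender address, sending host IP, subject.
INCIDENT_SENDER = "eims@ic.fbi.gov"
INCIDENT_IP = "153.31.119.142"
INCIDENT_SUBJECT = "Urgent: Attacker in the System"

# Constructed sample, not a real capture; SPF passes because the mail really
# left FBI hosts, which is exactly why spam filters let it through.
SAMPLE_RAW = """Received: from mx-east-ic.fbi.gov (mx-east-ic.fbi.gov [153.31.119.142])
\tby mail.example.net with ESMTP; Sat, 13 Nov 2021 05:02:11 +0000
Authentication-Results: mail.example.net; spf=pass smtp.mailfrom=ic.fbi.gov;
\tdkim=none
From: eims@ic.fbi.gov
Subject: Urgent: Attacker in the System

We detected a sophisticated chain attack by an advanced threat actor.
"""


def origin_ip(msg):
    """Return the connecting IP recorded in the first Received header, if any."""
    for hdr in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        if m:
            return m.group(1)
    return None


def auth_results(msg):
    """Map mechanism -> result from Authentication-Results, e.g. {'spf': 'pass'}."""
    out = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            out[mech] = res
    return out


def triage(raw):
    """Apply the incident indicators on top of authentication, not instead of it."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    ip = origin_ip(msg)
    checks = [(sender == INCIDENT_SENDER, "sender matches incident"),
              (ip == INCIDENT_IP, "origin IP matches incident"),
              (msg.get("Subject", "").strip() == INCIDENT_SUBJECT,
               "subject matches incident")]
    reasons = [why for hit, why in checks if hit]
    return {"authenticated": auth_results(msg).get("spf") == "pass",
            "ip": ip, "flagged": bool(reasons), "reasons": reasons}
```

Running `triage(SAMPLE_RAW)` reports the message as both authenticated and flagged, which is the combination a filter relying on SPF alone would miss.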
A few hours later the FBI released a brief statement saying that the FBI and CISA were aware of the incident, in which fake emails had been sent from an @ic.fbi.gov email account. The situation was not yet over, and no further information could be made available at that point in time. The affected hardware was quickly taken offline after the problem was discovered.
Motives and perpetrators unknown
The FBI urges the public to continue to be wary of unknown senders in emails and to report suspicious activity to ic3.gov or cisa.gov. However, since the e-mails in question came from trusted e-mail servers, this notice does not really help those affected.
Who was behind the hack is unknown. Security circles are speculating about the background. Damage to the reputation of Vinny Troia and his companies is one possible motive. Or someone wanted to show that the FBI's IT infrastructure can also be hacked.
(tiw)