An unidentified hacker group compromised official FBI email servers on November 13th. With this illicit access, the perpetrators used the Bureau's email servers to send out a wave of spam emails warning recipients about a supposed cyber-attack.
The spam email, quoted here with its mistakes intact, read:
“Urgent: Threat actor in systems
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies trough multiple global accelerators. We identified the threat actor to be [REDACTED], whom is believed to be affiliated with the extortion gang TheDarkOverlord, We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.”
It was Carel Bitter, Chief Data Officer at a non-profit threat intelligence organization, who spotted the breach: the compromised server was one the FBI used for its public ticketing and alerting system.
Recipients of the spam began calling the agency, worried about the alleged cyber-attack, which alerted FBI agents to the fact that their official email servers had been compromised. More worrisome than the spam wave itself (the warning was obviously fake) was the fact that the messages sent from the hacked servers passed SPF and DKIM checks. SPF passes only when the sending IP address is authorized by the domain's published SPF record, and DKIM passes only when the message carries a valid signature made with the domain's private signing key. The attackers were therefore not merely forging FBI addresses in the From header: the mail was genuinely sent through the FBI's own email infrastructure.
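The following is an added example, not code from the original article or from the FBI, showing how a receiving mail server's verdict is read. It parses an Authentication-Results header (RFC 8601) and applies DMARC-style relaxed alignment between the From domain, the SPF `smtp.mailfrom` domain and the DKIM `header.d` domain. The three sample messages are constructed for illustration, and `agency.example`, `receiver.example` and `bulkmailer.example` are placeholder domains. The last-two-labels rule for the organizational domain is a simplification of what DMARC does with the Public Suffix List.

```python
"""Added example (not from the original article): interpret Authentication-Results
headers to show why an aligned SPF pass plus an aligned DKIM pass means the message
travelled through the From domain's own authorized mail infrastructure, rather than
being spoofed in the From: line. All sample headers below are constructed; the
domains are placeholders."""

import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: relayed by an authorized IP and signed with the domain's key.
SENT_THROUGH_INFRA = """\
Authentication-Results: mx.receiver.example;
  spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=alerts@agency.example;
  dkim=pass header.d=agency.example header.s=sel1;
  dmarc=pass header.from=agency.example
From: Alerts <alerts@agency.example>
To: victim@receiver.example
Subject: Urgent: Threat actor in systems

body
"""

# Constructed sample 2: From header forged, sent from an unauthorized IP, no signature.
SPOOFED_FROM = """\
Authentication-Results: mx.receiver.example;
  spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=alerts@agency.example;
  dkim=none
From: Alerts <alerts@agency.example>
To: victim@receiver.example
Subject: Urgent: Threat actor in systems

body
"""

# Constructed sample 3: SPF and DKIM pass, but for an unrelated third-party domain.
THIRD_PARTY_SENDER = """\
Authentication-Results: mx.receiver.example;
  spf=pass smtp.mailfrom=bounces@bulkmailer.example;
  dkim=pass header.d=bulkmailer.example
From: Alerts <alerts@agency.example>
To: victim@receiver.example
Subject: Urgent: Threat actor in systems

body
"""


def parse_auth_results(value: str) -> dict:
    """Parse an RFC 8601 Authentication-Results value into
    {method: {'result': ..., 'smtp.mailfrom': ..., 'header.d': ...}}."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop CFWS comments such as "(sender IP is ...)"
    results = {}
    for clause in value.split(";")[1:]:  # clause 0 is the authserv-id (the receiving MX)
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if val:
                info[key.lower()] = val.strip('"').lower()
        results[method.lower()] = info
    return results


def domain_of(identifier: str) -> str:
    """Domain part of an address or a bare domain, lower-cased, without trailing dot."""
    return identifier.rsplit("@", 1)[-1].lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Assumption: last two labels;
    real DMARC implementations consult the Public Suffix List instead."""
    return ".".join(domain.split(".")[-2:])


def classify(raw_message: str) -> dict:
    """Decide whether the From domain's own infrastructure sent the message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    # SPF is aligned only if it passed AND the envelope-sender domain matches the From domain.
    spf_aligned = (spf.get("result") == "pass"
                   and org_domain(domain_of(spf.get("smtp.mailfrom", ""))) == org_domain(from_dom))
    # DKIM is aligned only if a signature verified AND its d= domain matches the From domain.
    dkim_aligned = (dkim.get("result") == "pass"
                    and org_domain(dkim.get("header.d", "")) == org_domain(from_dom))
    if spf_aligned and dkim_aligned:
        verdict = "relayed by an authorized host and signed with the From domain's key"
    elif spf_aligned or dkim_aligned:
        verdict = "one aligned pass: DMARC satisfied, inspect which path was used"
    else:
        verdict = "no aligned pass: From header forged or sent via an unrelated relay"
    return {"from_domain": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("sent through infra", SENT_THROUGH_INFRA),
                         ("spoofed From", SPOOFED_FROM),
                         ("third-party sender", THIRD_PARTY_SENDER)]:
        print(f"{name:20s} -> {classify(sample)['verdict']}")
```

The distinction this draws is the one that mattered in the incident: an aligned pass on both checks proves the sending path, not the legitimacy of the content. Anyone who can make the domain's own mail system emit a message, whether through stolen credentials or an application that sends mail on the domain's behalf, gets exactly the same authenticated result as a genuine sender.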
The hacked FBI email server taken down
The FBI investigated the suspected intrusion and confirmed that the email server had indeed been compromised. The affected server was promptly taken offline to prevent further spam.
Bitter believes the attackers exploited a vulnerability in the compromised email server; the root cause, however, could be something else and is still under investigation. The group also appears to have drawn on one or more public databases of email addresses to build its recipient list. The American Registry for Internet Numbers (ARIN) is one possible source, since its WHOIS records contain contact addresses for IP address and AS number registrations. But Bitter's organization also found recipient addresses that were not in the ARIN database, which indicates that other sources were used as well.