FBI e-mail server hacked to send fake cyber attack alerts

An attacker exploited the system misconfiguration to send legitimate-looking cyber security alerts to partners
Image: Shutterstock via Dennis

16 November 2021

The Federal Bureau of Investigation (FBI) has confirmed that a hacker exploited its systems to send fake e-mails to law enforcement partners alerting them to a supposed cyber attack.

The hacker exploited a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) Web app to send legitimate-looking alerts to partners warning them that they had suffered a cyber attack and that a threat actor was currently in their system.

E-mails were sent to partners from an official FBI email account with an @ic.fbi.gov domain, the headers of which also appeared to be legitimate after being sanitised.

The hacker falsely informed recipients they had fallen victim to a “sophisticated chain attack” attributed to Vinny Troia, a reputable security researcher and oft subject of memes in the cyber security industry.

Troia rejected his involvement in the attack shortly after its discovery.

The FBI confirmed the threat actor was unable to access or compromise any sensitive data held by the FBI, and said the server used to send the false e-mails was used only to push notifications for LEEP rather than being connected to the FBI’s corporate e-mail service.

“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake e-mails,” it said on Saturday. “LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners.

“While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate e-mail service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”

Researchers at Spamhaus drew attention to the early reports of fake e-mails on Saturday, saying the recipients were chosen indiscriminately and e-mail addresses were scraped from an ARIN database.

ARIN is a regional internet registry responsible for the management and distribution of Internet number resources such as internet protocol (IP) addresses and autonomous system numbers (ASNs).

Security researchers reported having contacted the FBI at the time of the incident said the staff were “slammed” with calls from alarmed recipients trying to verify if the correspondence was legitimate or not.

A hacker known by the alias Pompompurin claimed responsibility for the attack in an interview with security researcher Brian Krebs. They said they wanted to draw attention to the security vulnerability in the LEEP Web app.

Pompompurin said LEEP allowed anyone to apply for an account, despite it being reserved only for law enforcement partners of the FBI. Account authentication was also run through a one-time passcode e-mailed to the applicant – a code which the FBI’s website leaked in the HTML code of its Web page.

When users requested a confirmation code, they were sent a POST request which included parameters for the e-mail subject and body content. Pompompurin replaced the parameters with his own e-mail subject and body to automate thousands of e-mail sends.

Experts have suggested that the level access Popompurin was able to achieve was worrying and that a wider attack campaign could have bene launched to compromise law enforcement partners across the US.

“The hack could have enabled an attacker to disperse a phishing e-mail campaign to all the FBI’s state and local law enforcement partners – one that was designed to compromise US-wide law enforcement,” said Alan Calder, CEO at GRC International Group.

Future Publishing

Professional Development for IT professionals

The mission of the Irish Computer Society is to advance, promote and represent the interests of ICT professionals in Ireland. Membership of the ICS typically reduces courses by 20%. Find out more

Read More:

Back to Top ↑