White Hat Institute

Fake cybersecurity alerts were sent out from the hacked FBI’s email server

Federal Bureau of Investigation (FBI) - (This image was retrieved from trbimg.com)

The Federal Bureau of Investigation (FBI) email servers were hacked and used to distribute spam emails impersonating FBI warnings, telling recipients that their network had been breached and their data stolen.

The emails appeared to warn about a “sophisticated chain assault” perpetrated by an advanced threat actor named Vinny Troia. Troia is the chief of security research at NightLion and Shadowbyte, two dark web intelligence firms. Thousands of these messages were sent in two waves early this morning, according to SpamHaus, a spam-tracking organization, which believes the two waves are only a small part of the overall campaign.

The cybercriminals were able to send emails to over 100,000 addresses, as reported by Bleeping Computer, all of which were scraped from the American Registry for Internet Numbers (ARIN) database. According to Bloomberg, they used the FBI’s public-facing email system, which made the messages appear more official. According to cybersecurity expert Kevin Beaumont, the email headers carry a valid DomainKeys Identified Mail (DKIM) signature showing that the messages really originated from FBI servers; DKIM is part of the mechanism Gmail uses to display brand logos on verified corporate emails, so these messages passed the same authentication checks a legitimate FBI email would.

The FBI issued a statement about the incident, describing it as an “ongoing matter” and stating that “the impacted hardware has been taken offline.” Beyond that, the FBI says it has no additional information to disclose at this time.

Whoever is behind this campaign is most likely trying to undermine Vinny Troia, the founder of the dark web intelligence firm Shadowbyte, who is named in the email as the threat actor behind the bogus supply chain attack. Troia has a long-standing rivalry with members of the RaidForums hacking community, who frequently deface websites and carry out minor hacks, then blame them on the security researcher. When tweeting about the spam campaign, Vinny Troia pointed to someone identified as “pompomourin” as the probable perpetrator. According to Troia, this individual has previously been linked to acts intended to harm the security researcher’s reputation.