By Staff Writer
Hackers used the Federal Bureau of Investigation's (FBI) Law Enforcement Enterprise Portal (LEEP) to send roughly 100,000 emails warning recipients that they were the victims of a sophisticated cyberattack. The emails were sent from the FBI address eims@ic.fbi.gov.
Spamhaus, an international non-profit organisation that tracks spam and related cyber threats, flagged the emails on Saturday morning.
“While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails are fake spam,” Spamhaus posted online.
“These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real; they really are coming from FBI infrastructure.”
The emails carried the subject line “Urgent: Threat actor in systems”, but Spamhaus notes they contained no call to action. It suggests several possible motives, including simple scareware, embarrassing the FBI, and damaging the reputation of a high-profile figure in the cybersecurity industry.
The recipient addresses were scraped from the American Registry for Internet Numbers (ARIN) database, which is why so many landed with network operators and abuse contacts. The eims@ic.fbi.gov address belongs to the FBI's Criminal Justice Information Services division.
The email warned of a cyberattack and referenced a hacking group called The Dark Overlord. That group was the subject of a 2020 investigation by Vinny Troia, a high-profile security researcher who heads research at the dark web intelligence companies NightLion and Shadowbyte.
The fake emails named Mr Troia as the person behind the threat. He calls the incident a smear attack, and he has been the target of similar attacks recently.
Some media reports point to a hacker known as Pompompurin, a known adversary of Troia. One cybersecurity journalist received a message from Pompompurin claiming responsibility while the spam run was still under way. Pompompurin claims he breached the FBI server to highlight its vulnerabilities.
Spam is nothing unusual. Spam that genuinely originates from a government mail server is, because the headers check out as real and the usual sender checks do not flag it. The FBI says the hackers exploited a software misconfiguration to send the emails.
“The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails,” they said in a statement.
“LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI-operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI's corporate email service.”
The agency says no sensitive information was accessed or compromised, and that once it was notified of the attack it remedied the software vulnerability immediately.
Although LEEP serves law enforcement agencies, intelligence groups and criminal justice entities, the portal allowed anyone to apply for an account. Part of the application process involved the applicant receiving a one-time passcode emailed from eims@ic.fbi.gov.
Pompompurin says the passcode was also present in the HTML of the web page, and that it was then a simple matter of changing the text in the subject and message content fields.
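To make the two defects in that account concrete, here is an added illustration in Python. It is not code from the FBI, from LEEP or from anyone quoted in this article; the sender address, field names, form data and the hardened design are all constructed for the example. The vulnerable handler assembles the confirmation email from whatever subject and message the client posts and renders the freshly generated passcode into the page it returns; the hardened handler uses a fixed server-side template, keeps only a hash of the code, and never sends the code back to the browser.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical sender address; stands in for a real notification account.
SENDER = "noreply@portal.example.gov"
TEMPLATE_SUBJECT = "Your portal registration code"
TEMPLATE_BODY = "Your one-time registration code is {code}"

# Constructed request body of the kind an attacker would post to the
# vulnerable endpoint: recipient, subject and message are all client-chosen.
SPOOF_FORM = {
    "to": "abuse-contact@example.net",
    "subject": "Urgent: Threat actor in systems",
    "message": "Constructed fake warning text for the example.",
}


@dataclass(frozen=True)
class Email:
    sender: str
    to: str
    subject: str
    body: str


def vulnerable_register(form: dict) -> tuple[Email, str]:
    """The misconfiguration pattern: the mail is built from whatever subject
    and message the client submits, so any recipient gets a message with
    genuine server headers but attacker-chosen content; and the passcode the
    server just generated is written into the page, so the 'verification'
    step proves nothing."""
    code = f"{secrets.randbelow(10**6):06d}"
    mail = Email(SENDER, form["to"], form["subject"], form["message"])
    page_html = f'<input type="hidden" name="otp" value="{code}">'
    return mail, page_html


# Hardened flow: pending registrations keyed by an opaque id; only a hash of
# the code is stored server-side and the page never contains the code.
_pending: dict[str, str] = {}


def _digest(reg_id: str, code: str) -> str:
    return hashlib.sha256(f"{reg_id}:{code}".encode()).hexdigest()


def hardened_register(form: dict) -> tuple[Email, str]:
    """Only the recipient comes from the client. Subject and body are fixed
    templates, so the endpoint cannot be turned into a relay for arbitrary
    text, and the page carries an opaque registration id, not the code."""
    code = f"{secrets.randbelow(10**6):06d}"
    reg_id = secrets.token_urlsafe(16)
    _pending[reg_id] = _digest(reg_id, code)
    mail = Email(SENDER, form["to"], TEMPLATE_SUBJECT, TEMPLATE_BODY.format(code=code))
    page_html = f'<input type="hidden" name="reg" value="{reg_id}">'
    return mail, page_html


def hardened_verify(reg_id: str, submitted: str) -> bool:
    """Constant-time comparison against the stored hash; the code is consumed
    on first successful use so it cannot be replayed."""
    expected = _pending.get(reg_id)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, _digest(reg_id, submitted))
    if ok:
        del _pending[reg_id]
    return ok


if __name__ == "__main__":
    spoofed, leaky_page = vulnerable_register(SPOOF_FORM)
    print("vulnerable:", spoofed.subject, "| page leaks code:", leaky_page)
    safe, page = hardened_register(SPOOF_FORM)
    print("hardened:", safe.subject, "| page:", page)
```

Note that the hardened version still accepts the recipient from the client, which is unavoidable for email verification; what it removes is control over the content and the disclosure of the code. In a real deployment the same endpoint would also need rate limiting per source and per recipient, which this illustration omits.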
Pompompurin criticised the FBI, saying he never expected to see such vulnerabilities on a government website. Since the weekend, the FBI has stopped allowing anyone to open an account on its LEEP portal.