A threat actor gained access to FBI email servers over the weekend and sent fake security advisories, but the repercussions could have been far more dangerous.
The Spamhaus Project, a nonprofit organization that tracks spam addresses, announced on Saturday morning that it had received reports of suspicious emails that were sent from the Law Enforcement Enterprise Portal (LEEP), which is how the FBI communicates with state and local law enforcement partners. According to Spamhaus, the emails contained a fake warning that claimed recipients had suffered a supply chain attack.
In a statement issued Saturday, the FBI said both it and the Cybersecurity and Infrastructure Security Agency (CISA) were aware of a threat actor using the FBI email account, @ic.fbi.gov, to send fake messages. While the statement referred to the incident as “ongoing,” it also noted that the “impacted hardware was taken offline quickly.”
An update on Monday provided more information, including how the FBI’s IT infrastructure was hacked. The FBI said a software misconfiguration temporarily allowed an actor to leverage LEEP and send out fraudulent warnings.
“While the illegitimate email originated from an FBI-operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service,” the statement said. “No actor was able to access or compromise any data or PII [personally identifiable information] on the FBI’s network.”
The Spamhaus Project confirmed that although the emails were fake, they were sent from infrastructure owned by the FBI and the Department of Homeland Security. Spamhaus addressed the incident on Twitter, claiming the emails were sent to addresses taken from the American Registry for Internet Numbers (ARIN) database.
“They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please Beware,” Spamhaus wrote on Twitter.
One example, according to a screenshot from Spamhaus, showed messages with subject-line warnings such as “Urgent: threat actor in systems.” While the threat actor achieved high-level access to law enforcement IT, it appears the access was used only to send fake emails, and those emails did not contain malicious links.
Infosec journalist Brian Krebs interviewed an anonymous hacker operating as “Pompompurin” who claimed responsibility for the hack and said they could have crafted more convincing emails, but that the motive was to reveal the vulnerability in LEEP.
In the updated statement Monday, the FBI confirmed that the hack was due to a software vulnerability, though it did not attribute the hack to a specific threat actor. According to the statement, the FBI “quickly remediated” the flaw and “confirmed the integrity” of its networks.
SearchSecurity contacted the FBI for more information on the remediation actions taken; the FBI declined to comment.