FBI’s Email System Hacked to Send Fake Cybersecurity Warnings

On November 13th, hackers attacked the Federal Bureau of Investigation’s (FBI) email system. They sent out emails to over 100,000 addresses from the bureau’s legitimate email address, saying that the recipients have become the victims of a “sophisticated chain attack.”

The emails also claimed that the attack originated from Vinny Troia. What’s more, they falsely claimed that Troia was associated with The Dark Overlord, a notorious hacking group behind the leak of the fifth season of “Orange Is the New Black.”

In reality, Vinny Troia is a conspicuous cybersecurity researcher in charge of NightLion and Shadowbyte, two prominent dark web security companies. Troia theorizes that the said campaign could have been the work of an individual who goes by the name “Pompompurin.” Allegedly, the same person tried damaging the researcher’s reputation in the past.

A computer security reporter, Brian Krebs of KrebsOnSecurity, claims that Pompompurin is connected to the attack as he received an email saying, “Hi its pompompurin. Check headers of this email it’s actually coming from FBI server.”

Krebs reported that the hacker stated that the attack was meant to highlight the FBI’s email systems’ security vulnerabilities. Pompompurin further said that he could use the FBI’s email system to send more legit-looking emails to trick companies into sending over their data.

That said, the Twitter user @pompompur_in, tagged in several tweets by Troia, claims that they are not involved in the incident. In their blog post, they provide arguments as to why the accusations are ungrounded.

The FBI issued a press release regarding the attack. According to it, a software misconfiguration allowed an actor to leverage the LEEP, the Law Enforcement Enterprise Portal, to send fake emails. FBI confirms that the illegitimate email originated from an FBI-operated server.

However, the agency also clarifies that the said server had been used to push notifications for LEEP. In other words, it wasn’t part of the FBI’s corporate email system. Following that, no one gained access or compromised PII (personally identifiable information) or any other data on the agency’s network. The FBI also ensured that it confirmed the integrity of its network.