Hackers reportedly gained access to an internal FBI email server on Saturday and used it to send emails to thousands of organizations warning that a well-respected cybersecurity researcher was attacking their servers.
According to The Spamhaus Project, an internationally recognized group that fights computer crime, the emails came directly from [email protected] — a legitimate FBI account that’s reportedly part of the bureau’s Law Enforcement Enterprise Portal (LEEP).
But despite sending from an FBI email address, the hackers pretended to be writing on behalf of the U.S. Department of Homeland Security.
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators,” the emails read.
“We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure. Stay safe, U.S. Department of Homeland Security.”
A screenshot of the emails may be seen in the tweets below posted by Spamhaus:
We have been made aware of “scary” emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.
— Spamhaus (@spamhaus) November 13, 2021
These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!
— Spamhaus (@spamhaus) November 13, 2021
These emails look like this:
Sending IP: 153.31.119.142 (https://t.co/En06mMbR88)
From: [email protected]
Subject: Urgent: Threat actor in systems
— Spamhaus (@spamhaus) November 13, 2021
In the tweets, Spamhaus makes it clear that the emails were “fake,” while stressing that they were sent from legitimate “infrastructure that is owned by the FBI/DHS.” That is what made them disruptive: the message headers and sending IP were genuine FBI ones, so recipients could not dismiss them as ordinary spoofed spam.
It further notes that the recipient addresses were scraped from the American Registry for Internet Numbers (ARIN) database. ARIN is the regional Internet registry for North America; its public WHOIS records list which organizations hold which blocks of Internet Protocol (IP) addresses, along with contact email addresses for those organizations. In effect it is an Internet phone book, keyed by IP address instead of phone number, which is why the mailing reached network administrators directly.
The FBI for its part released a statement early Saturday evening acknowledging the attack but stressing that “[t]he impacted hardware was taken offline quickly upon discovery of the issue.”
#FBI Statement on Incident Involving Fake Emails @CISAgov https://t.co/pkF8qtAeH1
— FBI (@FBI) November 13, 2021
The man mentioned in the emails, Vinny Troia, is in fact a well-regarded cybersecurity expert, and this isn’t his first rodeo. Hackers previously came after him last year after he published a book exposing the inner workings of their operations.
“A hacker claims to have breached the backend servers belonging to a US cyber-security firm and stolen information from the company’s ‘data leak detection’ service. The hacker says the stolen data includes more than 8,200 databases containing the information of billions of users that leaked from other companies during past security breaches,” ZDNet reported at the time.
“The databases have been collected inside DataViper, a data leak monitoring service managed by Vinny Troia, the security researcher behind Night Lion Security, a US-based cyber-security firm.”
Spamhaus believes the latest attack may have been motivated by a desire to assassinate Troia’s character.
Triple action: Convince people to shut things down just in case, while veracity is determined, character assassination of Vinny Troia who was mentioned in it, and flooding the FBI with calls. Or, as someone else said, “for the lulz”. Maybe all of the above. Maybe something else!
— Spamhaus (@spamhaus) November 13, 2021
As to who orchestrated the attack, Troia believes it was the mastermind behind the very same hacker group — “the extortion gang TheDarkOverlord” — that the fake emails claimed he himself was affiliated with.
That mastermind goes by the Twitter alias Pompompurin:
Wow I can’t imagine who would be behind this. #thedarkoverlord aka @pompompur_in https://t.co/Xd6XoZNRnl
— Vinny Troia, PhD (@vinnytroia) November 13, 2021
“My best guess is Pompompurin and his band of minions [are behind this incident]. The last time, they hacked the National Center for Missing Children’s site blog and put up a post about me being a pedophile,” he said in a statement to Bleeping Computer.
That wasn’t very nice of them. And the evidence Troia cites does point to Pompompurin again being the perpetrator, including this:
“‘[P]ompompurin’ contacted Troia a few hours before the spam email campaigns started to simply say ‘enjoy,’ as a warning that something involving the researcher was about to happen. Troia said that ‘pompompurin’ messages him every time they start an attack to discredit the researcher,” according to Bleeping Computer.
Engadget notes that these sorts of feuds between cybersecurity researchers and the hackers they expose are nothing new: “In March, attackers exploiting Microsoft Exchange servers tried to implicate security journalist Brian Krebs using a rogue domain.”
What is definitely “rare,” Engadget continues, is hackers using “real domains from a government agency like the FBI as part of their campaign.”
But it’s a double-edged sword, as the FBI is a federal organization that’s not known for its congenial temperament.
“While [this strategy] may be more effective than usual (the FBI was swamped with calls from anxious IT administrators), it might also prompt a particularly swift response — law enforcement won’t take kindly to being a victim,” Engadget notes.
Hopefully, Pompompurin will “enjoy” the newfound attention from America’s leading law enforcement agency …