The email servers of the Federal Bureau of Investigation were hacked on Friday night. The hackers were able to infiltrate the FBI's email system and send out threatening spam emails to over 100,000 people.
The FBI acknowledged on Saturday that its email servers were hacked, but noted the exploited systems were "taken offline quickly."
"The attackers used legitimate FBI systems to conduct the attack, using email addresses scraped from a database for the American Registry for Internet Numbers (ARIN), among other sources," technology blog Engadget reported. "Over 100,000 addresses received the fake emails in at least two waves."
The emails appeared to come from a cybersecurity division of the Department of Homeland Security, and the subject line read: "Urgent: Threat actor in systems."
The hacker signed off as the U.S. Department of Homeland Security's Cyber Threat Detection and Analysis Group, which hasn't existed for years.
Spamhaus Project — an email spam watchdog group that provides "real-time actionable data on spam, phishing, botnets, and malware sources" — reported on the attack on Saturday.
"We have been made aware of 'scary' emails sent in the last few hours that purport to come from the FBI/DHS. While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake," the non-profit threat intelligence organization wrote on Twitter. "These fake warning emails are apparently being sent to addresses scraped from the ARIN database. They are causing a lot of disruption because the headers are real; they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!"
The email reportedly informed recipients that their data had been stolen by an "advanced persistent threat actor" named "Vinny Troia," whom the email claims works with the cybercriminal group The Dark Overlord. However, the real-life Vinny Troia is the head of security research at the dark web intelligence companies NightLion and Shadowbyte, and he believes the hackers named him as the culprit in an attempt to discredit him.
Troia told Bleeping Computer, a technology news website, that he believes an internet persona named "pompompurin" is behind the cyberattack.
"My best guess is 'pompompurin' and his band of minions [are behind this incident]," Troia told the outlet of the persona, who has attacked him in the past.
"The last time they [pompompurin] hacked the national center for missing children's website blog and put up a post about me being a pedophile," Troia added.
Troia claimed that "pompompurin" contacted him a few hours before the spam email cyberattack and simply said, "Enjoy."
Austin Berglas — head of professional services at cybersecurity company BlueVoyant and a former FBI special agent — told Bloomberg the email system that was hacked was not the one FBI agents use to send classified information.
"This is not the classified system that was compromised," Berglas said. "This is an externally facing account that is used to share and communicate unclassified information."
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a statement on the hacked email servers.
"The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account," the statement read. "This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov."