“We have been made aware of ‘scary’ emails sent in the last few hours that purport to come from the FBI/DHS [Department of Homeland Security],” the group, Spamhaus Project, wrote on Twitter.
The messages came from a legitimate email address—email@example.com—from the Law Enforcement Enterprise Portal (LEEP), which is owned by the FBI and DHS, according to the group. However, it noted that “our research shows that these emails *are* fake.”
The FBI, part of the Department of Justice, said in a statement that it and the Cybersecurity and Infrastructure Security Agency (CISA) are both “aware of the incident this morning involving fake emails from an @ic.fbi.gov email account.”
The agency stated that although the affected hardware was “taken offline quickly upon discovery of the issue,” the situation is an ongoing one, and it won’t be providing additional information for the time being.
The emails, sent to tens of thousands of recipients, appeared to be warnings of a possible cyberattack, according to a copy that Spamhaus shared on Twitter. The subject line read “Urgent: Threat actor in systems” and the message was signed off as DHS.
“Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack,” the email reads. “We identified the threat actor to be Vinny Troia, whom [sic] is believed to be affiliated with the extortion gang TheDarkOverlord[.] We highly recommend you to check your systems and IDS monitoring.”
“These fake warning emails are apparently being sent to addresses scraped from ARIN database,” the group wrote. “They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!
“From what other people are reporting, this was not limited to the ARIN database. Other, non-ARIN related harvested emails were included in the spam run.”
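The point Spamhaus makes above, that the run was disruptive precisely because the mail genuinely left FBI infrastructure, is why sender authentication on its own cannot separate a legitimate notification from abuse of a legitimate sender. The following is an added example, not code from the article, from Spamhaus or from any agency: a small triage helper that reads the SPF/DKIM/DMARC verdicts from a message's Authentication-Results header and, even when all three pass, still applies content indicators taken from the description above (an urgent subject line, a sign-off with no name or contact details, a demand for defensive action that the recipient cannot verify). The two messages it runs over are constructed placeholders with example domains, not the real emails, and the indicator list is an assumption about what a triage rule for this run might look like.

```python
"""Triage helper: a passing SPF/DKIM/DMARC result says the mail left the
claimed infrastructure, not that the infrastructure was used legitimately."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample modelled on the page's description of the run: authentication
# passes because the mail really left the sender's infrastructure, the subject is
# urgent, and the sign-off is a bare organisation name with no contact details.
# Hostnames and domains are placeholders, not the real headers.
RAW_FAKE_WARNING = b"""\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=portal.agency.example.gov; dkim=pass header.d=portal.agency.example.gov; dmarc=pass header.from=portal.agency.example.gov
From: Alerts <noreply@portal.agency.example.gov>
To: abuse@recipient.example
Subject: Urgent: Threat actor in systems
Content-Type: text/plain; charset=utf-8

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack. We highly recommend
you to check your systems and IDS monitoring.

DHS
"""

# Constructed contrast: same authenticated sender, routine content, a signature
# with a name and a phone number.
RAW_ROUTINE_NOTICE = b"""\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=portal.agency.example.gov; dkim=pass header.d=portal.agency.example.gov; dmarc=pass header.from=portal.agency.example.gov
From: Portal Operations <noreply@portal.agency.example.gov>
To: abuse@recipient.example
Subject: Portal maintenance window on Saturday
Content-Type: text/plain; charset=utf-8

The portal will be unavailable for planned maintenance on Saturday.
Questions can be directed to the help desk at +1 555 0100.

Jane Doe, Portal Operations
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URGENCY = ("urgent", "immediately", "threat actor", "compromise")
# Phone number, email address or URL anywhere in the body counts as contact detail.
CONTACT_RE = re.compile(r"(\+?\d[\d\s().-]{7,}\d|[\w.+-]+@[\w-]+\.[\w.-]+|https?://\S+)")


def parse_auth_results(msg: EmailMessage) -> dict:
    """Collect the spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results[method.lower()] = verdict.lower()
    return results


def authenticated(auth: dict) -> bool:
    """True only when all three mechanisms report pass."""
    return all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))


def content_indicators(msg: EmailMessage) -> list:
    """Heuristics drawn from the page's description of the fake warnings (assumed rule set)."""
    indicators = []
    subject = (msg["Subject"] or "").lower()
    if any(k in subject for k in URGENCY):
        indicators.append("urgent subject line")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    lines = [line.strip() for line in body.splitlines() if line.strip()]
    signoff = lines[-1] if lines else ""
    if not CONTACT_RE.search(body):
        indicators.append("no contact details anywhere in body")
    if signoff and len(signoff.split()) <= 3 and not CONTACT_RE.search(signoff):
        indicators.append(f"sign-off is a bare organisation name: {signoff!r}")
    if "shut" in body.lower() or "check your systems" in body.lower():
        indicators.append("calls for defensive action on unverifiable claims")
    return indicators


def triage(raw: bytes) -> dict:
    """Combine authentication verdicts with content indicators into one triage result."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    indicators = content_indicators(msg)
    if authenticated(auth) and indicators:
        verdict = "authenticated-but-suspicious"  # verify out of band before acting
    elif authenticated(auth):
        verdict = "authenticated"
    else:
        verdict = "unauthenticated"
    return {"from": msg["From"], "auth": auth, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for raw in (RAW_FAKE_WARNING, RAW_ROUTINE_NOTICE):
        print(triage(raw))
```

Both constructed messages authenticate identically; only the content heuristics separate them, which is the practical lesson of a run that abused a real sending system. The verdict "authenticated-but-suspicious" is meant to route a message to out-of-band verification (a phone call to a known number, not the sender) rather than to trigger shutdowns on the strength of the headers alone.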
Spamhaus also offered possible motivations for the spam run, which carried no trojan links or attachments.
“Triple action: Convince people to shut things down just in case, while veracity is determined, character assassination of Vinny Troia who was mentioned in it, and flooding the FBI with calls,” the group wrote. “Or, as someone else said, ‘for the lulz.’ Maybe all of the above. Maybe something else!”
Vinny Troia, a security researcher and founder of dark web intelligence company Shadowbyte, commented about the situation on Twitter.
“Wow I can’t imagine who would be behind this. #thedarkoverlord aka @pompompur_in,” he wrote.
He told Bleeping Computer on Nov. 13 that the individual “pompompurin” is likely the culprit behind the FBI email system compromise. He noted that the individual has allegedly been involved in a past incident that sought to damage his reputation.
“The last time they [pompompurin] hacked the national center for missing children’s website blog and put up a post about me being a pedophile,” he said.
Troia also stated that the individual had contacted him a few hours before spamming the FBI email servers and that the individual tends to alert him when they’re about to discredit him.