The FBI's email servers were hacked to distribute spam impersonating Department of Homeland Security (DHS) warnings about fake "sophisticated chain attacks" from an advanced threat actor.
The message tells the recipients that their network has been breached and that the threat actor has stolen their data.
According to the email, the attack was carried out by a threat actor known as Vinny Troia, who is the head of security research at the threat intelligence firms NightLion and Shadowbyte.
The message reads: “Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, whom is believed to be affiliated with the extortion gang TheDarkOverlord.”
The Spamhaus Project, an international nonprofit organization that monitors spam campaigns, warned of emails that claim to come from the FBI/DHS. They noticed that tens of thousands of these messages were delivered in two waves and believe this is just a small part of the campaign.
The fake warnings are being sent to addresses scraped from the American Registry for Internet Numbers (ARIN) database. The fake emails were sent from the IP address 188.8.131.52 (mx-east-ic.fbi.gov); the sender appears to be the Federal Bureau of Investigation’s Law Enforcement Enterprise Portal (LEEP) (email@example.com).
The FBI confirmed that the content of the emails is fake and that it is working to resolve the issue, as its helpdesk is flooded with calls from worried administrators.
The people behind this campaign were likely motivated to discredit Vinny Troia, the founder of dark web intelligence company Shadowbyte, who is named in the message as the threat actor responsible for the fake supply-chain attack.
Vinny Troia blamed a threat actor known as “pompompurin” as the author of the attack.