[outages] not quite an outage, more a hack, "Urgent: Threat actor in systems" emails from FBI infrastructure

Glenn McGurrin outages-org at cloudoptimizedsmb.com
Sat Nov 13 11:11:57 EST 2021


Not quite an outage, more a hack, but I thought it relevant.  As always, 
replies to -discussion unless someone sees an official statement from 
the FBI or other government agencies (I have not seen one yet).

I had a bit of an odd one this morning: I received two emails, through 
contacts listed in whois, with the subject "Urgent: Threat actor in systems" 
from "eims at ic.fbi.gov".  I was all set to ignore them as an odd bit of 
spam, but did a quick check on the headers and was surprised to see it had 
valid DKIM and SPF and was from an actual FBI IP; cue real worry 
starting (as odd and off as the email content was, it's a lot more real 
when suddenly it's either legit or the FBI got hacked to send the 
email).  Luckily (for some definition of lucky) it looks like it was a 
case of something being hacked on the FBI's end, as when I called they 
immediately knew what I was calling about and said they had dealt with 
the compromised equipment.  Further googling after that call shows a few 
more reports of this, e.g. 
https://twitter.com/spamhaus/status/1459450061696417792 and 
https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966, 
but I figured I'd mention it here so others don't get caught quite as 
off guard.

Best guess I can come up with is that it's an attempt to ruin the name 
of the person mentioned in the email and/or promote the name of the 
mentioned gang.  The specifics seem off for trying to get someone swatted, 
given that if you thought this was real, what local agency would want to 
storm a federal operation with SWAT agents, and if you thought this was 
all fake, then you wouldn't go either.  That, or to create FUD for any 
other warnings issued and distract from something else going on.


Full body of the email:

Our intelligence monitoring indicates exfiltration of several of your 
virtualized clusters in a sophisticated chain attack. We tried to 
blackhole the transit nodes used by this advanced persistent threat 
actor, however there is a huge chance he will modify his attack with 
fastflux technologies, which he proxies trough multiple global 
accelerators. We identified the threat actor to be Vinny Troia, whom is 
believed to be affiliated with the extortion gang TheDarkOverlord, We 
highly recommend you to check your systems and IDS monitoring. Beware 
this threat actor is currently working under inspection of the NCCIC, as 
we are dependent on some of his intelligence research we can not 
interfere physically within 4 hours, which could be enough time to cause 
severe damage to your infrastructure.
Stay safe,
U.S. Department of Homeland Security | Cyber Threat Detection and 
Analysis | Network Analysis Group
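
The header check described in the post (SPF/DKIM verdicts plus the IP that handed the message to your edge), as an added example that is not part of the original post. Everything in it is constructed for illustration: the two sample messages, the hostnames, the IPs (RFC 5737 documentation ranges) and the netblock lists are placeholders, not the post's real headers or any real agency's infrastructure. The second sample is a spoof injected from an unrelated host so the two outcomes can be compared.

```python
"""Added example: pull the receiving MTA's SPF/DKIM/DMARC verdicts from
Authentication-Results, find the host that connected to our edge, and
decide whether an alarming message is at least "authenticated".

All samples, hostnames, IPs and netblocks below are constructed
placeholders for this example only.
"""
import email
import ipaddress
import re
from email import policy

# Networks we consider "ours" (internal hops to skip when walking Received:).
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8")]
# Networks the claimed sender domain is expected to deliver from (placeholder).
EXPECTED_SENDER_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample 1: relayed by the sender domain's own MTA, all checks pass.
SAMPLE_PASS = """\
Received: from edge.receiver.test (localhost [127.0.0.1])
\tby edge.receiver.test with ESMTP id 1; Sat, 13 Nov 2021 06:01:00 -0500
Received: from mail.sender.example ([192.0.2.10])
\tby edge.receiver.test with ESMTPS id 2; Sat, 13 Nov 2021 06:00:59 -0500
Authentication-Results: edge.receiver.test;
\tspf=pass smtp.mailfrom=sender.example;
\tdkim=pass header.d=sender.example header.s=sel1;
\tdmarc=pass header.from=sender.example
From: alerts@sender.example
To: hostmaster@receiver.test
Subject: Urgent: Threat actor in systems

(body)
"""

# Constructed sample 2: same From:, but injected from an unrelated host, unsigned.
SAMPLE_SPOOF = """\
Received: from edge.receiver.test (localhost [127.0.0.1])
\tby edge.receiver.test with ESMTP id 3; Sat, 13 Nov 2021 06:05:00 -0500
Received: from vps.unrelated.test ([198.51.100.7])
\tby edge.receiver.test with ESMTP id 4; Sat, 13 Nov 2021 06:04:59 -0500
Authentication-Results: edge.receiver.test;
\tspf=fail smtp.mailfrom=sender.example;
\tdkim=none (message not signed);
\tdmarc=fail header.from=sender.example
From: alerts@sender.example
To: hostmaster@receiver.test
Subject: Urgent: Threat actor in systems

(body)
"""


def parse_auth_results(msg):
    """Extract method=verdict pairs and the DKIM signing domain (header.d)."""
    hdr = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", hdr)
        out[method] = m.group(1).lower() if m else None
    m = re.search(r"\bheader\.d=([\w.-]+)", hdr)
    out["dkim_domain"] = m.group(1).lower() if m else None
    return out


def first_external_ip(msg, trusted_nets):
    """Walk Received: headers newest-first; return the first IP not in our nets.

    That is the host that connected to our edge, the only hop we can vouch
    for; lower Received: lines are text the sender could have forged."""
    for rcvd in msg.get_all("Received", []):
        for ip_str in re.findall(r"\[([0-9a-fA-F.:]+)\]", rcvd):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue
            if not any(ip in net for net in trusted_nets):
                return ip
    return None


def assess(raw, expected_sender_nets=EXPECTED_SENDER_NETS, trusted_nets=TRUSTED_NETS):
    """Return the evidence a reader would want before trusting an alarming mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    addrs = msg["From"].addresses if msg["From"] else ()
    from_domain = addrs[0].domain.lower() if addrs else None
    peer = first_external_ip(msg, trusted_nets)
    aligned = auth["dkim_domain"] is not None and auth["dkim_domain"] == from_domain
    in_expected = peer is not None and any(peer in n for n in expected_sender_nets)
    return {
        "from_domain": from_domain,
        "spf": auth["spf"],
        "dkim": auth["dkim"],
        "dmarc": auth["dmarc"],
        "dkim_aligned": aligned,
        "peer_ip": str(peer) if peer else None,
        "peer_in_expected_netblock": in_expected,
        # True only means the mail left the sender domain's authorised
        # infrastructure. It says nothing about the content: a compromised
        # or abused system on that side passes every one of these checks.
        "authenticated": auth["spf"] == "pass" and auth["dkim"] == "pass"
        and aligned and in_expected,
    }


if __name__ == "__main__":
    for name, raw in (("pass", SAMPLE_PASS), ("spoof", SAMPLE_SPOOF)):
        print(name, assess(raw))
```

The point of the last field is the one the post makes: a passing result tells you the message went out through the domain's own authorised mail path, which is exactly why an abused system on the sender's side looks legitimate. Only the Authentication-Results line your own MTA wrote is trustworthy; any such header already present in the message on arrival should be stripped before this kind of check.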

