Hackers compromised the Federal Bureau of Investigation's external email system on Saturday, sending spam emails to potentially thousands of people and companies with a false warning of a cyberattack.
The FBI announced in a statement that the fake emails were sent from the Law Enforcement Enterprise Portal system used to communicate with state and local officials, which is not part of the FBI's larger corporate email service.
“No actor was able to access or compromise any data or (personally identifiable information) on the FBI network,” the bureau said. “As soon as we learned of the incident, we quickly remediated the software vulnerability, warned partners to ignore the fake emails, and confirmed the integrity of our networks.”
Cybersecurity experts said the fact that the email did not include any malicious attachments could indicate that the hackers encountered a vulnerability in the FBI portal and did not have a specific plan to exploit it.
“It could have just been a group or individuals looking to get some street cred to advertise on secret forums,” said Austin Berglas, a former assistant special agent in charge of the FBI’s New York office’s cyber division, who is not involved in any government investigation of the incident. “I would think it would be some kind of criminal group or some kind of ‘hacktivist’ group,” rather than a coordinated, state-backed attack.
The compromised system was an unclassified server used by FBI personnel to communicate outside the organization, and the hackers did not appear to have access to internal databases containing state secrets or classified information, said Berglas, who is now the global head of professional services at cybersecurity firm BlueVoyant.
A copy of the alleged spam email was posted on Twitter by the Spamhaus Project, an international watchdog that tracks spam and related cyber threats like phishing, malware and botnets. The subject line was: “Urgent: Threat actor in systems” and the email purported to be a warning from the Department of Homeland Security about a cyberattack.
Spamhaus, which analyzed the emails’ metadata, wrote on Twitter that the fake emails were “causing a lot of disruption because the headers are real, they really come from the FBI infrastructure.” They were apparently sent to thousands of addresses, at least some taken from the database of the American Registry for Internet Numbers, the nonprofit organization responsible for managing the distribution of Internet addresses in the North American region.
The email referred to an international hacking group called Dark Overlord, which is suspected of stealing data and demanding large ransoms for its return. The group is suspected of stealing student records in several US states and episodes of Netflix shows in 2017. Last year, a Briton was sentenced to five years in prison for his role in the hacking group.
The email claimed that the “threat actor” appeared to be cybersecurity expert Vinny Troia. Troia published an investigation of Dark Overlord last year.
Troia could not immediately be reached for comment. On Twitter, he speculated that he may have been the subject of what he called a smear campaign. “Should I be happy that the kids who hacked the @FBI email servers decided to do it in my name?” he wrote.
Although online scammers often create fake emails that claim to be from official sources, it is highly unusual for a hacker to break into a government server – and experts say the incident highlights the vulnerabilities of email communication.
Russian government hackers last year breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign, and Chinese government hackers are believed to have compromised dozens of U.S. government agencies.
“It could have been a lot worse,” Berglas said. “When you have ownership of a trusted dot-gov account like this, it can be weaponized and used for pretty nefarious purposes. [The FBI] probably dodged a bullet.”
