IOTW: Hacker highlights FBI vulnerabilities in email hoax

The FBI was recently subject to a hack of its own servers which resulted in fake cyber security alerts being sent to many via a misconfigured web portal. This has been more than just an isolated incident, however, and forms part of an ongoing saga.

The latest attack, which occurred late on 12 November, saw a hacker take advantage of a software misconfiguration which allowed them to use an official FBI email address to send fake security alerts.

The illegitimate email originated from an FBI-operated server, the FBI said in a statement on 14 November, with the server dedicated to pushing notifications for the Law Enforcement Enterprise Portal (LEEP) and was not part of the FBI’s corporate email service.

While the attack highlighted FBI cyber vulnerabilities, the threat actor was not able to access or compromise any data or personally identifiable information on the FBI’s network.

“Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks,” the FBI said.

Hacker identity revealed

It is understood that the hacker is an anonymous individual operating under the name ‘Pompompurin’.

Vinny Troia, founder of the ShadowByte, a threat intelligence company, said in a ShadowByte blog post that he was initially warned of the attack before it happened with a simple direct message on Twitter from the hacker saying “enjoy”.

This is not the first time Pompompurin has contacted Troia according to his blog and he has been given “a heads up” on other attacks by the same individual. The FBI attack is just the latest in a line of clashes between the Pompompurin and Troia.

In an interview with information security journalist Brian Kerbs, published on KrebsOnSecurity, Pompompurin claimed he could have sent more legitimate-looking emails and the hack was done to point out “glaring vulnerabilities in the FBI’s system”.

Cybercrime is global

A US congressman has been following the hacker’s activity closely since July 2021. Representative Lou Correa, chairman of the House Homeland Security Subcommittee on Oversight, Management and Accountability, noted that the 12 November breach was just the latest in a long string of data breaches.

Correa said: “The evidence indicates that it can be attributed to one individual operating in Calgary, Canada. Unfortunately, Canadian cyber security and privacy laws have made it difficult to arrest this individual and extradite him once he is apprehended.”

The congressman also said that since July 2021 he has been receiving research and intelligence from the leadership team at ShadowByte, the threat intelligence company founded by Troia, investigating the hacker.

Correa also stated that in review of the data the US must do better in our coordination with other countries for the extradition of cybercrime suspects.

“While recent efforts at curbing international Ransomware organizations have focused on extradition, this has been limited to Russia and China. Meanwhile, cybercriminals in other parts of the world, much closer to our own borders, seem to have carte blanche while they hide behind their country’s laws. My office will continue to push the importance of this issue in Congress and to the White House,” he said.

Leave a Reply