Did someone manage to break into the FBI's servers? If the events of the weekend are anything to go by, the United States' federal police force is not as secure as you would expect.
So, what happened and who was behind the apparent cyberattack?
In a statement, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) confirmed the incident without providing details.
“The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account,” read the statement posted on the FBI’s website on Saturday. “This is an ongoing situation, and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue.”
"We continue to encourage the public to be cautious of unknown senders and urge you to report any suspicious activity," the statement added.
What more do we know?
Shortly after the FBI made the incident public, Spamhaus, the European organisation that tracks spam and related cyber threats, tweeted that the emails were fake.
“We have been made aware of "scary" emails sent in the last few hours that purport to come from the FBI/DHS,” the tweet said. “While the emails are indeed being sent from infrastructure that is owned by the FBI/DHS (the LEEP portal), our research shows that these emails *are* fake.”
There was no indication at that point of how the emails had been sent: by someone with legitimate access to the portal, or by an outside attacker.
On Sunday, the FBI released a second statement saying that no data had been compromised.
“No actor was able to access or compromise any data or (personally identifiable information) on FBI’s network,” the bureau said. “Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
According to The Washington Post, cybersecurity experts said “the fact that the email didn’t include any malicious attachments could indicate the hackers stumbled across a vulnerability in the FBI portal and didn’t have a particular plan to exploit it.”
“It could have been a lot worse,” Austin Berglas, a former assistant special agent in charge of the FBI’s New York office cyber branch, told the American newspaper. “When you have ownership of a trusted dot-gov account like that, it can be weaponised and used for pretty nefarious purposes. [The FBI] probably dodged a bullet.”
According to Spamhaus, a large number of fake emails were sent in two waves early on Saturday from an address on the Law Enforcement Enterprise Portal (LEEP), a system run by the FBI and used by many government agencies.
Some of the emails, purporting to come from a Department of Homeland Security cyberattack detection group, were titled “Urgent: Threat actor in systems”.
These emails warned recipients that they were being targeted by a “sophisticated” attack from a known racketeering gang, according to Spamhaus.
“These fake warning emails are apparently being sent to addresses scraped from ARIN [American Registry for Internet Numbers] database,” Spamhaus noted.
“They are causing a lot of disruption because the headers are real, they really are coming from FBI infrastructure. They have no name or contact information in the .sig. Please beware!”
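The point in the Spamhaus note above, that the headers are real and the mail genuinely left FBI infrastructure, is what makes such a hoax hard to filter: SPF, DKIM and DMARC all pass, because those checks attest to the sending infrastructure, not to the content. The script below is an added example written for this page, not code from the article, the FBI or Spamhaus. It uses Python's standard email module to parse the Authentication-Results and Received headers of two constructed messages (a hoax with the reported subject line and an ordinary notice; hostnames, IP addresses, local parts and body text are invented) and shows which content-level signals remain once authentication has passed: an alarming subject, a signature block with no name or contact details, and a recipient that is a role mailbox of the kind listed in registry records.

```python
"""Triage of a message that passes SPF, DKIM and DMARC but is still a hoax.

Added example, not code from the article, the FBI or Spamhaus. All header
values, hostnames, IP addresses (TEST-NET range), local parts and bodies are
constructed; only the sender domain and the subject line follow the article.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed hoax: relayed through the sender's own mail infrastructure, so
# the receiving MTA records spf/dkim/dmarc=pass in Authentication-Results.
HOAX_MESSAGE = """\
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=ic.fbi.gov;
  dkim=pass header.d=ic.fbi.gov;
  dmarc=pass header.from=ic.fbi.gov
Received: from mail.ic.fbi.gov (mail.ic.fbi.gov [192.0.2.10])
  by mx.example.net with ESMTPS; Sat, 13 Nov 2021 04:15:12 +0000
From: alerts@ic.fbi.gov
To: abuse@example.net
Subject: Urgent: Threat actor in systems
Message-ID: <constructed-1@ic.fbi.gov>

You are being targeted by a sophisticated attack. Act immediately.
"""

# Constructed legitimate notice from the same infrastructure, with a proper
# signature block (RFC 3676 "-- " separator, name, role and phone number).
BENIGN_MESSAGE = """\
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=ic.fbi.gov;
  dkim=pass header.d=ic.fbi.gov;
  dmarc=pass header.from=ic.fbi.gov
Received: from mail.ic.fbi.gov (mail.ic.fbi.gov [192.0.2.10])
  by mx.example.net with ESMTPS; Sat, 13 Nov 2021 09:02:44 +0000
From: portal-admin@ic.fbi.gov
To: j.doe@example.net
Subject: Scheduled portal maintenance window
Message-ID: <constructed-2@ic.fbi.gov>

The portal will be unavailable for maintenance on Sunday between 02:00 and
04:00 UTC. No action is required.

-- 
Jane Doe, Portal Operations (constructed contact)
+1 202 555 0100
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)")
# A phone number or an e-mail address inside the signature block.
CONTACT_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d|[\w.-]+@[\w.-]+\.\w+")
ALARM_WORDS = ("urgent", "threat actor", "sophisticated", "compromised")
# Role mailboxes of the kind published in registry (e.g. ARIN) records.
ROLE_LOCALPARTS = {"abuse", "noc", "hostmaster", "postmaster", "admin"}


def parse_message(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg: EmailMessage) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            results[mechanism] = verdict.lower()
    return results


def relay_hosts(msg: EmailMessage) -> list:
    """Hostnames named in the Received chain, oldest hop first."""
    hosts = []
    for header in reversed(msg.get_all("Received", [])):
        match = RECEIVED_FROM_RE.match(str(header).strip())
        if match:
            hosts.append(match.group(1))
    return hosts


def signature_block(body: str) -> str:
    """Text after the '-- ' separator, or the last paragraph if there is none."""
    parts = re.split(r"\n-- ?\n", body, maxsplit=1)
    if len(parts) == 2:
        return parts[1]
    paragraphs = [p for p in body.strip().split("\n\n") if p.strip()]
    return paragraphs[-1] if len(paragraphs) > 1 else ""


def assess(raw: str) -> dict:
    """Separate 'did it authenticate' from 'does the content look like a hoax'."""
    msg = parse_message(raw)
    auth = auth_results(msg)
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    reasons = []
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in ALARM_WORDS):
        reasons.append("alarming subject line")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    if not CONTACT_RE.search(signature_block(body)):
        reasons.append("no name or contact details in signature")
    recipient = str(msg["To"] or "").lower()
    if recipient.split("@")[0] in ROLE_LOCALPARTS:
        reasons.append("recipient is a role address of the kind listed in registry records")
    if not authenticated:
        verdict = "fails authentication"
    elif reasons:
        verdict = "authenticated but suspicious"
    else:
        verdict = "authenticated, no content flags"
    return {"authenticated": authenticated, "relays": relay_hosts(msg),
            "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("hoax", HOAX_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(name, assess(raw))
```

Run it directly to print both verdicts. The heuristics are deliberately simple; the design point is that `authenticated` and `verdict` are separate fields, so a filter that stops at a DMARC pass is not the final word on a message from a trusted domain.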
According to Spamhaus, the attackers' goal may have been to flood the FBI with phone calls, or to harm Vinny Troia, a well-known US cybersecurity researcher to whom the fake emails referred.
The emails refer to the international hacker group Dark Overlord, which steals data and demands ransoms, and on which Troia published an investigation in 2020.
The attack would not have affected the separate email system the FBI uses to share classified information, according to BlueVoyant, a cybersecurity firm cited by Bloomberg.
This incident comes after the discovery, in December 2020, of the SolarWinds supply-chain attack, one of the most sophisticated ever carried out against the US federal government.