Looks like the Federal Bureau of Investigation's latest case is pretty close to home: The organization's own email network was compromised a few days ago. The hackers sent thousands of emails to system administrators, all cryptographically signed by the FBI and DHS.
And, in a meta twist, the false emails were themselves warning about a (non-existent) cybersecurity threat. That's right, just when we all thought we were completely jaded about how all-encompassing cyberthreats appeared to be, now we can't even trust FBI emails about a crime to not also be crimes themselves!
Here's how it happened, and what we can learn from the whole debacle.
How the FBI Got Hacked
The short version of what appears to have happened here is that a hacker abused an insecure code that was left accessible in an FBI online portal.
The portal, called the Law Enforcement Enterprise Portal or LEEP, lets users create a new account complete with an email confirmation sent from firstname.lastname@example.org with a one-time passcode used to verify that the new account's email address is valid. That's all typical stuff. But apparently, that one-time password was also leaked by the portal, and could be found in the web page's own HTML code. So, the hacker was able to verify themself, and also used a simple script to send the thousands of fake emails.
“Basically, when you requested the confirmation code [it] was generated client-side, then sent to you via a POST Request,” The hacker, who goes by the name Pompompurin, said in an interview. “This post request includes the parameters for the email subject and body content.”
Here's one example screenshot of a fake email:
This is an example email being sent via FBI notification. It is not real. pic.twitter.com/w6fvQrZiAF
— Kevin Beaumont (@GossiTheDog) November 13, 2021
It has a few run-on sentences and misspells “through” at one point, but it's not like those aren't mistakes that an FBI agent couldn't make. Given that the correct cryptographic signature confirms that this was indeed sent from a FBI server, any system admin would be forced to take a second look.
Hacktivism at Work?
The person who explained how the hoax worked, Pompompurin, is also claiming responsibility for it — and pretty convincingly, given that they did so with an email sent from an FBI email address.
In it, they say that they could have done a lot worse, but instead just wanted to make sure the vulnerability was patched up (while presumably gaining a little “hacked the FBI” clout in online circles in the process).
It's another example of how one missed loophole can lead to outsized cybersecurity consequences. In this case, the FBI has plenty of egg on its face. But tomorrow, another small company could be dealing with a similar data leak, and that company won't even have the power of the federal government behind them.
We always recommend password management tools, VPNs, and quality remote access software for businesses trying to stay safe with a remote workforce. But you may want to consider a few training sessions for how to mitigate an attack that has already proven successful — not every attacker out there will be nice enough to just send an email warning about a fake cybersecurity risk every time they find a real one.