November 18, 2021

What We Can Learn From the FBI Email Hack

Bones Ijeoma

CEO and co-founder

An attacker was able to access the FBI's email server and send thousands of faked emails from it. Here’s what we can learn from the incident.

Last week, the Federal Bureau of Investigation (FBI) confirmed that an attacker was able to access their email server and send thousands of faked emails from it. The emails were spammed to at least 100,000 people and falsely warned recipients that they had fallen victim to a cyberattack.

The FBI Statement on Incident Involving Fake Emails, which was updated on November 14, 2021, reads:

The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners. While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident, we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.

KrebsOnSecurity was contacted by the alleged perpetrator of the spam attack, who told them, “I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.” The hacker claimed to have done it to expose flaws in the FBI’s system. It also appears that the attacker attempted to defame, or at least troll, cybersecurity researcher Vinny Troia, who was named in the fake emails as the “threat actor.”

Lessons Learned

There are a few things we can learn from the incident:

  • Invest in multi-layered security like AllSafe IT’s Safe Total. Attackers will look for any way into your systems. The FBI spam attacker was able to gain access through a vulnerability in their website. Make sure you have defensive measures in place at all levels including computers, servers (including cloud servers), mobile devices, wireless access points, firewalls, and websites.
  • Put your security plan to the test. Invest in penetration testing to identify any vulnerabilities and strengthen your security posture. You don’t want to wait for someone like the FBI’s attacker to expose these weaknesses first.
  • Sometimes checking the email headers isn’t enough. Security Awareness Training tells us to check email headers before responding to or clicking on an email that seems suspicious. While this is solid advice, in this case it wouldn’t have helped: the hacker was sending through the FBI’s own server, so the emails really did come from the FBI’s system and their headers would have looked legitimate.
  • Verify unusual or significant requests over the phone. If in doubt, pick up the phone and call the alleged sender to verify if they sent the request. Make sure to use a phone number you trust and not a number listed in the email.
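The third and fourth lessons above are worth seeing in code, because they are the same point from two sides: sender authentication (SPF, DKIM, DMARC) only proves which infrastructure a message left, not whether the request inside it is genuine. The script below is an added example written for this post; it is not code from the original article or from AllSafe IT. It parses the Authentication-Results header a receiving mail server adds, and shows that a message sent through a legitimate server authenticates cleanly while a plainly spoofed one fails. It then applies the fourth lesson as policy: an authenticated message that carries an urgent or alarming request is routed to out-of-band (phone) verification instead of being trusted on its headers alone. The domains, header values and pressure-phrase list are all constructed placeholders, and the header parser is deliberately simplified (it ignores comments and multiple results per method).

```python
import email
from email import policy

# Constructed sample 1: mail that genuinely left the sending organization's own
# notification server, so the receiving MTA records spf/dkim/dmarc as "pass".
# Domains are placeholders, not real infrastructure.
SAMPLE_FROM_LEGIT_SERVER = """\
Authentication-Results: mx.example-recipient.test;
 spf=pass smtp.mailfrom=notifications.example-agency.test;
 dkim=pass header.d=example-agency.test;
 dmarc=pass header.from=example-agency.test
From: Alerts <alerts@example-agency.test>
To: admin@example-recipient.test
Subject: Urgent: your systems have been compromised

Your network has been breached. Respond immediately with your contact details.
"""

# Constructed sample 2: a classic forgery of the same From address sent from
# elsewhere, which the receiving MTA records as failing authentication.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example-recipient.test;
 spf=fail smtp.mailfrom=example-agency.test;
 dkim=none;
 dmarc=fail header.from=example-agency.test
From: Alerts <alerts@example-agency.test>
To: admin@example-recipient.test
Subject: Urgent: your systems have been compromised

Your network has been breached. Respond immediately with your contact details.
"""

# Constructed heuristic: wording that pressures the recipient into acting fast.
PRESSURE_PHRASES = ("urgent", "immediately", "compromised", "breached")


def parse_auth_results(header_value):
    """Return {method: result} from an Authentication-Results header value.

    Simplified parser: the first ';'-separated clause is the authserv-id and
    each later clause starts with 'method=result'. Comments and multiple
    results for one method are not handled.
    """
    clauses = [c.strip() for c in " ".join(header_value.split()).split(";")]
    results = {}
    for clause in clauses[1:]:
        if not clause:
            continue
        method, _, result = clause.split()[0].partition("=")
        results[method.lower()] = result.lower()
    return results


def origin_authenticated(results):
    """True when DMARC passed on top of at least one aligned SPF/DKIM pass."""
    return results.get("dmarc") == "pass" and (
        results.get("spf") == "pass" or results.get("dkim") == "pass"
    )


def triage(raw_message):
    """Decide what to do with a message: reject, deliver, or verify by phone.

    Authentication answers "did this really come from that server?"; it says
    nothing about whether the request is legitimate, so authenticated mail
    that applies pressure still goes to out-of-band verification.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    authenticated = origin_authenticated(results)

    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    pressure = [p for p in PRESSURE_PHRASES if p in text]

    if not authenticated:
        verdict = "reject"
    elif pressure:
        verdict = "verify_out_of_band"
    else:
        verdict = "deliver"

    return {
        "auth_results": results,
        "origin_authenticated": authenticated,
        "pressure_phrases": pressure,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("legit server", SAMPLE_FROM_LEGIT_SERVER),
                          ("spoofed", SAMPLE_SPOOFED)):
        print(label, triage(sample))
```

The "reject" branch is what header checks and DMARC enforcement already buy you; the "verify_out_of_band" branch is the part those checks cannot provide, and it is the branch the FBI-server messages would have landed in. In a real mail pipeline the phone verification step is a human process, so the script only records the decision.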

About AllSafe IT

AllSafe IT is an IT services, consulting, and IT support firm with a dedicated, certified team of technology experts and a client base spanning a wide range of industries. In today's ultra-competitive world, businesses that don't use the full potential of their IT systems often fall behind their competitors, which can ultimately lead to failure. Our services are custom-tailored to ensure that your business not only survives, but thrives.