Pranks are super funny when they’re pulled on the FB freaking I, right?
A suspected group of hackers gained access to an FBI email server and sent “at least” 100,000 spam messages. The emails came with the subject line “Urgent: Threat actor in systems,” which seems like it would be a pretty distressing email to get from the FBI.
The non-profit organization Spamhaus first posted about the breach, noting that the emails were sent in two waves Saturday morning. Recipients told Spamhaus that the emails were “scary.”
The emails weren’t trying to steal money or data from recipients; they were actually just a spam prank. According to Bleeping Computer’s investigation, they most likely came from a group of hackers that has a grudge against security researcher Vinny Troia, who the emails name as the likely “threat actor” referenced in the subject line.
One reason the prank is concerning is that the messages came from an actual FBI email account, originating from an FBI server and IP address. Unlike other spam that comes from an email address that’s not quite right, these came from a source that makes the messages seem legitimate. It is also pretty dang worrisome that these hackers gained access to the FBI’s systems.
However, the FBI said that the email server was isolated from the rest of the agency’s infrastructure “and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII [Personally Identifiable Information] on FBI’s network.”
The technical limit of the hack is a good thing. However, an email from an FBI email address warning of a security risk should be something people trust and take seriously. The hack undermines the agency’s authority, to say the least.
While this is perhaps the most petty use of hacking power on a federal agency, it’s certainly not the first. Notably, Russian hackers breached the networks of multiple federal systems during the Trump years to gain intelligence.
At the beginning of November, the Biden administration ordered federal agencies to basically get their sh*t together on cybersecurity, by auditing their systems and patching vulnerabilities. For the FBI, apparently, the order was too little, too late.