Published: 11/13/2021
Earlier today, the FBI’s Law Enforcement Enterprise Portal (LEEP) was compromised and abused to send fake notification emails warning of a “sophisticated chain attack.” The email names an extortion gang, “TheDarkOverlord,” and claims that the attacker is using “fastflux technologies.” The Spamhaus Project, which monitors spam traffic globally, has confirmed that these emails really originate from genuine FBI mail infrastructure and are not spoofed. See this Twitter thread: https://twitter.com/spamhaus/status/1459450061696417792
The email comes from eims@ic.fbi.gov and has gone out in two waves (according to Spamhaus), to addresses scraped from publicly available contact information.
The email’s content is as follows:
Our intelligence monitoring indicates exfiltration of several of your virtualized clusters in a sophisticated chain attack. We tried to blackhole the transit nodes used by this advanced persistent threat actor, however there is a huge chance he will modify his attack with fastflux technologies, which he proxies through multiple global accelerators. We identified the threat actor to be Vinny Troia, who is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems and IDS monitoring. Beware this threat actor is currently working under inspection of the NCCIC, as we are dependent on some of his intelligence research we can not interfere physically within 4 hours, which could be enough time to cause severe damage to your infrastructure.
Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection and Analysis | Network Analysis Group
The recipient addresses appear to have been harvested from the American Registry for Internet Numbers (ARIN) database, that is, from the public point-of-contact records attached to IP address and ASN registrations.
As a relief to those receiving this notice: although the message really was sent from legitimate FBI servers, the content is fake. One practical consequence is that sender-authentication checks such as SPF will pass for this mail, because it did leave the FBI’s own infrastructure; only the content gives it away. That said, this is still a good time to look at one’s own IT security to ensure the safety of the company.
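The point above, that a message can pass sender authentication and still be bogus, is worth turning into a concrete triage check. The following is an added example written for this post, not code from the original page or from Spamhaus or the FBI. It parses a constructed sample message, scores “did the claimed sender domain actually send this” (from the receiving MTA’s Authentication-Results header) separately from “does the content match this campaign” (phrases taken from the email body quoted above), and treats the combination of an authenticated source and campaign indicators as the worst case. The From address and body text are from the post; the relay host name, the 192.0.2.10 address (TEST-NET-1), the receiving host and the Authentication-Results line are constructed placeholders, not the FBI’s real mail relays.

```python
"""Added example (not from the original post): triage one of the fake
FBI/DHS notification emails.  Sender authentication and content
plausibility are scored separately, because for this campaign the
sending infrastructure was genuine and SPF would pass."""

import email
import re
from email import policy
from email.utils import parseaddr

# Phrases lifted from the email body quoted in the post, used as content
# indicators for this specific campaign (matched case-insensitively).
INDICATORS = (
    "sophisticated chain attack",
    "fastflux technologies",
    "thedarkoverlord",
    "vinny troia",
    "nccic",
    "network analysis group",
)

# Constructed sample.  From address and body are from the post; the relay
# name, 192.0.2.10 (TEST-NET-1), the receiving host and the
# Authentication-Results line are placeholders written the way a receiving
# MTA would record mail that genuinely came from the ic.fbi.gov domain.
SAMPLE_EMAIL = b"""\
Received: from relay.example.invalid (relay.example.invalid [192.0.2.10])
\tby mx.victim.example with ESMTPS id 000001; Sat, 13 Nov 2021 04:58:00 +0000
Authentication-Results: mx.victim.example;
\tspf=pass smtp.mailfrom=eims@ic.fbi.gov; dkim=none
From: eims@ic.fbi.gov
To: noc@victim.example
Subject: Urgent: Threat actor in systems
Content-Type: text/plain; charset=utf-8

Our intelligence monitoring indicates exfiltration of several of your
virtualized clusters in a sophisticated chain attack. We tried to
blackhole the transit nodes used by this advanced persistent threat
actor, however there is a huge chance he will modify his attack with
fastflux technologies, which he proxies trough multiple global
accelerators. We identified the threat actor to be Vinny Troia, whom is
believed to be affiliated with the extortion gang TheDarkOverlord.
Stay safe, U.S. Department of Homeland Security | Cyber Threat Detection
and Analysis | Network Analysis Group
"""


def authentication_summary(msg):
    """Read the SPF verdict and envelope sender from Authentication-Results
    and check that the envelope domain aligns with the header From domain."""
    auth = str(msg.get("Authentication-Results", ""))
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    envelope = mailfrom.group(1) if mailfrom else ""
    envelope_domain = envelope.rsplit("@", 1)[-1].lower()
    header_addr = parseaddr(str(msg.get("From", "")))[1]
    header_domain = header_addr.rsplit("@", 1)[-1].lower()
    return {
        "spf": spf.group(1).lower() if spf else "none",
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "aligned": bool(envelope_domain) and envelope_domain == header_domain,
    }


def content_indicators(text):
    """Return the campaign phrases present in the text, in INDICATORS order."""
    lowered = text.lower()
    return [phrase for phrase in INDICATORS if phrase in lowered]


def triage(raw):
    """Classify a raw RFC 5322 message: authenticated source vs. campaign content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    auth = authentication_summary(msg)
    hits = content_indicators(text + "\n" + str(msg.get("Subject", "")))
    authenticated = auth["spf"] == "pass" and auth["aligned"]
    if hits and authenticated:
        verdict = "fake-content-from-genuine-source"   # this campaign
    elif hits:
        verdict = "indicators-but-unauthenticated"     # copycat / spoof
    elif authenticated:
        verdict = "authenticated-no-indicators"
    else:
        verdict = "unauthenticated-no-indicators"
    return {"source_authenticated": authenticated, "auth": auth,
            "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

In a production mail pipeline only trust the Authentication-Results header written by your own MTA (identified by its authserv-id, `mx.victim.example` in the sample); a sender can inject a forged one, so inbound gateways normally strip any such header that names their own authserv-id before adding their own.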
World Technology’s take on this: although the email arrives via a genuine delivery path and the verbiage is eloquent, the recipients of these notices do not need to act on the email itself. The real cause for concern is why the recipients’ email addresses and contact details ended up in the ARIN database in the first place, since those records link individuals to companies and positions. ARIN requires a point of contact for every registered resource, so a record usually cannot be removed outright; contact ARIN to find out what can be changed and, where possible, replace named individuals with role-based mailboxes (for example an abuse@ or noc@ address) so that a scrape of the database does not expose a specific employee.