strange scam? email claiming to be from the fbi

Christopher Morrow morrowc.lists at gmail.com
Mon Nov 15 15:14:30 UTC 2021


https://www.washingtonpost.com/nation/2021/11/14/fbi-hack-email-cyberattack/

On Mon, Nov 15, 2021, 09:56 Glenn McGurrin via NANOG <nanog at nanog.org>
wrote:

> I had a bit of an odd one this morning, I received two emails through
> contacts listed in whois subject: "Urgent: Threat actor in systems" from
> "eims at ic.fbi.gov".  I was all set to ignore them as an odd bit of spam
> but did a quick check on the headers and was surprised to see it had
> valid DKIM and SPF and was from an actual FBI IP, cue real worry
> starting.  Luckily it looks like it was a case of something being hacked
> on the FBI's end, as when I called they immediately knew what I was calling
> about and said they had dealt with the compromised equipment.  Further
> googling after that call shows a few more reports of this, e.g.
> https://twitter.com/spamhaus/status/1459450061696417792 and
>
> https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966
> but I figured I'd mention it here so others don't get caught quite as
> off guard.
>
> Best guess I can come up with is it's an attempt to ruin the person
> mentioned in the email's name and/or promote the name of the mentioned
> gang.  The specifics seem off for trying to get someone swatted given if
> you thought this was real what local agency would want to storm a
> federal operation with swat agents, and if you thought this was all
> fake, then you wouldn't go either.  That or create FUD for any other
> warnings issued and distract from something else going on.
>
>
> Full body of the email:
>
> Our intelligence monitoring indicates exfiltration of several of your
> virtualized clusters in a sophisticated chain attack. We tried to
> blackhole the transit nodes used by this advanced persistent threat
> actor, however there is a huge chance he will modify his attack with
> fastflux technologies, which he proxies through multiple global
> accelerators. We identified the threat actor to be Vinny Troia, who is
> believed to be affiliated with the extortion gang TheDarkOverlord. We
> highly recommend you to check your systems and IDS monitoring. Beware
> this threat actor is currently working under inspection of the NCCIC, as
> we are dependent on some of his intelligence research we can not
> interfere physically within 4 hours, which could be enough time to cause
> severe damage to your infrastructure.
> Stay safe,
> U.S. Department of Homeland Security | Cyber Threat Detection and
> Analysis | Network Analysis Group
>