strange scam? email claiming to be from the fbi

• Previous message (by thread): Questions about IRR best practices
• Next message (by thread): strange scam? email claiming to be from the fbi
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I had a bit of an odd one this morning, I received two emails through 
contacts listed in whois subject: "Urgent: Threat actor in systems" from 
"eims at ic.fbi.gov".  I was all set to ignore them as an odd bit of spam 
but did a quick check on the headers and was surprised to see it had 
valid dkim and spf and was from an actual FBI IP, queue real worry 
starting.  Luckily it looks like it was a case of something being hacked 
on the FBI's end as calling they immediately knew what I was calling 
about and said they had dealt with the compromised equipment.  Further 
googling after that call shows a few more reports of this ex. 
https://twitter.com/spamhaus/status/1459450061696417792 and 
https://www.newsweek.com/fbi-email-system-reportedly-hacked-fake-dhs-cyberattack-messages-1648966 
but I'd figured to mention it here so others don't get caught quite as 
off guard.

Best guess I can come up with is it's an attempt to ruin the person 
mentioned in the email's name and/or promote the name of the mentioned 
gang.  The specifics seem off for trying to get someone swatted given if 
you thought this was real what local agency would want to storm a 
federal operation with swat agents, and if you thought this was all 
fake, then you wouldn't go either.  That or create FUD for any other 
warnings issued and distract from something else going on.


Full body of the email:

Our intelligence monitoring indicates exfiltration of several of your 
virtualized clusters in a sophisticated chain attack. We tried to 
blackhole the transit nodes used by this advanced persistent threat 
actor, however there is a huge chance he will modify his attack with 
fastflux technologies, which he proxies trough multiple global 
accelerators. We identified the threat actor to be Vinny Troia, whom is 
believed to be affiliated with the extortion gang TheDarkOverlord, We 
highly recommend you to check your systems and IDS monitoring. Beware 
this threat actor is currently working under inspection of the NCCIC, as 
we are dependent on some of his intelligence research we can not 
interfere physically within 4 hours, which could be enough time to cause 
severe damage to your infrastructure.
Stay safe,
U.S. Department of Homeland Security | Cyber Threat Detection and 
Analysis | Network Analysis Group

• Previous message (by thread): Questions about IRR best practices
• Next message (by thread): strange scam? email claiming to be from the fbi
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]