To hack an FBI email system, it takes a lot of motivation, even more technical skill, and, perhaps, a dash of humor.
Over the weekend, someone—or a team of someones—compromised an FBI email system and sent out a flurry of bogus messages to state and local law enforcement about a supposed cyberattack. But instead of trying to wreak havoc, the purpose of the hack seems to have been to troll one particular information security executive: Vinny Troia, the founder and head of security research at Shadowbyte.
At least, that’s Troia’s version.
The tale turns out to involve a number of mysterious characters, including Troia, a hacking collective that’s been going after the likes of Netflix and Montana schools, and someone that goes by the online alias of “Pompompurin.”
As of Wednesday, the FBI hadn’t confirmed Troia’s suspicions about why he was named in the email, and it didn’t respond to a request for comment for this story. What isn’t disputed, however, is that someone accessed an FBI email system and sent a message pinning a cyberattack that didn’t happen on Troia.
“We identified the threat actor to be Vinny Troia, whom [sic] is believed to be affiliated with the extortion gang TheDarkOverlord. We highly recommend you to check your systems,” the hacker wrote in the duped messages. “Stay safe.”
TheDarkOverlord, an extortion-focused hacking collective, has run hacking schemes that have garnered headlines around the nation in recent years—the collective is behind the attack against Netflix in 2017, when it leaked Orange Is the New Black episodes before airing. It’s the same collective that has been hitting health care organizations for years, and a group by the name TheDarkOverlord Solutions, suspected to be the same collective, which ran an extortion scheme against schools in Montana, while issuing a healthy dose of death threats and ominous references to school shootings.
Troia, whose company recently rebranded to Shadowbyte from Night Lion Security, published a report in July 2020 detailing what he claims are the identities of the members and puppeteers of TheDarkOverlord hacking collective. And he told The Daily Beast that he believes the hacker behind the fake FBI email is somehow linked with TheDarkOverlord. His theory is they named him in the message as revenge for exposing members of their collective.
For now, Troia’s story remains unconfirmed. He published a blog post about his suspicions Tuesday that does not confirm with certainty who was behind the attack.
But Troia has been known to fudge the reality of events in previous hacking incidents. In a recent publication, Troia admitted he staged a hack against his own site, and then bragged about it on a cybercrime forum, ostensibly to see which criminals clamored for more. He has also attempted to sell leaked data on a cybercrime forum, only to claim he later didn’t really intend to sell it, according to investigative reporter Brian Krebs.
This time, however, there appears to be some credence to Troia’s story about the FBI hack.
For one, Krebs reports that a hacker that goes by the alias “Pompompurin” told him in an interview this week that they were behind the FBI compromise and the fake emails. The hacker claimed they discovered a poorly set up email system and then sent the messages to spread awareness about the misconfiguration so the FBI could fix it.
It’s unclear who runs the Pompompurin alias—Pompompurin did not return a request for comment—but Troia does have a long-standing rivalry with this Pompompurin.
Troia and the alias send barbs back and forth over Twitter with frequency. Troia says Pompompurin has accused Troia of being a pedophile. And Troia has claimed Pompompurin previously hacked his Twitter account to send out explicit, sexual messages to his contacts.
Regardless of who took over the FBI email system briefly this weekend, the entire incident has left cybersecurity pros and law enforcement officials scratching their heads at why whoever is behind the incident didn’t take advantage of their access to the FBI email to issue more damaging fake messages.
For instance, they could have laced the legitimate-looking emails with malware or malicious attachments that could have compromised the FBI’s trusted partners. And yet, the emails didn’t appear to contain any malware, and were likely not aimed at this kind of broader hacking campaign, according to Spamhaus, a non-profit that tracks spam and digital threats. Instead, the hacker or hackers behind this operation appeared to just be messing around, Carel Bitter, the head of data at Spamhaus, told The Daily Beast.
“There are far, far worse things you could do than this. If you have this, you say, ‘I’m just going to have fun with it?’ That’s just a big middle finger,” said Bitter, whose group first caught onto the bogus message flurry. “They made the FBI look bad. Using something like that for something that’s sort of a joke like this is quite brazen.”
The fact that the hacker or hackers didn’t lace any malware or malicious attachments in the messages indicates they could have just stumbled across the misconfiguration and decided to take advantage to gain a name for themselves in the underground forums, where showing you’re capable of hitting high-value targets earns street cred, said Austin Berglas, the former chief of the FBI’s New York Office Cyber Branch.
In Berglas’ telling, the hackers could be looking to say, “‘Hey guys we’re the group responsible for compromising the FBI unclass email,’ and use that to elevate their status on the forums.”
“It would have been very, very easy for someone to load up that email that went out with malicious attachments and own hundreds of thousands of additional accounts,” Berglas added.
But the move—hacking for shits, giggles, and maybe personal vendettas—is a bit unusual these days. The age of cybercriminals just hacking to play pranks has been on a bit of a downturn in recent years.
”I think the ‘lols’ and the jokey, doxxing type has really reduced also because a lot of the splinter cells and the collectives… have not been as proliferating,” added Berglas, who investigated one of the most prominent groups, Lulzsec, which hacked websites to embarrass them.
Making a big show of it is one way for the hacker or hackers behind the operation “to say, ‘look I exploited weak code in the portal, I got in there and I didn’t use it to its fullest capacity. I just used it as a way to send out a silly message. And oh, by the way, that’s because I can get into anything,’” Berglas told The Daily Beast. “Hackers do that… just to show they can.”
The FBI, for its part, did issue a statement over the weekend about the breach, noting it was “aware of a software misconfiguration that temporarily allowed an actor to… send fake emails.”
“Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks,” the FBI said.