Hacker sends spam to 100,000 from FBI email address

An apparently malicious hacker sent spam emails from an FBI email server Friday night to at least 100,000 people, an email spam watchdog group has found.

The person's motives are unknown, and it was not immediately clear the extent to which the hacker gained access to the FBI's email system. The email message was a bizarre, technically incoherent warning that made reference to cybersecurity writer Vinny Troia as well as a cybercriminal group called The Dark Overlord. Troia's company, Night Lion Security, published research on The Dark Overlord in January.

The hacker signed off as the U.S. Department of Homeland Security’s Cyber Threat Detection and Analysis Group, which hasn’t existed for at least two years.

The FBI routinely warns American companies of cyber threats targeting particular industries, or when they learn of malicious hackers trying an effective new technique. This is believed to be the first known case of a seemingly malicious actor gaining access to one of those systems to send spam to a large number of people.

The incident comes on the heels of a number of high-profile breaches of U.S. government networks in recent months, including a Russia-based attack that compromised at least nine federal agencies, and a Chinese-based hacking campaign so severe that the Cybersecurity and Infrastructure Security Agency had to issue a rare mandate for all government agencies to immediately update their software.

While it’s common for scammers to make it appear that they’re sending an email from someone else’s address, the emails’ metadata made it clear that they were sent from an FBI server, said Alex Grosjean, a researcher at the Spamhaus Project, a European nonprofit that monitors email spam.

The recipients of the emails appear to be the publicly listed administrators of websites listed on the American Registry for Internet Numbers, Grosjean said.

In an emailed statement, the FBI and Cybersecurity and Infrastructure Security Agency indicated an unauthorized person had accessed FBI infrastructure and said that the situation was ongoing.

"The FBI and CISA are aware of the incident this morning involving fake emails from an @ic.fbi.gov email account," the statement said. "This is an ongoing situation and we are not able to provide any additional information at this time. The impacted hardware was taken offline quickly upon discovery of the issue. We continue to encourage the public to be cautious of unknown senders and urge you to report suspicious activity to www.ic3.gov or www.cisa.gov."