In November 2021, the Federal Bureau of Investigation (FBI) fell victim to an email attack in which fake emails were sent from its own domain.
The attack was described in its statement: "The FBI is aware of a software misconfiguration that temporarily allowed an actor to leverage the Law Enforcement Enterprise Portal (LEEP) to send fake emails. LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners."1
The FBI has stated that no data or personally identifiable information (PII) was breached. The nature of the attack suggests that the actor wanted to prove a point more than anything else. Though the problem appears to have been identified and remediated quickly, the incident illustrates the danger of misconfigured settings and the reality that even a small vulnerability can carry substantial risk, for any organization.
Cyber and Privacy Lessons Learned
There are many lessons to learn from this event, one being that no one is perfectly safe from cyber and privacy attacks. Even an elite law enforcement agency, with all its resources and talent, can have vulnerabilities that leave it exposed. With the prevalence of such attacks (and of threat actors who want to expose weaknesses in government agency systems, among others), committing to due diligence in cyber and privacy security takes on even greater importance.
For those on the receiving end of the fraudulent emails, this attack is also a good example of why digital communications must always be handled with caution: "The fake emails appeared to be from a legitimate FBI email address ending in @ic.fbi.gov."2 The emails appear to have been fake warnings that the recipients had been compromised. Many of us know the dangers of phishing scams, emails, or texts asking for credit card numbers or personal information. But this incident is a reminder that fake emails are not always obvious. In this case the usual warning signs were absent: the messages were not sent from a lookalike domain but through the FBI's own portal, so inspecting the sender's domain alone would not have exposed them. Even when a request seems to come from a trusted, known source, it is important to verify the sender before sending anything of value. Picking up the phone (after finding a phone number independently rather than using any number provided in the email itself) can make all the difference.
The FBI was fairly fortunate here; given the circumstances, this attack could have been a lot worse. Data could have been breached, or more malicious emails could have been sent to the recipients. Considering the recent "Executive Order on Improving the Nation's Cybersecurity" and the ongoing efforts to promote cooperation between the private and public sectors, we may well continue to see attacks similar to this one, especially attacks that target government agencies. The FBI's response was immediate and included alerting recipients about the fraudulent emails, mitigating the vulnerability, and confirming that its networks were secure.3 Its public statement was forthcoming and succinct and highlighted the need to act cautiously when handling emails.
Counteracting cyber risk requires diligence and a combination of proactive and reactive strategies. With the ever-present threat of cyber and privacy attacks, such as ransomware campaigns that target organizations around large financial events, thinking outside the box when establishing your organization's risk profile is valuable. In a Private Industry Notification, the FBI describes this particular threat as follows: "impending events that could affect a victim's stock value, such as announcements, mergers, and acquisitions, encourage ransomware actors to target a network or adjust their timeline for extortion where access is established."
Threat actors are always gathering information in order to pick the best targets, develop the best strategies, and capitalize on weakness, whether technological or in the "human element." Verifying that best practices are actually followed, and establishing strong cyber security procedures that evolve with the threat landscape, are important factors in staying ahead of the curve. One example is to check (and double-check!) that software settings are properly configured, and to repeat that review whenever a system changes. A "set it and forget it" mentality is never going to cut it. Reactive measures should also be well-rehearsed, with communication channels exercised before an event actually occurs.
As discussed in my last article, "Ransomware, National Cyber Security, and the Private Sector," simple questions should be asked to verify that best practices for cyber security exist and are actually applied. Simple steps can immediately improve an organization's security posture, but a strong security culture requires top-down management support and ongoing education. Learning from recent high-profile events can be especially helpful, as any organization can benefit from reviewing the elements of a "real-life" cyber-attack response.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.