Vinny Troia, the cybersecurity researcher mentioned in a fake alert gushed out to thousands of people from the FBI’s own email system on Friday night, has fingered the guy who allegedly pulled off the exploit.
Troia – white hat threat hunter, cybercrime investigator and founder of security firms Night Lion Security and its rebranded version, Shadowbyte – said in a post published Tuesday that he was contacted on Friday night by the actor who claimed responsibility, Pompompurin.
Late on Friday night, an FBI system – specifically, the Law Enforcement Enterprise Portal (LEEP) – had begun pumping out alerts about fake cyberattacks, sent from the very real FBI address eims@ic.fbi.gov. The emails went out to about 100,000 email addresses scraped from the North American Registry for Internet Numbers (ARIN) database. Given that the email headers were real, they caused “a lot of disruption,” according to Spamhaus, which initially detected the exploit.
The FBI blamed a software misconfiguration. At about the same time that the bogus warnings were being pumped out, the actor reached out to security journalist Brian Krebs with this message:
“Hi its pompompurin. Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”
On that same night, around 10 p.m. EST, Pompompurin also gave Troia a jeering heads-up, direct-messaging him on Twitter to say “Enjoy” and then following up on Saturday to see if Troia had in fact enjoyed himself. The sparse conversation is shown below in a screen capture:
“I knew immediately an attack was coming as he typically likes to (sadistically) give me a heads-up right before they stage some sort of attack on me.” Troia said in his writeup.
It turns out that Troia and Pompompurin have quite the sparring history.
The fake FBI alerts tied Troia to The Dark Overlord – a cybercriminal group that Night Lion Security had published research on in January and which it continues to investigate. “The purpose of the email was to apparently discredit Night Lion & Shadowbyte’s founder, Vinny Troia, claiming that I am a member of that group,” Troia said in his Tuesday writeup.
Troia gave what he called a brief (but hair-raising) history of his experience with Pompompurin:
“The last time this happened he sent me a message informing me that the National Center for Missing and Exploited Children posted a blog naming me as a sexual predator” he wrote. “Before that it was a heads up on a DDOS attack on our free consumer Breach Check website; before that [the actor] hacked my personal Twitter using a private API key that was stolen from our Data Viper website, in order to send out a number of childish Tweets to reporters; before that he tried to publicly frame me for the hack on Astoria company; and before that, it was something else.”
Troia thinks he knows Pompompurin’s real identity: The actor is allegedly a young man from Calgary, Canada, who was named in a July 2020 report that described him as “the alleged mastermind” behind several major cybercrime groups, including The Dark Overlord, Gnosticplayers and Shiny Hunters.
According to the report, the Canadian who’s allegedly the Pompompurin threat actor was responsible for leading groups – and engineering attacks – that were “responsible for nearly 40% of all non-credit card-related data breaches over the past 4 years.”
Innocent Until Arrested/Extradited/Proven Guilty
Keenan Skelly, CEO of ShadowByte, told Threatpost via email on Tuesday that the findings contained in the 2020 report, “Identifying Pompompurin: Attribution of the hacker behind the FBI email hoax,” have been reported to the St. Louis FBI and the Calgary Police Department.
US Congressman Luis (Lou) Correa, CA-46, (House Committee on Homeland Security, Congressional Cyber Security Caucus), confirmed to the ShadowByte team that Friday’s breach of the DHS/FBI LEEP email server could be attributed to the Calgary man. He called the breach “the latest in a long string of data breaches which evidence indicates can be attributed to one individual operating in Calgary, Canada.”
Legalities are keeping the United States from getting their hands on or extraditing him, however, the congressman said: “Unfortunately, Canadian cyber security and privacy law have made it difficult to arrest this individual, and extradite him once apprehended.”
“Since July of this year, I have been receiving research and intelligence from the leadership team at ShadowByte, a Threat Intelligence Company investigating the hacker,” Correa added. “In reviewing the details of their investigation and evidence, it is clear that we (US) must do better in our coordination with other countries for extradition of cyber crime suspects.”
He concluded by lamenting the lack of success the country has had in rooting out cybercriminals that are right on the country’s doorstep: “While recent efforts at curbing international Ransomware organizations have focused on extradition, this has been limited to Russia and China,” he said. “Meanwhile, cyber criminals in other parts of the world, much closer to our own borders, seem to have carte Blanche while they hide behind their country’s laws. My office will continue to push the importance of this on The Hill and to the White House.”
Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, “Password Reset: Claiming Control of Credentials to Stop Attacks,” on Wed., Nov. 17 at 2 p.m. ET. Brought to you by Specops.
Register NOW for the LIVE event and submit your questions ahead of time via the registration page.