Energy Department patched flaws enabling email impersonation in critical minerals system

The vulnerabilities could have let malicious users masquerade as agency officials, potentially misleading researchers, contractors and others.

The Energy Department recently fixed an identity verification flaw in a portal supporting its critical minerals programs after a security researcher found the system allowed outside users to register with email addresses that appeared to belong to the department.

According to the researcher, Ronald Lovelace, the portal linked to the Office of Critical Minerals and Energy Innovation had allowed users to register or operate accounts that appeared to be associated with legitimate Energy Department email addresses without properly verifying ownership of those accounts.

The vulnerabilities could have let cyberspies present themselves as Energy officials within the system, potentially misleading researchers, contractors or other top officials who use the platform for program-related communications.

Officials have repeatedly described critical minerals work as economically and strategically sensitive. This particular Energy Department office coordinates efforts to secure domestic supplies of minerals essential to energy technologies and advanced manufacturing, while supporting research and funding initiatives aimed at strengthening U.S. supply chains.

“DOE investigates and remediates all vulnerabilities disclosed through the vulnerability disclosure program (VDP). We do not comment on specific vulnerabilities or their impact on the DOE mission,” an Energy spokesperson said in a statement after publication.

The agency publicly credited Lovelace in its vulnerability disclosure acknowledgments. The exposures have not been previously reported, and there is no evidence that they were exploited.

In an interview, Lovelace said he used a standard reconnaissance method called subdomain enumeration to uncover the verification flaw. By mapping the government site’s infrastructure through publicly available domain and directory listings, he was able to identify the underlying systems of the portal and spot the weaknesses in its identity verification process. The technique is commonly used to map an organization’s digital footprint and identify accessible web assets.

Screenshots provided by Lovelace show him setting up an email account dubbed “admin@energy[.]gov” and using it to send emails. He only sent test emails to himself and to Energy Department IT staff to validate the issues for them.

“This domain enumeration is killing everybody,” Lovelace said, referring to how he sees many organizations’ web structure “overexposed” while performing security work. 

He said the risk is amplified because recipients and security teams are more inclined to trust email addresses that look authentic, particularly in this case, which involved a portal supporting strategically important government programs. 

“Once an email is received and signed by a department’s own digital signature, that creates a unique caveat for burden of proof,” he wrote in a memo describing his findings to Nextgov/FCW.

The flaw underscores how even a limited impersonation capability could be used to extract nonpublic information. An adversary with access to an email appearing to be legitimate could request internal documents, direct recipients to malicious attachments or insert themselves into ongoing program discussions without suspicion.

“This should be a wake up call for every government agency. When adversaries can enumerate federal domains, map critical digital infrastructure and impersonate senior officials without ever breaching a network, the attack surface has fundamentally shifted,” said Jordan Burris, a former White House cybersecurity official and current head of public sector business at digital identity company Socure.

“The impact of identity verification exploits to sensitive federal initiatives threatens mission continuity, public trust, and national security,” he added. “This is the early signal of a darker chapter in cyber risk. Identity trust is essential and the government must move faster than the adversaries seeking to exploit it.”

The Department of Homeland Security’s 2025 Homeland Threat Assessment warns that critical minerals are a prime interest to foreign adversaries. 

Critical minerals serve as vital components in areas like advanced batteries, defense systems and energy technologies. This month, the Trump administration launched Project Vault, a $12 billion stockpile intended to bolster U.S. critical mineral supply. Washington has also zeroed in on minerals business deals in several African nations in an effort to outcompete China in that area.

Editor's note: This article has been updated to include comment from Energy.