According to three people familiar with the situation, Apple Inc. and Meta Platforms Inc., the parent company of Facebook, supplied user data to hackers who impersonated law enforcement officials. In mid-2021 both companies responded to forged "emergency data requests" by handing over basic subscriber details, including the customer's address, phone number and IP address.
Such requests are normally granted only when accompanied by a search warrant or subpoena signed by a judge. Emergency requests, by contrast, do not require a court order.
The same hackers sent a forged legal request to Snap Inc., but it is unclear whether the company responded with data. It is also unclear how many times the companies released information in response to forged requests.
Lapsus$
Cybersecurity experts believe that some of the hackers who sent the forged requests are minors in the UK and the US. According to the experts, one of them is also suspected of being the mastermind behind the cybercrime group Lapsus$, which has attacked Microsoft Corp., Samsung Electronics Co. and Nvidia Corp., among others. The City of London Police recently arrested seven people in connection with an investigation into the Lapsus$ gang; that investigation is ongoing.
An Apple representative directed Bloomberg News to a portion of Apple's law enforcement guidelines. Those guidelines state that the government or law enforcement official who submitted an emergency request "may be contacted and asked to confirm to Apple that the emergency request was legitimate."
“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement.
“We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”
Snap did not immediately respond to a request for comment, but a representative said the company has safeguards in place to detect fraudulent law enforcement requests. As part of criminal investigations, law enforcement agencies around the world routinely ask social media companies for information about their users. In the US, such requests are normally accompanied by an order signed by a judge. Emergency requests are intended for situations involving imminent danger and do not require court approval.
Recursion Team
According to three people involved in the inquiry, hackers linked to a cybercrime group known as the "Recursion Team" are suspected of being behind some of the forged legal requests sent to companies in 2021. The Recursion Team no longer exists, but many of its members continue to carry out attacks under different names, including as part of Lapsus$, the people said.
According to one person familiar with the investigation, the information obtained through the forged requests was used to enable harassment campaigns. Three people said it may also be used primarily to facilitate financial fraud: knowing a victim's address, phone number and IP address can help an attacker get past account security checks.
To protect the identities of the people targeted, Bloomberg is also withholding certain details of the incidents.
According to two people, the forged legal requests are part of a months-long campaign that began in January 2021 and targeted multiple technology companies. One of them said the hackers may have obtained genuine legal requests by breaking into law enforcement email systems and then used them as templates for the forgeries.
"In every instance where these companies messed up, at the core of it there was a person trying to do the right thing," said Allison Nixon, chief research officer at the cybersecurity firm Unit 221B. "I can't tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user."
Discord
Hackers also forged an emergency data request to obtain information from the social media network Discord, Krebs on Security reported on Tuesday. Discord confirmed in a statement to Bloomberg that it had complied with the forged request.
“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in a statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”
“Every single agency handles them differently”
Apple and Meta both publish figures on how they respond to emergency data requests. Apple received 1,162 emergency requests from 29 countries between July and December 2020 and, according to its report, provided data in response to 93 percent of them.
Meta said it received 21,700 emergency requests worldwide from January to June 2021 and provided data in response to 77 percent of them.
“In emergencies, law enforcement may submit requests without legal process,” Meta also states on its website. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good-faith reason to believe that the matter involves imminent risk of serious physical injury or death.”
Companies' systems for receiving data requests are a patchwork of email addresses and company portals. With tens of thousands of law enforcement agencies around the world, ranging from small police departments to federal agencies, handling legal requests is difficult, and the rules governing how user data may be requested and released differ by jurisdiction.
"There's no one system or centralized system for submitting these things," said Jared Der-Yeghiayan, a director at the cybersecurity firm Recorded Future Inc. and former cyber program leader at the Department of Homeland Security. "Every single agency handles them differently."
Companies such as Meta and Snap have their own legal request portals, but they still receive requests by email and monitor them around the clock, according to Der-Yeghiayan.
Complex situation
Apple likewise accepts legal requests for user data at an apple.com email address, “provided it is transmitted from the official email address of the requesting agency,” according to Apple’s legal guidelines.
Login credentials for law enforcement email accounts are also offered for sale on criminal marketplaces, which makes compromising the email domains of police agencies around the world far easier.
"Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50," said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc.
According to Yoo, previously unknown vulnerabilities in Microsoft Exchange email servers were used to target numerous law enforcement agencies last year, "leading to further intrusions."
Nixon of Unit 221B said a workable defense against forged legal requests sent from compromised law enforcement email systems will be difficult to find.
"The situation is very complex," she said. "Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy."
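The cases above share one verification gap: Apple's guideline accepts a request sent from an agency's official email domain, and Discord confirmed that the requesting account was genuine, yet in the Discord case the mailbox itself had been taken over. A sender-domain check (or even a passing SPF/DKIM result) proves that a message left the agency's mail infrastructure, not that the officer wrote it. The following is an added illustration, not code from Bloomberg, Apple, Meta or Discord, of a triage routine that treats email authentication as necessary but not sufficient, limits the data an emergency disclosure can cover, and confirms the cited case number by calling a switchboard number taken from an independently maintained directory rather than from the email. The agency directory, case registry, domain names, phone numbers and case identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed directory: agency email domains mapped to a switchboard number
# maintained independently of any incoming message (hypothetical values).
AGENCY_DIRECTORY = {
    "police.example.gov": {"name": "Example City Police", "switchboard": "+1-555-0100"},
}

# Fields an emergency disclosure may cover; anything else needs legal process.
EMERGENCY_SCOPE = {"address", "phone", "ip"}


@dataclass
class EmergencyRequest:
    sender: str                        # From: address on the email
    auth_results: dict                 # parsed Authentication-Results, e.g. {"spf": "pass", "dkim": "pass"}
    case_number: str                   # agency case reference cited in the request
    requested_fields: set
    callback_number_in_email: Optional[str] = None


@dataclass
class Decision:
    release: bool
    blocking: list = field(default_factory=list)   # reasons the request must not be fulfilled
    notes: list = field(default_factory=list)      # anomalies to log even if released


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage(req: EmergencyRequest, confirm_case: Callable[[str, str], bool]) -> Decision:
    """Decide whether an emergency data request may be fulfilled.

    confirm_case(switchboard, case_number) stands in for the out-of-band phone
    call; it is always made to the directory number, never to one in the email.
    """
    d = Decision(release=False)
    agency = AGENCY_DIRECTORY.get(sender_domain(req.sender))
    if agency is None:
        d.blocking.append("sender domain is not a known agency domain")
        return d

    # SPF/DKIM show the message came from the agency's mail servers. A hijacked
    # mailbox passes this check, so it cannot be the final word.
    if req.auth_results.get("spf") != "pass" or req.auth_results.get("dkim") != "pass":
        d.blocking.append("SPF/DKIM did not pass; sender header may be spoofed")

    excess = set(req.requested_fields) - EMERGENCY_SCOPE
    if excess:
        d.blocking.append(f"fields outside emergency scope: {sorted(excess)}")

    # A callback number supplied in the email is attacker-controlled input.
    if req.callback_number_in_email and req.callback_number_in_email != agency["switchboard"]:
        d.notes.append("callback number in email differs from directory; directory number used")

    if not d.blocking:
        if confirm_case(agency["switchboard"], req.case_number):
            d.release = True
        else:
            d.blocking.append("agency did not confirm the case via the directory switchboard")
    return d


# Constructed stand-in for the phone call: (switchboard, case) pairs the agency
# would confirm if asked.
AGENCY_CASE_REGISTRY = {("+1-555-0100", "EX-2021-0417")}


def simulated_callback(switchboard: str, case_number: str) -> bool:
    return (switchboard, case_number) in AGENCY_CASE_REGISTRY


def sample_requests() -> dict:
    """Constructed requests for the three situations discussed in the article."""
    return {
        # Officer at the keyboard, real case: every check passes.
        "genuine": EmergencyRequest(
            sender="det.lee@police.example.gov",
            auth_results={"spf": "pass", "dkim": "pass"},
            case_number="EX-2021-0417",
            requested_fields={"address", "phone", "ip"},
        ),
        # Forged From: header sent from outside the agency: fails SPF/DKIM.
        "spoofed_header": EmergencyRequest(
            sender="det.lee@police.example.gov",
            auth_results={"spf": "fail", "dkim": "none"},
            case_number="EX-2021-0417",
            requested_fields={"address"},
        ),
        # Compromised mailbox (the Discord situation): authentication passes,
        # but the cited case does not exist and the email offers its own callback number.
        "hijacked_mailbox": EmergencyRequest(
            sender="det.lee@police.example.gov",
            auth_results={"spf": "pass", "dkim": "pass"},
            case_number="EX-2021-9999",
            requested_fields={"address", "phone", "ip"},
            callback_number_in_email="+1-555-0199",
        ),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(name, triage(req, simulated_callback))
```

The point of the third sample is that it passes every check a domain- or account-based policy would apply; only the callback to a number the company already holds exposes it, which is why the callback must never use contact details supplied in the request itself.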