According to three people familiar with the matter, Apple Inc. and Meta Platforms Inc. (the parent company of Facebook) provided customer data to hackers pretending to be law enforcement officers.
In mid-2021, Meta and Apple provided basic subscriber information, including a customer’s address and phone number, in response to forged “emergency data requests.” Unlike ordinary legal process, such emergency requests do not require a court order.
The hackers also sent a forged legal request to Snap Inc., but it is not known whether Snap provided any data in response. It is also unclear how many times companies responded to forged legal requests overall.
Asked for comment, an Apple representative referred Bloomberg News to a section of the company’s law enforcement guidelines.
Those guidelines state that an Apple representative may contact a supervisor at the government or law enforcement agency that made the request to confirm that it is legitimate.
Meta spokesperson Andy Stone said the company reviews every data request for legal sufficiency and uses advanced systems and processes to validate law enforcement requests and detect abuse. “We block compromised accounts from making requests and we work with law enforcement in responding to incidents involving suspected fraudulent requests, like we did in this case.”
Snap did not immediately comment on the matter, but a spokesperson said the company has safeguards in place to detect fraudulent requests from law enforcement.
As part of criminal investigations, law enforcement agencies around the globe routinely request information from social media platforms. In the United States, such requests are usually accompanied by an order signed by a judge. Emergency requests are the exception: they are intended for situations involving imminent danger, and a judge does not have to sign them.
According to three individuals involved in the investigation, hackers associated with the cybercrime group “Recursion Team” are believed to be behind some of the forged legal requests sent to companies throughout 2021.
According to cybersecurity researchers, some of the hackers sending forged requests are believed to be minors located in the U.K. or the U.S.
Recursion Team is no longer active, but some of its members still carry out hacks as part of Lapsus$.
According to one person familiar with the inquiry, the hackers used the information to launch harassment campaigns. The three individuals said it could also be used to facilitate financial fraud schemes, since a victim’s personal details help an attacker bypass account security.
Bloomberg is withholding certain details to protect the identities of those who were targeted.
According to two people, the fraudulent legal requests were part of a long-running campaign targeting many technology companies that began in January 2021. According to three of the people involved in the investigation, the forged legal documents were sent via hacked email domains that belonged to law enforcement agencies from multiple countries.
The forged requests were crafted to look legitimate. Two people said that in some cases the documents carried forged signatures of real or fictional law enforcement officers. According to one person, the hackers may have used legitimate legal requests found in the compromised law enforcement email systems as a basis for the forgeries.
Allison Nixon, chief researcher at the cybersecurity firm Unit 221B, said that “in every instance when these companies messed it up, the core of the matter was someone trying to do the right thing.” “I cannot tell you how many lives have been saved by safety and trust teams because users had the legal freedom to quickly respond to tragic situations.”
Krebs on Security reported on Tuesday that hackers had used a forged emergency data request to obtain information from the social media platform Discord. Discord confirmed to Bloomberg that it had fulfilled a forged legal request.
In a statement, Discord said it had verified the request and confirmed that it came from a legitimate source. “While we verified that the law enforcement account was genuine, we discovered that it had been compromised later by a malicious actor. We have now conducted an investigation into the illegal activity and notified law enforcement regarding the compromised email account.”
Meta and Apple both publish data about their compliance with emergency requests. Apple received 1,162 requests for emergency data from 29 countries between July and December 2020. Apple responded to 93% of these requests, according to the report.
Meta said it received 21,700 emergency requests worldwide between January and June 2021 and provided data in response to 77% of them.
Meta’s website states that “In an emergency, law enforcement may submit a request without legal process.” “Based on the facts, we may voluntarily reveal information to law enforcement if we have a good-faith reason to believe that there is an imminent risk of serious bodily injury or death.”
Fulfilling legal requests is complicated by the sheer number of law enforcement agencies around the globe, ranging from small police departments to large federal agencies, each operating under different laws governing the request and release of user data, and by the many different email addresses and portals through which data can be requested.
“They are handled differently by each agency,” said Jared Der-Yeghiayan, a cybersecurity director at Recorded Future Inc. and a former cyber program lead at the Department of Homeland Security.
According to Der-Yeghiayan, companies such as Snap have their own portals through which law enforcement can submit requests, but they still accept requests by email and monitor them 24 hours a day.
Apple will accept legal requests for user data via an apple.com email address “provided it’s transmitted from the official address of the requesting agency,” according to Apple’s legal guidelines.
The email domains used by law enforcement agencies around the globe can be compromised, however, and the login credentials for such accounts are readily sold on online criminal marketplaces.
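The guidelines quoted above (accept a request only from the agency’s official address; optionally call a supervisor at the agency to confirm it) and the compromised-mailbox problem described in the preceding paragraph can be made concrete with a small triage model. The following Python is an added illustration written for this article; it is not code from Bloomberg, Apple, Meta, Snap, Discord or any other provider, and every domain, name, reference number, phone number and message in it is constructed. It compares three verification policies against three constructed requests: a genuine one, a forgery sent from the same genuine mailbox after it has been compromised, and one from a lookalike domain. The point it demonstrates is that a sender-domain check alone releases data to the compromised-mailbox forgery, that a callback to a number written in the email does no better (the forger answers their own phone), and that only a callback to a contact from the provider’s own directory, checked against the agency’s own records, puts that request on hold.

```python
"""Added illustrative example (not from the article or any provider): why a
sender-domain check on "emergency data requests" fails once the agency mailbox
is compromised, and why a confirmation callback must use a number the provider
already holds rather than one supplied in the email. All data is constructed."""
from dataclasses import dataclass
from typing import Callable

# Constructed allowlist of official agency domains (the "official address of
# the requesting agency" rule).
AGENCY_DOMAINS = {"example-police.gov"}

# Constructed provider-maintained directory of agency contact numbers,
# looked up by domain and never taken from the message itself.
AGENCY_DIRECTORY = {"example-police.gov": "+1-555-0100"}

# Constructed view of the real agency's records: reference numbers it actually
# issued, keyed by the phone number that answers for that agency.
AGENCY_RECORDS = {"+1-555-0100": {"ER-2021-0417"}}

# Constructed attacker-controlled phone line that confirms anything asked.
ATTACKER_LINE = "+1-555-0199"


@dataclass(frozen=True)
class EmergencyRequest:
    sender: str           # From: address of the email
    request_id: str       # reference number printed on the letter
    callback_number: str  # "call me at" number written in the email


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def confirm_by_phone(number: str, request_id: str) -> bool:
    """Simulates ringing `number` and asking whether `request_id` is genuine."""
    if number == ATTACKER_LINE:
        return True  # the forger answers their own phone and says yes
    return request_id in AGENCY_RECORDS.get(number, set())


Policy = Callable[[EmergencyRequest], str]


def policy_domain_only(req: EmergencyRequest) -> str:
    """Release if the sender is an official agency address."""
    if sender_domain(req.sender) not in AGENCY_DOMAINS:
        return "reject"
    return "release"


def policy_callback_from_email(req: EmergencyRequest) -> str:
    """Domain check plus a callback, but to the number the email supplies."""
    if sender_domain(req.sender) not in AGENCY_DOMAINS:
        return "reject"
    ok = confirm_by_phone(req.callback_number, req.request_id)
    return "release" if ok else "hold"


def policy_callback_from_directory(req: EmergencyRequest) -> str:
    """Domain check plus a callback to the provider's own directory entry."""
    domain = sender_domain(req.sender)
    if domain not in AGENCY_DOMAINS:
        return "reject"
    number = AGENCY_DIRECTORY.get(domain)
    if number is None or not confirm_by_phone(number, req.request_id):
        return "hold"
    return "release"


# Constructed sample traffic.
GENUINE = EmergencyRequest(
    "det.ramirez@example-police.gov", "ER-2021-0417", "+1-555-0100")
# Same mailbox, now under attacker control: made-up reference number and the
# attacker's own callback number on the letter.
FORGED_FROM_COMPROMISED_MAILBOX = EmergencyRequest(
    "det.ramirez@example-police.gov", "ER-2021-0901", ATTACKER_LINE)
LOOKALIKE_DOMAIN = EmergencyRequest(
    "det.ramirez@example-p0lice.gov", "ER-2021-0417", "+1-555-0100")


def evaluate(policy: Policy) -> dict:
    """Run one policy over the three constructed requests."""
    return {name: policy(req) for name, req in (
        ("genuine", GENUINE),
        ("compromised_mailbox", FORGED_FROM_COMPROMISED_MAILBOX),
        ("lookalike_domain", LOOKALIKE_DOMAIN),
    )}


if __name__ == "__main__":
    for policy in (policy_domain_only, policy_callback_from_email,
                   policy_callback_from_directory):
        print(policy.__name__, evaluate(policy))
```

The lookalike domain is caught by all three policies, which is the case domain allowlisting is designed for; the case the article describes, a genuine mailbox under attacker control, is indistinguishable at the sender level and only the out-of-band check against the agency’s own records separates it from the real request.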
“Dark web underground stores contain compromised email addresses of law enforcement agencies, and could be sold with the associated cookies and metadata anywhere from $10 to $50,” stated Gene Yoo, chief executive of cybersecurity firm Resecurity, Inc.
Yoo stated that multiple law enforcement agencies were attacked last year due to previously unknown vulnerabilities in Microsoft Exchange email servers. This “led to further intrusions.”
Nixon of Unit 221B said it will be difficult to find a solution to forged requests sent from hacked law enforcement email systems.
She said the situation is very complicated, more so than simply stopping the flow of data, and that there are factors to consider beyond maximizing privacy.