Apple and Meta provided basic subscriber
details, such as a customer’s address, phone number and IP address, in mid-2021
in response to the forged “emergency data requests.” Normally, such requests
are only provided with a search warrant or subpoena signed by a judge,
according to the people. However, the emergency requests don’t require a court
order.
Snap Inc. received a forged legal request
from the same hackers, but it isn’t known whether the company provided data in
response. It’s also not clear how many times the companies provided data
prompted by forged legal requests.
Cybersecurity researchers suspect that some
of the hackers sending the forged requests are minors located in the U.K. and
the U.S. One of the minors is also believed to be the mastermind behind the
cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co.
and Nvidia Corp., among others, the people said. City of London Police recently
arrested seven people in connection with an investigation into the Lapsus$
hacking group; the probe is ongoing.
An Apple representative referred Bloomberg
News to a section of its law enforcement guidelines.
The guidelines referenced by Apple state that
a supervisor for the government or law enforcement agent who submitted the
request “may be contacted and asked to confirm to Apple that the emergency
request was legitimate.”
“We review every data request for legal
sufficiency and use advanced systems and processes to validate law enforcement
requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We
block known compromised accounts from making requests and work with law
enforcement to respond to incidents involving suspected fraudulent requests, as
we have done in this case.”
Snap had no immediate comment on the case,
but a spokesperson said the company has safeguards in place to detect
fraudulent requests from law enforcement.
Law enforcement around the world routinely
asks social media platforms for information about users as part of criminal
investigations. In the U.S., such requests usually include a signed order from
a judge. The emergency requests are intended to be used in cases of imminent
danger and don’t require a judge to sign off on them.
Hackers affiliated with a cybercrime group
known as “Recursion Team” are believed to be behind some of the forged legal
requests, which were sent to companies throughout 2021, according to the three
people who are involved in the investigation.
Recursion Team is no longer active, but
many of its members continue to carry out hacks under different names,
including as part of Lapsus$, the people said.
The information obtained by the hackers
using the forged legal requests has been used to enable harassment campaigns,
according to one of the people familiar with the inquiry. The three people said
it may be primarily used to facilitate financial fraud schemes. By knowing the
victim’s information, the hackers could use it to assist in attempting to
bypass account security.
Bloomberg is omitting some specific details
of the events in order to protect the identities of those targeted.
The fraudulent legal requests are part of a
months-long campaign that targeted many technology companies and began as early
as January 2021, according to two of the people. The forged legal requests are
believed to be sent via hacked email domains belonging to law enforcement
agencies in multiple countries, according to the three people and an additional
person investigating the matter.
The forged requests were made to appear
legitimate. In some instances, the documents included the forged signatures of
real or fictional law enforcement officers, according to two of the people. By
compromising law enforcement email systems, the hackers may have found legitimate
legal requests and used them as a template to create forgeries, according to
one of the people.
“In every instance where these companies
messed up, at the core of it there was a person trying to do the right thing,”
said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I
can’t tell you how many times trust and safety teams have quietly saved lives
because employees had the legal flexibility to rapidly respond to a tragic
situation unfolding for a user.”
On Tuesday, Krebs on Security reported that
hackers had forged an emergency data request to obtain information from the
social media platform Discord. In a statement to Bloomberg, Discord confirmed
that it had also fulfilled a forged legal request.
“We verify these requests by checking that
they come from a genuine source, and did so in this instance,” Discord said in
a statement.
“While our verification process confirmed
that the law enforcement account itself was legitimate, we later learned that
it had been compromised by a malicious actor. We have since conducted an
investigation into this illegal activity and notified law enforcement about the
compromised email account.”
Apple and Meta both publish data on their
compliance with emergency data requests. From July to December 2020, Apple
received 1,162 emergency requests from 29 countries. According to its report,
Apple provided data in response to 93% of those requests.
Meta said it received 21,700 emergency
requests from January to June 2021 globally and provided some data in response
to 77% of the requests.
“In emergencies, law enforcement may submit
requests without legal process,” Meta states on its website. “Based on the
circumstances, we may voluntarily disclose information to law enforcement where
we have a good faith reason to believe that the matter involves imminent risk
of serious physical injury or death.”
The systems for requesting data from
companies are a patchwork of different email addresses and company portals.
Fulfilling the legal requests can be complicated because there are tens of
thousands of different law enforcement agencies, from small police departments
to federal agencies, around the world. Different jurisdictions have varying
laws concerning the request and release of user data.
“There’s no one system or centralized
system for submitting these things,” said Jared Der-Yeghiayan, a director at
cybersecurity firm Recorded Future Inc. and former cyber program lead at the
Department of Homeland Security. “Every single agency handles them
differently.”
Companies such as Meta and Snap operate
their own portals for law enforcement to send legal requests, but still accept
requests by email and monitor requests 24 hours a day, Der-Yeghiayan said.
Apple accepts legal requests for user data
at an apple.com email address, “provided it is transmitted from the official
email address of the requesting agency,” according to Apple’s legal guidelines.
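The controls described in this article (accepting requests only from an agency's official email domain, blocking accounts known to be compromised, and confirming with a supervisor at the agency before releasing anything) can be combined into an intake policy in which the sender address alone never releases data, which is the gap a compromised but genuine account exploits. The following Python is an added example written for this page, not code from Apple, Meta, Snap or Discord; the domains, addresses and sample requests in it are constructed.

```python
"""Emergency data request intake policy (added example; not any company's code).

Models three controls: an allowlist of official agency email domains, a block
list of sender accounts already reported as compromised, and an out-of-band
confirmation step in which a supervisor is reached through an independently
sourced contact rather than a number printed in the request itself.
All domains, addresses and requests below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EmergencyRequest:
    sender: str                   # From: address the request arrived from
    target_account: str           # user account whose data is being requested
    asserts_imminent_harm: bool   # request states imminent risk of injury/death
    contact_from_request: bool    # was the callback contact taken from the request body?
    supervisor_confirmed: bool    # did a supervisor confirm the request when called back?


# Constructed allowlist of official agency domains and a constructed block list
# of sender accounts previously reported as compromised.
OFFICIAL_DOMAINS = {"police.example-city.gov", "sheriff.example-county.gov"}
KNOWN_COMPROMISED = {"analyst.k@police.example-city.gov"}


def sender_domain(address: str) -> str:
    """Return the lowercased domain part of an email address ('' if malformed)."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep and local and domain else ""


def evaluate(req: EmergencyRequest,
             official_domains=OFFICIAL_DOMAINS,
             known_compromised=KNOWN_COMPROMISED) -> tuple:
    """Return (decision, reasons) where decision is 'release', 'hold' or 'reject'.

    Sender-origin failures reject the request outright. A request that passes
    the origin checks is held, not released, until the out-of-band controls
    also pass, so a genuine-but-compromised account cannot obtain data on the
    strength of its email domain alone.
    """
    reasons = []
    if sender_domain(req.sender) not in official_domains:
        reasons.append("sender domain is not an allowlisted agency domain")
    if req.sender.lower() in known_compromised:
        reasons.append("sender account is on the known-compromised list")
    if reasons:
        return "reject", reasons

    if not req.asserts_imminent_harm:
        reasons.append("no imminent-harm assertion; route to legal process (warrant/subpoena)")
    if req.contact_from_request:
        reasons.append("callback contact came from the request itself; use an independently sourced number")
    if not req.supervisor_confirmed:
        reasons.append("no out-of-band supervisor confirmation recorded")
    return ("hold" if reasons else "release"), reasons


# Constructed sample requests covering each outcome.
SAMPLES = {
    # Genuine domain and account, but the only "confirmation" came through a
    # phone number supplied in the request: exactly the case a hijacked
    # mailbox can stage, so it is held rather than released.
    "real_account_self_vouched": EmergencyRequest(
        sender="analyst.j@police.example-city.gov", target_account="user-1234",
        asserts_imminent_harm=True, contact_from_request=True, supervisor_confirmed=True),
    "real_account_confirmed_out_of_band": EmergencyRequest(
        sender="analyst.j@police.example-city.gov", target_account="user-5678",
        asserts_imminent_harm=True, contact_from_request=False, supervisor_confirmed=True),
    "lookalike_domain": EmergencyRequest(
        sender="analyst.j@police-example-city.org", target_account="user-9012",
        asserts_imminent_harm=True, contact_from_request=False, supervisor_confirmed=True),
    "known_compromised_account": EmergencyRequest(
        sender="analyst.k@police.example-city.gov", target_account="user-3456",
        asserts_imminent_harm=True, contact_from_request=False, supervisor_confirmed=False),
}


def triage(samples=SAMPLES) -> dict:
    """Map each sample request name to its decision."""
    return {name: evaluate(req)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, reasons = evaluate(req)
        print(f"{name}: {decision}")
        for reason in reasons:
            print("   -", reason)
```

The ordering matters: origin checks reject cheap forgeries early, but passing them only moves a request to "hold". The release decision depends on a confirmation obtained through a contact the reviewer sourced independently, which is what separates a compromised legitimate mailbox from a legitimate request.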
Compromising the email domains of law
enforcement around the world is in some cases relatively simple, as the login
information for these accounts is available for sale on online criminal
marketplaces.
“Dark web underground shops contain
compromised email accounts of law enforcement agencies, which could be sold
with the attached cookies and metadata for anywhere from $10 to $50,” said Gene
Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc.
Yoo said multiple law enforcement agencies
were targeted last year as a result of previously unknown vulnerabilities in
Microsoft Exchange email servers, “leading to further intrusions.”
A potential solution to the use of forged
legal requests sent from hacked law enforcement email systems will be difficult
to find, said Nixon, of Unit 221B.
“The situation is very complex,” she said.
“Fixing it is not as simple as closing off the flow of data. There are many
factors we have to consider beyond solely maximizing privacy.”
SOURCE: BLOOMBERG