Apple and Meta leaked user data to hackers using fake legal requests

(Bloomberg) — Apple Inc. and Meta Platforms Inc., Facebook’s parent company, provided customer data to hackers posing as law enforcement officials, according to three people with knowledge of the matter.

Apple and Meta provided basic subscriber data, such as a customer’s address, phone number, and IP address, in mid-2021 in response to the fake “emergency data requests.” Such data is usually handed over only in response to a search warrant or a subpoena signed by a judge, the people said. Emergency requests, however, do not require a court order.

Snap Inc. received a fake legal request from the same hackers, but it’s unknown if the company provided any data in response. It’s also not clear how often the companies provided data prompted by bogus legal requests.

Cybersecurity researchers suspect that some of the hackers sending the fake requests are minors in the UK and US, the people said, with Nvidia Corp. among the companies they have hit. City of London Police recently arrested seven people in connection with an investigation into the hacking group Lapsus$; that investigation is ongoing.

An Apple representative referred Bloomberg News to a section of the company’s law enforcement guidelines.

The guidelines Apple pointed to say that a supervisor of the government or law enforcement official who made the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We block known compromised request accounts and are working with law enforcement to respond to incidents of suspected fraudulent requests, as we did in this case.”

Snap had no immediate comment on the case, but a spokesman said the company has safeguards in place to detect fraudulent requests from law enforcement.

Law enforcement agencies around the world routinely request information about users from social media platforms as part of criminal investigations. In the United States, such requests usually include a signed order from a judge. Emergency requests are intended for situations of imminent danger and do not have to be approved by a judge.

Hackers belonging to a cybercrime group known as the “Recursion Team” are said to be behind some of the fake legal requests sent to companies throughout 2021, according to the three people involved in the investigation.

The Recursion Team is no longer active, but many of its members continue to run hacks under various names, including as part of Lapsus$, people said.

The information the hackers obtained through the fake legal requests was used to facilitate harassment campaigns, according to a person familiar with the investigation. The three people said it could also be used to facilitate financial fraud schemes: knowing a victim’s details would help the hackers in attempts to bypass account security.

Bloomberg is withholding some specific details of the incidents to protect the identities of the targets.

The fraudulent legal requests are part of a months-long campaign targeting many tech companies, which two of the people said began in January 2021. According to the three people and another person investigating the matter, the fake requests are believed to have been sent from hacked email domains belonging to law enforcement agencies in multiple countries.

The fake requests were made to appear legitimate. In some cases, the documents carried forged signatures of real or fictitious police officers, according to two of the people. One of the people said that, by compromising law enforcement email systems, the hackers may have found genuine legal requests and used them as a template to create the fakes.

“In every instance where these companies have made mistakes, there was, at their core, a person trying to do the right thing,” said Allison Nixon, chief research officer at cyber firm Unit 221B. “I can’t tell you how many times trust and security teams have quietly saved lives because employees had the legal flexibility to respond quickly to a tragic situation unfolding for a user.”

On Tuesday, Krebs on Security reported that hackers forged an emergency data request to obtain information from social media platform Discord. In a statement to Bloomberg, Discord confirmed that it also complied with a fake legal request.

“We review these requests by verifying that they are from a genuine source, and in this case we have done so,” Discord said in a statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Apple and Meta both release data on their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests.

Meta said it received 21,700 emergency requests worldwide from January to June 2021 and provided some data in response to 77% of the requests.

“In emergencies, law enforcement may submit requests without legal process,” Meta’s website says. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

Companies’ systems for receiving data requests are a patchwork of different email addresses and portals. Handling legal requests is complicated by the fact that there are tens of thousands of law enforcement agencies around the world, ranging from small police departments to federal agencies, and different jurisdictions have different laws governing the request and release of user data.

“There is no single system or centralized system for filing these things,” said Jared Der-Yeghiayan, a director of cybersecurity firm Recorded Future Inc. and former head of the Department of Homeland Security’s cyber program. “Every single agency handles them differently.”

Companies like Meta and Snap operate their own law enforcement portals for submitting legal requests, but they continue to accept requests via email and monitor them 24 hours a day, Der-Yeghiayan said.

Apple accepts legal requests for user information sent to an apple.com email address “provided it is submitted from the official email address of the requesting authority,” according to Apple’s law enforcement guidelines.

Compromising the email domains of law enforcement agencies around the world is relatively easy in some cases, as the credentials for these accounts are offered for sale on online criminal marketplaces.

“Underground stores on the dark web contain compromised law enforcement email accounts that could be sold for between $10 and $50 with the cookies and metadata attached,” said Gene Yoo, chief executive officer of cybersecurity firm Resecurity, Inc.

Yoo said several law enforcement agencies were targeted over the past year through previously unknown vulnerabilities in Microsoft Exchange email servers, which “led to further intrusions.”

A fix for the problem of fake legal requests sent from hacked law enforcement email systems will be difficult to find, Unit 221B’s Nixon said.

“The situation is very complex,” she said. “Fixing the problem isn’t as easy as stopping the flow of data. There are many factors we need to consider beyond just maximizing privacy.”

(Updated to include recent UK arrests)

©2022 Bloomberg LP