Apple and Meta disclosed User Information to Hackers who used Forged Legal Requests

In response to the forged “emergency data requests,” Apple and Meta provided basic subscriber details such as a customer’s address, phone number, and IP address in mid-2021. According to the people, such requests are normally only granted with a search warrant or subpoena signed by a judge. The emergency requests, on the other hand, do not necessitate a court order.

Snap Inc. received a forged legal request from the same hackers, but it is unclear whether the company responded with data. It’s also unclear how many times the companies provided information in response to forged legal requests.

Researchers suspect that some of the hackers sending the forged requests are minors from the United Kingdom and the United States. According to the people, one of the minors is also thought to be the mastermind behind the cybercrime group Lapsus$, which hacked Microsoft Corp., Samsung Electronics Co., and Nvidia Corp., among others. The City of London Police recently arrested seven people in connection with an ongoing investigation into the Lapsus$ hacking group.

Apple and Meta Disclosed User Information to Hackers

Bloomberg News was directed to a section of Apple’s law enforcement guidelines by an Apple representative. According to the Apple guidelines, a supervisor for the government or law enforcement agent who submitted the request “may be contacted and asked to confirm to Apple that the emergency request was legitimate.”

“We review every data request for legal sufficiency and use advanced systems and processes to validate law enforcement requests and detect abuse,” Meta spokesman Andy Stone said in a statement. “We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests, as we have done in this case.”

Snap did not respond immediately to the case, but a spokesperson said the company has safeguards in place to detect fraudulent law enforcement requests.

As part of criminal investigations, law enforcement around the world routinely requests information about users from social media platforms. In the United States, such requests are typically accompanied by a signed order from a judge. The emergency requests are intended to be used in cases of impending danger and do not require the approval of a judge.

According to three people involved in the investigation, hackers affiliated with a cybercrime group known as the “Recursion Team” are suspected of being behind some of the forged legal requests sent to companies throughout 2021.

The Recursion Team is no longer active, but many of its members continue to hack under different names, including as part of Lapsus$, according to the people.

According to one person familiar with the investigation, the information obtained by the hackers through the forged legal requests was used to enable harassment campaigns. According to the three people, it could primarily be used to facilitate financial fraud schemes. By knowing the victim’s information, the hackers could use it to help them circumvent account security.

In order to protect the identities of those targeted, Bloomberg is withholding some specific details about the events.

According to two of the people, the fraudulent legal requests are part of a months-long campaign that targeted many technology companies and began as early as January 2021. According to the three people and one additional person investigating the matter, the forged legal requests are believed to have been sent via hacked email domains belonging to law enforcement agencies in multiple countries.

The forged requests were disguised as legitimate. According to two of the people, the documents contained forged signatures of real or fictional law enforcement officers in some cases. According to one of the people, the hackers may have found legitimate legal requests and used them as a template to create forgeries by compromising law enforcement email systems.

“In every instance where these companies messed up, at the core of it there was a person trying to do the right thing,” said Allison Nixon, chief research officer at the cyber firm Unit 221B. “I can’t tell you how many times trust and safety teams have quietly saved lives because employees had the legal flexibility to rapidly respond to a tragic situation unfolding for a user.” 

Krebs on Security reported on Tuesday that hackers had forged an emergency data request in order to obtain information from the social media platform Discord. Discord confirmed in a statement to Bloomberg that it had also fulfilled a forged legal request.

“We verify these requests by checking that they come from a genuine source, and did so in this instance,” Discord said in a statement. “While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

Apple and Meta both publish information about their responses to emergency data requests. Apple received 1,162 emergency requests from 29 countries between July and December 2020. According to the report, Apple responded to 93 percent of those requests with data.

From January to June 2021, Meta said it received 21,700 emergency requests worldwide and responded to 77 percent of them with data.

“In emergencies, law enforcement may submit requests without legal process,” Meta states on its website. “Based on the circumstances, we may voluntarily disclose information to law enforcement where we have a good faith reason to believe that the matter involves imminent risk of serious physical injury or death.”

The systems for requesting data from businesses are a mishmash of various email addresses and company portals. Fulfilling legal requests can be difficult because there are tens of thousands of different law enforcement agencies around the world, ranging from small police departments to federal agencies. Laws governing the request and release of user data vary by jurisdiction.

“There’s no one system or centralised system for submitting these things,” said Jared Der-Yeghiayan, a director at cybersecurity firm Recorded Future Inc. and former DHS cyber program lead. “Every single agency handles them differently.”

Companies like Meta and Snap have their own portals for law enforcement to send legal requests, but they still accept requests by email and monitor them 24 hours a day, according to Der-Yeghiayan.

According to Apple’s legal guidelines, Apple accepts legal requests for user data at an apple.com email address “provided it is transmitted from the official email address of the requesting agency.”

Compromise of law enforcement email domains around the world is relatively simple in some cases, as login information for these accounts is available for sale on online criminal marketplaces.

“Dark web underground shops contain compromised email accounts of law enforcement agencies, which could be sold with the attached cookies and metadata for anywhere from $10 to $50,” said Gene Yoo, chief executive officer of the cybersecurity firm Resecurity, Inc. 

Yoo said multiple law enforcement agencies were targeted last year as a result of previously unknown vulnerabilities in Microsoft Exchange email servers, “leading to further intrusions.”

According to Nixon of Unit 221B, a potential solution to the use of forged legal requests sent from hacked law enforcement email systems will be difficult to find.“The situation is very complex,” she said. “Fixing it is not as simple as closing off the flow of data. There are many factors we have to consider beyond solely maximizing privacy.”

Also Checkout: How to Boot Android 12L on your x86 PC