TechRadar
Sead Fadilpašić

Google confirms hackers created their own account in sensitive law enforcement portal

  • Cybercriminals created a fraudulent account on Google’s Law Enforcement Request System
  • No user data was accessed, but the breach raises concerns about flaws in Google’s approval process
  • The group behind the incident, Scattered Lapsus$ Hunters, is linked to major recent data breaches and went “dark” shortly before posting the screenshot

Cybercriminals managed to get their own account on the Google Law Enforcement Request System (LERS) platform, the search engine giant confirmed to the media earlier this week.

Recently, threat actors going by “Scattered Lapsus$ Hunters” posted a new screenshot in their Telegram channel, allegedly showing an automated confirmation email from Google.

“Google has created a new Law Enforcement Request System (LERS) account for you,” the screenshot says.

Disabled the account

LERS is a secure online portal that Google provides specifically for verified law enforcement agencies. Through it, the police can submit legal requests for user data, such as subpoenas, court orders, or search warrants. Authorized officers can also upload documents, monitor the status of their requests, and download the sensitive data.

To gain access to LERS, an applicant must be pre-approved by Google. Simply having an agency email address won’t suffice; the applicant needs to be added to Google’s approved list, which raises the question: how did the criminals do it? Either Google’s approval system is flawed, or crooks somehow managed to impersonate law enforcement personnel.

After the news broke, BleepingComputer reached out to both Google and the FBI. The latter declined to comment, while Google confirmed the cybercriminals’ claims:

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told the publication. "No requests were made with this fraudulent account, and no data was accessed."

Scattered Lapsus$ Hunters is a threat actor created after three groups - Scattered Spider, Lapsus$, and ShinyHunters - merged into one. The group is suspected to be behind some of the biggest data breaches this year, including the Drift AI/Salesloft incident that affected dozens of large tech companies.

Mere days before posting this screenshot, the group announced it was “going dark”, which some threat actors interpreted as a sign of fear over the impending consequences of the recent attacks.

Via BleepingComputer
