Google representatives said that hackers created a fake account in the Law Enforcement Request System (LERS). Law enforcement agencies use this Google platform to submit official data requests.
As reported by Bleeping Computer, late last week members of the hacker groups Scattered Spider, LAPSUS$, and ShinyHunters (who claim they have merged and now call themselves Scattered LAPSUS$ Hunters) said on Telegram that they had gained access to both Google’s LERS portal and the FBI’s data verification system, eCheck.

LERS and eCheck are used by police and intelligence agencies in various countries around the world to transmit legal requests and court orders, as well as emergency disclosure requests. Unauthorized access to these systems allowed attackers to impersonate law enforcement personnel and gain access to confidential user data.
“We determined that a fraudulent account was created in our system for law enforcement requests, and we disabled it,” a Google spokesperson told reporters. “No requests were made using this fake account. No data was accessed.”
The FBI declined to comment on the attackers’ claims.
The hackers published screenshots of the allegedly obtained access shortly after announcing that they intended to “go dark.” Earlier this year, Scattered LAPSUS$ Hunters attracted considerable attention with large-scale attacks on Salesforce.
Initially, the attackers used social engineering, tricking employees into connecting the Data Loader tool to corporate Salesforce instances. The tool was then used for data theft and subsequent extortion.
Later, the hackers compromised Salesloft’s GitHub repository and used the TruffleHog tool to search for secrets in private source code. This allowed them to find authentication tokens for Salesloft Drift, which were used for further attacks and the subsequent mass data theft from Salesforce.
Google Threat Intelligence (Mandiant) specialists were the first to notice what was happening, drew attention to the attacks on Salesforce and Salesloft, and warned everyone about the need to strengthen defenses.
After that, the hackers began regularly mocking the FBI, Google, Mandiant, and infosec researchers in posts on their Telegram channels.
Now, Scattered LAPSUS$ Hunters have published a long message on a domain associated with BreachForums, stating that they are ceasing their operations.
“We have decided that from now on our strength lies in silence,” the attackers wrote. “You will still see our names in reports about data leaks at dozens of multibillion-dollar companies that have not yet acknowledged the breach, as well as some government agencies, including high-security ones. But that does not mean that we are still active.”
However, cybersecurity experts who spoke to Bleeping Computer believe the group will continue conducting attacks more covertly, despite its statements about shutting down.