Cybercrime Group Accesses Google Law Enforcement Request System (LERS)

Google has confirmed that a cybercrime group, known as Scattered Lapsus$ Hunters, gained access to its Law Enforcement Request System (LERS) platform by creating a fake account. The group claimed on Telegram to have obtained access to not only Google's LERS but also the FBI's eCheck background check system.

The Google Law Enforcement Request System is a secure online portal for verified government agencies to submit and track legal requests for user data. It enables law enforcement to request information from Google while ensuring compliance with proper legal processes.

"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account. No requests were made with this fraudulent account, and no data was accessed," said Google in a statement to media outlets.

The tech giant pointed out that the attackers made no requests using the fraudulent account, and it also stressed that no data was accessed. However, unauthorized access to Google's LERS could expose user data, compromise investigations, enable fraudulent requests, and damage trust.

Breaches of the FBI's eCheck system risk theft of personal and criminal records, identity fraud, manipulation of background checks, and national security threats. Both systems' sensitivity makes strong safeguards essential to protect privacy, data integrity, and institutional trust.

In a series of attacks, the group used social engineering tactics to trick employees into linking Salesforce Data Loader to corporate accounts, enabling data theft and extortion. They later breached Salesloft's GitHub repo, scanned code with Trufflehog, and found Drift authentication tokens, which they exploited to launch further Salesforce data theft attacks.

These Salesforce data theft attacks impacted major customers such as Allianz Life, Google, Zscaler, Cloudflare, Qantas, and Palo Alto Networks. The group's actions demonstrate the devastating consequences of a single cyberattack on multiple organizations.

In a farewell message posted on BreachForums[.]hn, the group announced that they were going dark, stating "Vanity is never but an ephemeral triumph. And manipulation of opinion is never anything else than vanity. This is why we have decided that silence will now be our strength."

The group's actions serve as a reminder of the importance of robust security measures and the need for strong safeguards to protect sensitive information and prevent future breaches.
