Full Report
Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company [...]
Analysis Summary
# Incident Report: Unauthorized Access to Google Law Enforcement Portal
## Executive Summary
Hackers claiming to be "Scattered Lapsus$ Hunters" created a fraudulent account within Google's Law Enforcement Request System (LERS) platform. While the group claimed broader access, Google confirmed the fraudulent account creation but asserted that no data requests were made and no data was accessed through this vector. The incident highlights a potential threat vector against sensitive inter-agency communication systems, attributed to threat actors previously involved in widespread Salesforce data theft.
## Incident Details
- **Discovery Date:** September 15, 2025 (Date of public confirmation/reporting)
- **Incident Date:** Occurred prior to September 15, 2025 (When the fraudulent account was created)
- **Affected Organization:** Google (Law Enforcement Request System - LERS)
- **Sector:** Technology/Cloud Services (Interacting with Law Enforcement Agencies)
- **Geography:** Global (LERS serves international law enforcement)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, prior to September 15, 2025 announcement.
- **Vector:** Creation of a fraudulent management account within the LERS portal. Based on the group's prior methods, this likely involved phishing or social engineering, though the exact mechanism used to gain LERS access is unconfirmed.
- **Details:** A threat actor group calling itself "Scattered Lapsus$ Hunters" created an account in Google's LERS platform, which law enforcement agencies use to submit subpoenas and court orders.
### Lateral Movement
- **Details:** The article does not specify internal lateral movement within Google's network. The focus is on gaining unauthorized access to the specific LERS application environment.
### Data Exfiltration/Impact
- **Details:** Google stated, "No requests were made with this fraudulent account, and no data was accessed." Therefore, successful data exfiltration related to this specific LERS breach is reported as **None**.
### Detection & Response
- **How it was discovered:** Google identified the fraudulent account and disabled it.
- **Response actions taken:** The fraudulent account was immediately disabled and removed from the system.
## Attack Methodology
- **Initial Access:** Creation of a fraudulent account in the LERS platform. (Likely utilizing social engineering tactics similar to prior attacks, although not explicitly confirmed for LERS).
- **Persistence:** Not applicable; access was identified and revoked.
- **Privilege Escalation:** Not detailed in relation to LERS.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Unknown; the threat actors involved are known for leveraging stolen tokens and social engineering in supply chain attacks.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown/Not applicable to the confirmed scope.
- **Collection:** No evidence of data collection via this vector.
- **Exfiltration:** No evidence of data exfiltration via this vector.
- **Impact:** Potential compromise of the integrity of the law enforcement request submission portal.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Confirmed **No data accessed or exfiltrated** via the fraudulent LERS account, according to Google.
- **Operational:** Minimal operational impact reported, as the fraudulent use was stopped before any requests were submitted.
- **Reputational:** Damage to trust in the security of the sensitive LERS platform, amplified because the threat actors also claimed access to the FBI's eCheck system.
## Indicators of Compromise
- **Network indicators:** None specified (URLs/IPs were not provided).
- **File indicators:** None specified.
- **Behavioral indicators:** Creation of an unauthorized account within the LERS administrative system.
## Response Actions
- **Containment measures:** The fraudulent LERS account was immediately disabled.
- **Eradication steps:** The unauthorized account was removed from the system.
- **Recovery actions:** Not disclosed; verification that the system functions correctly after the account's removal is implied.
## Lessons Learned
- The security posture of specialized, high-value portals (such as LERS or the FBI's eCheck system) remains a critical risk area, potentially exploitable through non-traditional means such as fraudulent account creation enabled by social engineering or weak access controls.
- Threat actors previously involved in large-scale supply chain digital extortion (Salesforce/Salesloft related actors) are actively targeting infrastructure related to US federal and international law enforcement data workflows.
## Recommendations
- Implement stricter multi-factor authentication (MFA) and identity verification processes for account provisioning/creation within sensitive portals like LERS.
- Conduct immediate audits of user provisioning logs for LERS to confirm the origin and legitimacy of all recent account creations.
- Review and enhance monitoring for anomalous account activity within law enforcement request portals, focusing on rapid detection of newly onboarded or suspicious administrative accounts.