Recap: In 2022, hackers infamously stole user data by tricking companies with compromised law enforcement credentials. A recent FBI bulletin warns that the threat posed by this tactic has since intensified, recommending various precautions for tech companies to verify subpoenas that appear to originate from U.S. or foreign government sources.

According to the FBI, malicious actors are increasingly targeting government and law enforcement emails, using them to obtain sensitive information by sending fraudulent emergency data requests (EDRs) to tech companies. While users should always maintain strong cybersecurity practices, robust data policies are even more critical for officials and companies, which are often targeted as weak links.

Although companies like Apple, Meta, and PayPal typically require a court order before surrendering data to law enforcement, they may make exceptions in urgent situations.

Hackers have begun exploiting this exception by stealing law enforcement and government email credentials from multiple countries and gaining access to their EDR subpoena templates.

The FBI cites multiple incidents and increased chatter about this tactic in online hacker communities, spanning roughly from August 2023 to August 2024.

One cybercriminal claimed to sell EDR forgery tutorials for $100, while another advised that compromised .gov email addresses could be used for malware and phishing attacks to further infiltrate the government sector.

In recent cases, hackers claimed to control government credentials from over 25 countries, including the U.S. They could leverage these email addresses for social engineering, espionage, extortion, or forged EDRs – and have shared techniques with others to carry out similar attacks.

A known cybercriminal provided a template for submitting an EDR to PayPal in March 2024. PayPal reported receiving and rejecting a legal assistance request related to a child trafficking case. Although the hacker included a legitimate-looking case number and legal code, the FBI notes that such details, while potentially deceptive, can also aid in verifying requests.

The FBI recommends that companies handling EDRs take precautions, such as scrutinizing documents for forged elements, contacting the issuing authorities for verification, and matching included legal codes with appropriate government agencies. For example, a non-U.S. law enforcement agency would not send a U.S. subpoena or an EDR with language copied verbatim from U.S. law.
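One way a provider's intake team could encode the consistency checks above, as an added example that is not part of the FBI bulletin or this article: the domain and statute tables, the `EDR` record and the `triage` function are constructed assumptions, and a real deployment would still perform the out-of-band call-back to the issuing agency that the bulletin recommends.

```python
# Added example: jurisdiction-consistency triage for an incoming emergency data
# request (EDR). Tables below are constructed for illustration, not authoritative.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed mapping: sender email-domain suffix -> the jurisdiction it implies.
DOMAIN_JURISDICTION = {".gov": "US", ".mil": "US", ".gov.uk": "GB",
                       ".gouv.fr": "FR", ".gc.ca": "CA"}

# Constructed mapping: statute-citation pattern -> jurisdiction whose law it quotes.
STATUTE_JURISDICTION = [(re.compile(r"\b\d+\s+U\.S\.C\."), "US"),
                        (re.compile(r"\bInvestigatory Powers Act\b"), "GB"),
                        (re.compile(r"\bCriminal Code of Canada\b"), "CA")]


@dataclass
class EDR:
    sender: str           # From: address on the request
    agency_country: str   # ISO country code the sender claims to represent
    body: str             # free text of the request, including cited legal codes
    case_number: str = ""  # reference the issuing agency can be asked to confirm


def domain_jurisdiction(email: str) -> Optional[str]:
    """Map the sender's domain to a jurisdiction; None if not a known gov domain."""
    domain = email.rsplit("@", 1)[-1].lower()
    # Longest suffix first so ".gov.uk" wins over a hypothetical ".uk" entry.
    for suffix, country in sorted(DOMAIN_JURISDICTION.items(), key=lambda kv: -len(kv[0])):
        if domain.endswith(suffix):
            return country
    return None


def triage(req: EDR) -> List[str]:
    """Return the reasons a request fails the bulletin's consistency checks.
    An empty list means nothing contradicts itself; the call-back to the
    issuing agency is still required before any data is released."""
    findings = []
    dj = domain_jurisdiction(req.sender)
    if dj is None:
        findings.append("sender domain is not a recognised government domain")
    elif dj != req.agency_country:
        findings.append(f"sender domain implies {dj} but agency claims {req.agency_country}")
    # A non-U.S. agency quoting U.S. statute verbatim is the bulletin's own red flag.
    for pattern, country in STATUTE_JURISDICTION:
        if pattern.search(req.body) and country != req.agency_country:
            findings.append(f"cites {country} law from a {req.agency_country} agency")
    if not re.fullmatch(r"[A-Z0-9][A-Z0-9\-/]{3,}", req.case_number):
        findings.append("case number missing or malformed; cannot be confirmed with issuer")
    return findings
```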

The FBI bulletin also emphasizes standard cybersecurity measures, including strong password policies and vigilant monitoring of third-party hardware and software. Notably, it suggests that companies should avoid forcing password changes more than once annually, except in the event of a security breach.