Full Report
Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company [...]
Analysis Summary
# Incident Report: Fraudulent Account Creation in Google Law Enforcement Portal (LERS)
## Executive Summary
Threat actors affiliated with the "Scattered Lapsus$ Hunters" group claimed to have created a fraudulent account within Google's Law Enforcement Request System (LERS) portal. Prompt investigation by Google confirmed the creation of this unauthorized account, which was subsequently disabled. Crucially, Google reported that no data requests were made using the fraudulent credentials, and no data was accessed via this vector.
## Incident Details
- **Discovery Date:** Presumably shortly before September 15, 2025, following claims made public by the threat actors.
- **Incident Date:** Unknown, but associated with claims made public on Thursday, September 11, 2025 (implied from context); Google confirmed the account on September 15, 2025.
- **Affected Organization:** Google
- **Sector:** Technology/Cloud Services, Government Liaison Services
- **Geography:** Global scope, as LERS is a worldwide tool for law enforcement.
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, but prior to public claims on Thursday.
- **Vector:** Not specified. The threat actors' recent activity (social engineering and supply-chain compromise methods linked to their prior Salesforce/Salesloft campaigns) suggests similar tactics, but the direct LERS access vector is not disclosed.
- **Details:** A fraudulent account was successfully created within the LERS platform.
### Lateral Movement
- *Not Applicable/Not Disclosed:* The incident appears to be limited to the creation of a single access account within the LERS system. No confirmed lateral movement within Google's internal network is detailed.
### Data Exfiltration/Impact
- **Impact:** Minimal. Google confirmed that **no requests were made** using the fraudulent account, and **no data was accessed**.
- **Scope:** Limited to the unauthorized creation of an account in the LERS portal.
### Detection & Response
- **Detection:** Google identified the fraudulent account; the threat actor's public claims served either as the trigger for the investigation or as confirmation of it.
- **Response Actions:** Google stated, "We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account."
## Attack Methodology
- **Initial Access:** Unauthorized account creation in the LERS system (mechanism not fully disclosed by Google; the group's adjacent activity suggests social engineering or supply-chain compromise is its preferred method).
- **Persistence:** N/A (The account was disabled quickly).
- **Privilege Escalation:** N/A
- **Defense Evasion:** N/A (The account was successfully created before detection).
- **Credential Access:** N/A for this specific LERS access vector, though the threat actor group has a history of credential theft via supply chain attacks (Salesloft breach).
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** N/A (No data collection occurred via this access).
- **Exfiltration:** N/A
- **Impact:** Attempts to gain the capability to access sensitive user data via official law enforcement data request channels.
## Impact Assessment
- **Financial:** Not disclosed, likely minimal due to swift containment.
- **Data Breach:** No data breach occurred related to this specific LERS compromise.
- **Operational:** Minimal disruption reported to LERS operations, though system integrity was temporarily questioned.
- **Reputational:** Minor negative publicity associated with the threat actor’s claims regarding access to sensitive government liaison tools.
## Indicators of Compromise
*Because Google disabled the account immediately and no requests were executed, actionable forensic IOCs were likely short-lived. The primary indicators are **behavioral** and relate to the threat actor group.*
- **Network Indicators:** None explicitly provided (URLs/IPs defanged).
- **File Indicators:** None provided.
- **Behavioral Indicators:** Creation of unauthorized accounts within critical government data request portals (LERS).
## Response Actions
- **Containment measures:** The fraudulent account was immediately disabled.
- **Eradication steps:** The unauthorized access was removed.
- **Recovery actions:** Google likely audited LERS provisioning and authentication processes following the incident.
## Lessons Learned
- **Key Takeaways:** Even specialized, access-restricted portals intended for government interfacing (like LERS) remain targets for sophisticated threat groups.
- **What could have been done better:** The initial access vector allowing the fraudulent account creation needs further review, especially regarding vetting of new portal users or system provisioning controls.
## Recommendations
- Implement strict multi-factor authentication (MFA) and enhanced vetting processes for all entries into the LERS portal, even for entities claiming law enforcement affiliation.
- Conduct a comprehensive audit of LERS account creation and access control mechanisms to prevent the creation of unauthorized identities, potentially leveraging threat intelligence regarding the known actors.
- Review external-facing access controls adjacent to systems used for sensitive data disclosure requests.
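As an added illustration (not from the original report or from Google's own tooling), the following Python implements the review the recommendations describe: each newly created portal account is checked against a vetted agency domain allowlist, MFA enrolment and a recorded vetting approval, and any flagged account is then correlated with subsequent data requests. The audit event format, domains, ticket ids and field names are constructed assumptions.

```python
# Constructed allowlist of vetted agency e-mail domains (hypothetical values).
VETTED_AGENCY_DOMAINS = {"police.example.gov", "sheriff.example.us"}

# Constructed audit events for a law-enforcement request portal (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T14:02:11Z", "event": "account.created",
     "user": "j.doe@police.example.gov", "mfa_enrolled": True, "vetting_ticket": "VET-001"},
    {"ts": "2025-09-10T15:40:09Z", "event": "request.submitted",
     "user": "j.doe@police.example.gov"},
    {"ts": "2025-09-11T03:17:45Z", "event": "account.created",
     "user": "lers-admin@mail-example.net", "mfa_enrolled": False, "vetting_ticket": None},
]


def review_account_creation(event):
    """Return the policy findings for one account.created event (empty list = clean)."""
    findings = []
    domain = event["user"].rsplit("@", 1)[-1].lower()
    if domain not in VETTED_AGENCY_DOMAINS:
        findings.append("domain_not_vetted")      # registrant not from a known agency
    if not event.get("mfa_enrolled"):
        findings.append("mfa_missing")            # account usable with a single factor
    if not event.get("vetting_ticket"):
        findings.append("no_vetting_record")      # provisioning bypassed the vetting workflow
    return findings


def triage(events):
    """Map each flagged account to its findings and whether it went on to submit a request.

    An account that fails vetting AND submits a request is the case that needs the
    most urgent follow-up, because a data request may already be in the pipeline.
    """
    alerts = {}
    for ev in events:
        if ev["event"] == "account.created":
            findings = review_account_creation(ev)
            if findings:
                alerts[ev["user"]] = {"findings": findings, "submitted_request": False}
    for ev in events:
        if ev["event"] == "request.submitted" and ev["user"] in alerts:
            alerts[ev["user"]]["submitted_request"] = True
    return alerts


if __name__ == "__main__":
    for user, detail in triage(SAMPLE_EVENTS).items():
        print(user, detail)
```

In the constructed sample the unvetted account never submits a request, which mirrors the outcome Google reported; the `submitted_request` flag is what would escalate the alert if it had.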