On September 11, after posting a lengthy “Goodbye” message on BreachForums[.]hn and linking to it on Telegram, the individuals calling themselves Scattered LAPSUS$ Hunters 4.0 seemed to have some difficulty sticking to the “going silent” part of their farewell message. In short order, they posted four screenshots suggesting that they had access to the...
# Incident Report: Law Enforcement Portal Access Claims by Scattered LAPSUS$ Hunters 4.0
## Executive Summary
Threat actors calling themselves "Scattered LAPSUS$ Hunters 4.0" publicly claimed unauthorized access to law enforcement portals, specifically the federal Criminal Justice Information Services (CJIS) background check service and Google's Law Enforcement Request System (LERS). While screenshots implied access, subsequent investigation by Google confirmed the creation and immediate disabling of one fraudulent account in LERS, with no data accessed or requests made. Federal agencies have not confirmed or responded to inquiries regarding access to CJIS.
## Incident Details
- Discovery Date: September 11, 2025 (Date of public claim/posting)
- Incident Date: Potentially prior to September 11, 2025 (Creation of fraudulent LERS account)
- Affected Organization: U.S. Federal Systems (CJIS) and Google (LERS portal servicing law enforcement)
- Sector: Government / Law Enforcement Support Services
- Geography: United States (Federal Systems)
## Timeline of Events
### Initial Access
- Date/Time: Claimed to have gained access prior to September 11, 2025.
- Vector: Unspecified initially, later tied to the creation of a fraudulent account within Google's LERS, and claimed access to CJIS.
- Details: Threat actors posted screenshots suggesting access to the CJIS instant background check service and LERS.
### Lateral Movement
- Not detailed in the source. The only access described is the credentials or account that allowed the actors to reach the portals; no movement between systems is reported.
### Data Exfiltration/Impact
- **CJIS:** Claims made, but no confirmation of data access or exfiltration.
- **LERS:** Google confirmed one fraudulent account was created, but explicitly stated **no requests were made and no data was accessed.**
### Detection & Response
- **Detection:** Claims were brought to public attention on September 11, 2025, via posts referencing a "Goodbye" message on BreachForums[.]hn. DataBreaches submitted inquiries.
- **Response Actions:** DataBreaches contacted the FBI and Google. Google confirmed identifying and disabling the fraudulent LERS account.
## Attack Methodology
- Initial Access: Alleged creation of a fraudulent account within Google's LERS system to gain portal access. Claims regarding CJIS access vector are unconfirmed.
- Persistence: Not detailed, but the alleged unauthorized account creation in LERS suggests an attempt at persistence.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed; the actors evaded detection at least long enough to create the fraudulent LERS account before Google identified and disabled it.
- Credential Access: Not detailed.
- Discovery: Not detailed. (The actors publicly disclosed the alleged access by posting screenshots shortly after announcing they were going silent.)
- Lateral Movement: Not detailed.
- Collection: Unconfirmed for CJIS; the fraudulent LERS account was disabled before any requests were made.
- Exfiltration: No confirmed data exfiltration.
- Impact: Limited to the confirmed creation of one unauthorized account in LERS, which was quickly addressed.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: No confirmed PII or sensitive law enforcement data breach, based on Google's confirmation regarding LERS. CJIS scope remains unconfirmed.
- Operational: Minor operational impact, limited to Google having to identify and disable one fraudulent account. Any direct disruption to CJIS operations is unspecified.
- Reputational: Potential temporary negative impact due to the public claims against U.S. federal systems.
## Indicators of Compromise
- **Network indicators (Defanged):** None explicitly released in the article.
- **File indicators:** Screenshots posted by the threat actors demonstrating portal views (content redacted).
- **Behavioral indicators:** Creation of a fraudulent account within Google’s Law Enforcement Request System portal.
## Response Actions
- **Containment measures:** Google identified and disabled the fraudulent account in the LERS portal.
- **Eradication steps:** Account disabled; any remediation of the weakness that allowed the account to be created is presumed, not confirmed by the source.
- **Recovery actions:** None specified, beyond confirmation that no data was accessed via the compromised LERS account.
## Lessons Learned
- Threat actors are actively targeting high-value portals used by law enforcement entities (e.g., CJIS, LERS) for attention or potential future impact.
- Account lifecycle management and monitoring within sensitive portals may need bolstering, as indicated by the success in creating a fraudulent LERS account.
- Incident verification requires active engagement with affected organizations, as public claims are not always fully substantiated (LERS confirmation vs. CJIS ambiguity).
## Recommendations
- Law enforcement agencies utilizing federal systems (like CJIS) should immediately audit recent account creations and user activity logs for anomalies.
- Google/System owners should review the process that allowed the creation of the fraudulent LERS account to ensure multi-factor authentication or more stringent vetting is required for law enforcement request system access.
- Enhance monitoring for unusual activity patterns associated with known threat actor groups engaging in public shaming/boasting campaigns.