Every day, law enforcement response teams (LERT) within corporations do their best to respond to...
Law Enforcement Data Requests: The Supply Chain Vulnerability Nobody’s Talking about
Law enforcement and government agencies have always been an attractive target for criminal hackers. By stealing and using their credentials or spoofing government domains, criminals obtain a perception of authenticity that helps them social engineer businesses. Unfortunately, there has been an upward trend in public sector targeting for some time. A 2022 report from Lookout analyzed mobile data specific to federal, state and local government entities, and found that almost 50% of phishing attacks aimed at government personnel in 2021 specifically sought to steal credentials, up from 30% in 2020.
In 2024, law enforcement will become an even more attractive target, as threat actors gain awareness of the historical vulnerabilities that enterprises often overlook surrounding law enforcement requests for information. Business email compromise has long been a fan favorite for scammers to defraud their targets of money, information, data, etc., and when bad actors learn that the only defense an enterprise has in this area is “good faith,” they see a target ripe for exploitation.
Here are the key factors influencing the potential for an increase in attacks on law enforcement, and how to prepare and protect your organization.
1. Global threat actors are teaming up to target large corporations, governments and law enforcement.
The bad guys have figured out that there is power in numbers - and opportunity for financial gain. By collaborating with other threat actors, criminal hacking groups can learn from one another, broaden their reach to sell stolen data, build their reputations, and recruit employed individuals with classified access or direct agency knowledge to build insider threat capabilities. The mafia-inspired Five Families consortium is just one example, but there are others. These groups are global—hailing from countries like Brazil, Romania, England, Czech Republic, Russia, Mexico, Canada, Germany, and the United States. They sell information from data breaches, especially logs containing law enforcement passwords.
While their exploits tend to focus on large multinational corporations, the groups also include so-called hacktivists who often target law enforcement, political or judicial organizations or individuals, furthering the need for tighter cybersecurity among law enforcement (see number 2 below).
Increased collaboration and sophistication among various threat actor groups could also mean a broader scope of targets, including smaller companies, through increased social engineering efforts.
In this environment, businesses of all sizes must take a close look at how they receive and respond to law enforcement requests to ensure they are verified as genuine. Additionally, service providers should consider introducing or enhancing behavior-based account security measures to ensure that simply having access to law enforcement credentials doesn’t guarantee the full range of account capabilities. This is especially important given the consequences of a company getting it wrong; it’s not just reputation risk, it’s data privacy compliance, user trust, and safety of human life.
2. Vulnerabilities in law enforcement security will be more exploited than ever.
Investment in cybersecurity infrastructure and training has long lagged in the public sector, particularly in police departments and investigatory organizations. At the same time, their attack surface has increased as mobile devices, field work and communications all become more digitized and connected.
Now criminal hackers have realized that credentials, sensitive information in case files, and other valuable data held by law enforcement agencies can be used very effectively as a trojan horse into a private corporation, or to launch ransomware or other attacks. Expect more frequent exploitation of bad security habits - particularly within law enforcement in developing countries - like password reuse, lack of 2FA and sloppy data security. Agencies everywhere should increase their investment in securing their network infrastructure and vulnerable endpoints.
For companies, this means even more signals are needed to verify the validity of law enforcement data requests. Email domains are not enough to confirm that the person sending the request has authority to do so; standard operating procedure should be to not trust whoever is operating the inbox solely based on access to that inbox. Check with your company’s legal counsel on how to push back on requests that seem suspicious or lack proper legal process.
3. Criminal toolkits continue to expand faster than law enforcement's ability to keep up.
While law enforcement credential theft continues to be a popular way to gain entry to a corporation, other highly effective methods continue to evolve. For example, emergency data request (EDR) templates are sold over the dark web and crafted to manipulate recipients into participating in unauthorized data sharing, under the guise that withholding the data would cause an immediate threat to life.
Mobile devices are another highly vulnerable attack vector. Indeed, unmanaged and outdated mobile devices are pervasive in law enforcement and the public sector. The Lookout analysis mentioned earlier found that “around 13% of devices used at the federal level are unmanaged, and a whopping 38% of devices at the state and local level are unmanaged.” And while mobile phishing is still highly effective and will continue unabated, their analysis found that the objective of phishing has shifted: “Malware delivery used to be the main event, but when it comes to targeting federal, state, and local governments, nearly half of all phishing attacks sought to steal credentials in 2021.”
Phishing requests will expand to exploit various channels, including the insecure forms of mail, email, and fax, in an attempt to evade rigorous verification processes and behavior-based account monitoring such as that offered by Kodex. Threat actors will continue to execute personalized phishing campaigns, posing as victims if needed, especially against companies commonly targeted by law enforcement requests.
SIM swapping will emerge as another tactic to gain access to two-factor authentication (2FA) credentials of law enforcement email accounts. Agencies need to bolster 2FA security and explore more resilient authentication methods.
Unmanaged and expired domains can also be used to impersonate law enforcement and government organizations, and we expect to see increased abuse of old domains. Law enforcement agencies should do a thorough inventory to secure old domains and implement robust measures against unauthorized access to live domains.
As a result of these vulnerabilities, behavior-based account security becomes even more critical. Login credentials alone are not sufficient to protect against abuse by criminals using stolen (yet legitimate) law enforcement credentials and domains, especially given the sensitivity of data at hand.
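The advice above (in point 2, that an inbox alone proves nothing, and here, that valid credentials still need behavior-based signals) can be turned into a triage step for incoming requests. The following is an added example, not Kodex's code or process: it assumes a constructed roster of verified agency domains, email authentication results already parsed from headers, and a simple per-requester history, and it routes each request to reject, escalate, or standard legal review.

```python
from dataclasses import dataclass

# Constructed verified-agency roster (assumed data model): domain -> whether the
# agency still manages it. Lapsed domains can be re-registered by anyone.
VERIFIED_DOMAINS = {
    "police.example.gov": {"managed": True},
    "old-agency.example.org": {"managed": False},
}

@dataclass
class DataRequest:
    sender: str                   # From: address of the request
    auth_pass: bool               # SPF/DKIM/DMARC aligned and passing for the sending domain
    emergency: bool               # framed as an emergency disclosure request (EDR)
    legal_process_attached: bool  # subpoena, warrant or court order included
    prior_requests_7d: int        # this requester's requests in the last 7 days
    prior_requests_total: int     # lifetime request count for this requester

def triage(req: DataRequest, weekly_baseline: int = 3) -> tuple[str, list[str]]:
    """Classify a request as 'reject', 'escalate' (manual verification plus
    legal counsel) or 'standard_review' (normal legal review; never automatic
    disclosure). Returns the decision and the reasons behind it."""
    identity, behaviour = [], []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    info = VERIFIED_DOMAINS.get(domain)
    if info is None:
        identity.append("sending domain not on verified agency roster")
    elif not info["managed"]:
        identity.append("agency domain is lapsed or unmanaged")
    if not req.auth_pass:
        identity.append("email authentication (SPF/DKIM/DMARC) failed")
    # Identity checks gate everything else: a spoofed or lapsed domain is rejected outright.
    if identity:
        return "reject", identity
    # The domain is genuine, but a legitimate mailbox can still be operated by an
    # intruder, so weigh how the request behaves against this requester's own history.
    if req.emergency and not req.legal_process_attached:
        behaviour.append("emergency framing with no legal process attached")
    if req.prior_requests_7d + 1 > weekly_baseline:
        behaviour.append(f"{req.prior_requests_7d + 1} requests this week exceeds "
                         f"baseline of {weekly_baseline}")
    if req.prior_requests_total == 0:
        behaviour.append("first-ever request from this requester")
    return ("escalate", behaviour) if behaviour else ("standard_review", [])
```

The thresholds and roster are placeholders; the point is that a request from a genuine, authenticated agency domain still lands in escalation when it behaves unlike that requester's history.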
4. Corporations and law enforcement will up their game in response to these rising threats.
For too long, the vulnerable channel of communication between law enforcement and private corporations has been left wide open. Bad actors have taken note. In fact, in 2023, Kodex rejected more than 10% of verification requests because of association with identified threat actors, while thousands of signup attempts used email addresses from a previously rejected domain. Their methods included credential stuffing, and leveraging exposed email usernames or passwords linked to law enforcement officers from data breaches.
This intensifying threat is one reason corporations and law enforcement alike increasingly rely on us to protect the integrity of the law enforcement response process. Through our Globally Verified Network, clients can confidently confirm the legitimacy of a request. No matter how resourceful or well capitalized a company is, it is more vulnerable when it operates alone in a silo. Our global network can gather behavior-based signals from across industries and geographies that no one company can access on its own. As a result, all companies who join Kodex help protect each other like a de facto herd immunity. When a law enforcement account is flagged as compromised, every company in our network is notified.
In 2024, we’re already seeing a continued surge in verification requests, reflecting the growing adoption of our platform by law enforcement and the private sector’s increasing reliance on verification. We stand ready as a strategic ally for the private and public sectors to guard against these evolving threats and protect the individual privacy entrusted to these companies.