Security researchers who investigate ransomware gangs are being targeted by the criminals they’re tracking. A hacker, thought to be a member of the notorious Russian cybercrime gang REvil, has used a fraudulent emergency data request (EDR), a type of subpoena deployed by US law enforcement agencies, to obtain information from Twitter about cybersecurity analysts, before threatening the researchers and their families.

EDRs can be obtained with little scrutiny, making them perfect vehicles for social engineering attacks. Legislation has been drafted which could require the requests to come with a digital signature, making them harder to forge.

Fake EDRs were apparently used to obtain user information from Twitter. (Photo illustration by Nikolas Kokovlis/NurPhoto via Getty Images)

What is an emergency data request?

An EDR allows US law enforcement agencies to unilaterally demand information from an organisation in a life or death emergency. This means they can bypass the protocol for obtaining information about who owns an account from a social media platform, which usually involves obtaining a court warrant or full subpoena.

Because the requests can be made by the agencies themselves without any oversight, they are a useful tool for social engineering. Many companies like Twitter “have a streamlined process where they publish fax or contact information for police to get emergency access to data,” former US Department of Justice prosecutor Mark Rasch told the KrebsOnSecurity blog earlier this year. “But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

Successful bogus EDRs are often sent from official email accounts which have been hacked into, says Louise Ferrett, a researcher at security platform Searchlight Security. “You need a US government or US law enforcement email,” she says. There are over 18,000 police jurisdictions in the United States, many of which have been breached by hackers. At the federal level, the FBI’s email server was breached last year, and cybersecurity across US government departments has been criticised as inadequate by auditors.

How are EDRs used to target security researchers?

While these tactics have been used before by hackers targeting other cybercriminals, they are now being deployed against ransomware researchers to intimidate them offline. One such criminal, known online as ‘Sheriff’ and thought to be REvil member Aleksandr Sikerin, has used these tactics against three researchers in the last month, filing fake EDRs to obtain contact information on targets and then sending them abusive and threatening emails.

One of the researchers, known online as Dissent, detailed her experience in a blog post, which explains that at one point she was sent a message threatening her with the same fate as murdered Saudi Arabian journalist Jamal Khashoggi: “You will end up like Jamal,” the message reads. “I will personally feed you to your family.”

Sheriff and another hacker known as RichTheKid boasted on the hacking forum breached.co that they had filed 20 bogus EDRs with Twitter for “IP audit, email and phone” information on security researchers. Sheriff has since been banned from the forum.

Using bogus EDRs to obtain information is an increasingly popular tactic for hackers, Ferrett says. “It seems like a pre-existing tactic that has been used quite liberally in the past in the cybercrime underground, but more typically as part of a hacking operation in order to gain that kind of sensitive customer data, or by cybercriminals against their rivals as a means to ‘dox’, harass or even intimidate them into continuing to work for them,” she says. Doxxing is the practice of maliciously publishing or sharing someone’s personal information online.

“Threat actors are now turning this sort of low-tech tactic onto those who investigate and expose their illegal activities,” Ferrett adds. “And Twitter is an easy target because that’s where a lot of researchers gather.”

Twitter has not been forthcoming about its process for vetting EDRs. By their nature the requests must be dealt with quickly, so employees can be left choosing between taking the time to vet a request properly, at the risk of a person being seriously injured or killed, and releasing the information quickly with less scrutiny.

Twitter states in its privacy policy that “we may disclose account information to law enforcement in response to a valid emergency disclosure request. Twitter evaluates emergency disclosure requests on a case-by-case basis in compliance with relevant law.” The company had not responded to questions from Tech Monitor at the time of writing.

Rival social media platform Facebook received 21,700 emergency requests globally from January to June 2021 and provided some data in response to 77% of the requests.

What is being done to tackle fake EDRs?

Legislation to tackle the fraudulent use of EDRs could be forthcoming. Democratic Senator Ron Wyden has put together a proposal, the Digital Authenticity for Court Orders Bill. The proposal, which has bipartisan support, was first presented last year and would, amongst other things, require EDRs and similar orders to come with a digital signature to prove authenticity.

“No one wants tech companies to refuse legitimate emergency requests when someone’s safety is at stake, but the current system has clear weaknesses that need to be addressed,” said Wyden. “Fraudulent government requests are a significant concern, which is why I’ve already authored legislation to stamp out forged warrants and subpoenas.”

Ferrett says the legislation would be a welcome step to keep security researchers and others safe. “Using things like the digital signature technology is an interesting way to deal with this because hopefully, it would be a lot quicker than other modes of verification,” she says. “I think it’s definitely necessary, especially if this becomes more common.”
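As an added illustration, not code from the article, the bill or any provider, here is what a provider-side check for a digitally signed EDR could look like. The request format, the agency identifiers and the key directory (Registry) are constructed assumptions; the point is that the provider verifies the signature against a key it already trusts for that agency, so a request sent from a hijacked mailbox or signed with an invented key fails, and a timestamp check stops a genuinely signed request from being replayed later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"time"
)

type EDR struct { // hypothetical request body; the field set is an assumption, not a real form
	Agency   string `json:"agency"`    // issuing agency identifier
	Account  string `json:"account"`   // account whose data is demanded
	IssuedAt int64  `json:"issued_at"` // unix time the request was signed
}

type Registry map[string]ed25519.PublicKey // agency id -> published key, loaded out of band

// NewAgencyKey generates an agency signing key and registers its public half.
func NewAgencyKey(reg Registry, agency string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg[agency] = pub
	return priv, nil
}

// Sign serialises the request deterministically and returns a detached signature.
func Sign(priv ed25519.PrivateKey, r EDR) []byte {
	msg, _ := json.Marshal(r) // a plain struct cannot fail to marshal
	return ed25519.Sign(priv, msg)
}

// Verify is the check a provider runs before releasing data: the signature must match
// the key registered for the claimed agency, and the request must still be recent.
func Verify(reg Registry, r EDR, sig []byte, now time.Time, maxAge time.Duration) error {
	pub, ok := reg[r.Agency]
	if !ok {
		return errors.New("no registered key for agency " + r.Agency)
	}
	msg, _ := json.Marshal(r)
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify: forged or altered request")
	}
	if now.Sub(time.Unix(r.IssuedAt, 0)) > maxAge {
		return errors.New("request too old to be an emergency")
	}
	return nil
}
```

A real deployment would also need the key directory itself to be trustworthy and revocable, since a compromised agency signing key would pass this check just as a compromised mailbox passes today's.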

For the moment, however, researchers will be left feeling exposed and unsafe on Twitter, she concludes. “This is new for researchers that have previously been able to stay anonymous,” Ferrett says. “They seem to feel less safe or feel like they’re going to be identified now.”
