The FBI is warning that bad actors are stealing data from tech companies by sending them “fraudulent emergency data requests.”
Emergency data requests are used by law enforcement to get data from tech companies in pursuit of cases. Unfortunately, the FBI says bad actors are using compromised law enforcement and government email addresses to send the fraudulent data requests, making it more difficult for targets to know the requests are fraudulent.
The FBI issued the warning in a Private Industry Notification (thanks to TechCrunch for the document upload).
The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification to highlight a trend of compromised US and foreign government email addresses used to conduct fraudulent emergency data requests to US-based companies, exposing personally identifying information (PII).
The FBI says these types of attacks are not new, but there is a major uptick in their use.
While the concept of fraudulent emergency data requests was previously used by other threat actors, such as Lapsus$, the increase in postings on criminal forums regarding the process of emergency data requests and sale of compromised credentials has led to an increase of their use. The FBI encourages organizations to implement the recommendations in the Mitigations section to reduce the likelihood and impact from submission of fraudulent emergency data requests to attempt to gain unauthorized access to PII. Enhanced password protocols implemented in early 2023 highlighted that a mandated increase in password length, the use of multi-factor-authentication (MFA) for users with administrative rights, policy controls directed at vishing, and improved baseline monitoring worked together to decrease successful attempts at cracking passwords and made networks more resilient to a threat actor’s initial intrusion and persistence.
Organizations are advised to maintain a strong relationship with the FBI so they can better verify the validity of requests.
FBI recommends government and other organizations that receive emergency data requests take the steps below to improve their security posture in response to the noted attack trends and possible outcomes using more resilient security protocols. FBI recommends organizations establish and maintain strong liaison relationships with the FBI Field Office in their region. The location and contact information for FBI Field Offices can be located at www.fbi.gov/contact-us/field-offices. Through these partnerships, FBI can assist with identifying vulnerabilities and mitigating potential threat activity. FBI further recommends organizations review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.
The FBI says organizations should report any suspicious data requests.
The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or ic3.gov. Field office contacts can be identified at www.fbi.gov/contact-us/field-offices. When available, each report submitted should include the date, time, location, type of activity, number of people, type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s National Press Office at [email protected] or (202) 324-3691.
For a full list of recommended mitigations, see the full document here.