May 02 — A person who the US government believes is affiliated with REvil also appears to be connected to a strange situation involving Twitter. Details are still emerging, and this story will be updated accordingly, but we know that it all started with an urgent request…
Twitter provides information to enforcement agencies
Twitter’s policies mandate the provision of certain types of information to law enforcement in cases of valid emergency disclosure requests. According to the company, the fastest way to obtain an answer regarding an emergency request is via its legal request submissions site.
In a seven-month window, the company reportedly received 12,370 government information requests. Emergency requests accounted for roughly 15% of that number, according to information published by Twitter.
What happened: Finding the REvil affiliate
A recent law enforcement inquiry was just one among an escalating series of requests related to cyber criminals. This particular request targeted an individual nicknamed “Lalartu” or “Sheriff.” Experts managed to connect this alias to a person by the name of Aleksandr Sikerin.
This individual was most recently living in St. Petersburg, Russia, and had been affiliated with the notorious REvil ransomware gang.
In recent weeks, this person has threatened a blogger and their family, along with a cyber security researcher, whom he attempted to defame.
The elaborate social engineering
In an unexpected plot twist, the REvil affiliate appears to have submitted a Twitter information request regarding the cyber security researcher. “Twitter fell for the bait and gave up all his info,” according to the REvil affiliate. Did Twitter really just hand over data to a hacker?
Phony data requests
This phony data request is one example of how attackers use compromised law enforcement email addresses to pressure major tech companies into turning over users’ private data.
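As an added, defender-side illustration (not code from the original article or from Twitter): a triage rule for incoming emergency disclosure requests, written to show why a request sent from a genuine but compromised agency mailbox passes ordinary email checks and therefore has to be held for out-of-band confirmation. The agency registry, domains and phone number below are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Hypothetical registry a platform would keep of verified agency domains and the
# callback number on file for each (constructed for this example, not real data).
AGENCY_REGISTRY: Dict[str, str] = {
    "police.example.gov": "+1-555-0100",
}

@dataclass
class EmergencyRequest:
    sender: str               # address the request arrived from
    spf_pass: bool            # result of the platform's own SPF check on the mail
    dkim_pass: bool           # result of the platform's own DKIM check on the mail
    callback_confirmed: bool  # set only after staff phoned the number on file
    target_account: str       # account whose data is requested

def triage(req: EmergencyRequest) -> Tuple[str, str]:
    """Return (decision, reason) for one emergency disclosure request.

    Decisions are 'reject', 'hold' or 'release'. Mail authentication alone never
    releases data: a genuinely compromised agency mailbox passes SPF and DKIM.
    """
    domain = req.sender.rsplit("@", 1)[-1].lower()
    callback = AGENCY_REGISTRY.get(domain)
    if callback is None:
        return "reject", f"{domain} is not a registered agency domain"
    if not (req.spf_pass and req.dkim_pass):
        return "reject", "mail failed SPF/DKIM; sender may be spoofed"
    if not req.callback_confirmed:
        # Use the number on file, never a number supplied in the request itself.
        return "hold", f"phone {callback} to confirm the request before release"
    return "release", "registered domain, authenticated mail, callback confirmed"

# Constructed samples. The first mimics the scenario in this article: a request
# sent from a real agency mailbox the attacker controls, so SPF and DKIM pass.
FROM_COMPROMISED_MAILBOX = EmergencyRequest(
    "officer@police.example.gov", True, True, False, "@researcher")
FROM_LOOKALIKE_DOMAIN = EmergencyRequest(
    "officer@police-example.gov", True, True, False, "@researcher")
FROM_SPOOFED_ADDRESS = EmergencyRequest(
    "officer@police.example.gov", False, False, False, "@researcher")

if __name__ == "__main__":
    for req in (FROM_COMPROMISED_MAILBOX, FROM_LOOKALIKE_DOMAIN, FROM_SPOOFED_ADDRESS):
        print(req.sender, "->", triage(req))
```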
Last week, Bloomberg issued a report around how bogus data requests sent to Twitter, Apple, Meta, Alphabet and other tech giants have been used to harass and extort minors. Krebs on Security also commented on the practice of obtaining data via data requests.
The questions now are whether companies should revise their policies and processes around data disclosure requests and, if so, how quickly that needs to happen in order to prevent people from suffering sobering and serious real-world consequences.