Lapsus$

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Nick Levine (talk | contribs) at 08:02, 4 November 2022 (Restored revision 1119784777 by Chumpih (talk): Restore last good version). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Lapsus$
Formation: c. 2021
Type: Cybercrime gang
Headquarters: Unknown
Region: International
Methods: Spearphishing, SIM swapping, recruitment of accomplices via social media
Membership: 7 (March 2022 estimate)
Affiliations: Unknown

Lapsus$, stylised as LAPSUS$ and classified by Microsoft as DEV-0537,[1] is an international extortion-focused[2] hacker group known for its various cyberattacks against companies and government agencies.[3][4]

Unlike most hacker groups, Lapsus$ is known for using the messaging app Telegram to communicate with the public, including for recruitment and for posting sensitive data taken from its victims, although the group's use of Telegram has diminished.[5] The composition of the group has also drawn attention, as at least two of its members are teenagers. Lapsus$' attack vector is social engineering: once the group has obtained the credentials of a privileged employee within the target organisation, it attempts to obtain sensitive data through a variety of means, including remote desktop tools.

The first major cyberattack attributed to Lapsus$ was against the Brazilian Health Ministry's computer systems in December 2021.[6] In March 2022, Lapsus$ gained notoriety for a series of cyberattacks against large tech companies, including Microsoft, Nvidia, and Samsung. Following these attacks, the City of London Police announced that it had made seven arrests in connection with its investigation into Lapsus$.[7] Although the group was considered inactive by April 2022, it is believed to have re-emerged in September 2022 with a series of data breaches against various large companies, including Uber and Rockstar Games, carried out through a similar attack vector, followed by further arrests by the City of London Police.

Attacks

Brazil's Ministry of Health (2021)

The first known cyberattack committed by Lapsus$ was against Brazil's Ministry of Health. As a result of the attack, the Ministry of Health postponed plans to implement new health requirements for travelers in Brazil.

Okta (2022)

On 21 January 2022, Lapsus$ gained access to the servers of identity and access management company Okta through the compromised account of a third-party customer support engineer. Okta confirmed the breach on 25 January 2022.[8][9]

Nvidia (2022)

On 23 February 2022, technology company Nvidia became aware of a breach of its systems. Lapsus$ claimed to have a terabyte of data from Nvidia, and threatened to release the "complete silicon, graphics, and computer chipset files for all recent NVIDIA GPUs, including the RTX 3090Ti and upcoming revisions" if Nvidia did not open-source its device drivers.[10][3] On 3 March, the credentials of over 71,000 Nvidia employees emerged online.[11]

Samsung (2022)

On 4 March 2022, Lapsus$ posted a 190 GB torrent to internal data belonging to phone manufacturer Samsung, including the source code of its Samsung Galaxy line of phones. Samsung confirmed the breach three days later.[12]

Mercado Libre (2022)

On 8 March 2022, Argentinian e-commerce company Mercado Libre confirmed that user data for 300,000 customers had been accessed by Lapsus$; the group also claimed to have access to 24,000 repositories belonging to Mercado Libre.[13]

Ubisoft (2022)

On 10 March 2022, gaming company Ubisoft confirmed that it had experienced a "cyber security incident", although user data had not been accessed.[14]

T-Mobile (2022)

On 17 March 2022, Lapsus$ gained access to an employee account within the telecommunications company T-Mobile. A prominent member of Lapsus$ using the pseudonym "White" unsuccessfully attempted to gain access to the T-Mobile accounts of the Federal Bureau of Investigation and the United States Department of Defense. Lapsus$ was, however, able to obtain source code repositories belonging to T-Mobile.[15]

Microsoft (2022)

On 20 March 2022, Lapsus$ posted a screenshot of the technology company Microsoft's Azure DevOps server to their Telegram channel. The following day, the group released a 37 GB zip file containing, among other things, "90% of the source code for the Bing search engine".[16][17][18][19]

Globant (2022)

On 30 March 2022, Luxembourg-based IT company Globant confirmed its network had been breached.[20]

Uber (2022)

On 15 September 2022, nearly six months after Lapsus$' previous attack, mobility-as-a-service company Uber announced that it had been breached.[21]

Rockstar Games (2022)

On 18 September 2022, 90 videos of game footage relating to an untitled Grand Theft Auto game emerged on GTAForums.[22] The hacker is thought to have been affiliated with Lapsus$.[23]

Interactions

The group used the messaging app Telegram, and the Lapsus$ Telegram channel was used to announce data dumps and to recruit accomplices. As of March 2022, it had nearly 50,000 subscribers.[5] The group also posted polls asking which organisation it should target next.[24]

The FBI made an appeal for information on 21 March 2022.[25]

Composition

A Bloomberg report stated that the group's mastermind was a 16-year-old residing in Oxford, England, and another core member is a teenager in Brazil.[26][27] The report also stated that the group has seven members and was likely formed recently.[28][26]

Arrests

On 24 March 2022, seven people aged between 16 and 21 were arrested by the City of London Police in connection with its investigation into Lapsus$. An alleged prominent member of the group using the pseudonym White was arrested in Oxford, England. His identity had allegedly been disclosed earlier by a former associate, and various groups, including the research group Unit 221B, were reported to have identified him.[29] Two teenage members were charged on 1 April 2022.[30][27]

Analysis

The group's assumed modus operandi was to obtain access to a victim organisation's corporate network by acquiring the credentials of privileged employees. These credentials were acquired in a number of ways, including recruiting insiders[31] or compromising privileged employees through methods such as SIM swapping.[5] Lapsus$ then used remote desktop or network access to obtain sensitive data, such as customer account details or source code, and extorted the victim organisation with threats of disclosing the data.[18] In the most prominent cases, the data was subsequently released and information was posted on Telegram.

Lapsus$ has used the social engineering tactic known as multi-factor authentication fatigue in its attack on Uber.[32][33]
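As an added illustration (not part of the Wikipedia article), a minimal detector for the MFA-fatigue pattern mentioned above: it flags an approved push prompt that follows a burst of denied or timed-out prompts for the same account. The log format and the sample lines are constructed, not taken from any real system.

```python
# Added example: detect the MFA-fatigue pattern (many rejected push prompts
# followed by an approval) in constructed authentication log lines.
# Assumed (constructed) log format: "<ISO-timestamp> <user> <push_result>"
# where push_result is DENIED, TIMEOUT or APPROVED.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-09-15T21:02:10 alice DENIED
2022-09-15T21:02:41 alice DENIED
2022-09-15T21:03:15 alice TIMEOUT
2022-09-15T21:03:50 alice DENIED
2022-09-15T21:04:30 alice DENIED
2022-09-15T21:05:02 alice APPROVED
2022-09-15T21:06:00 bob DENIED
2022-09-15T21:40:00 bob APPROVED
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events

def find_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return (user, approval_time, rejection_count) for every approval that
    was preceded, within `window`, by at least `min_rejections` rejected
    (DENIED or TIMEOUT) push prompts for the same user."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = []
    for user, seq in by_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "APPROVED":
                continue
            rejections = sum(1 for prev_ts, prev_res in seq[:i]
                             if prev_res in ("DENIED", "TIMEOUT")
                             and ts - prev_ts <= window)
            if rejections >= min_rejections:
                alerts.append((user, ts, rejections))
    return alerts

if __name__ == "__main__":
    for user, ts, n in find_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"possible MFA fatigue: {user} approved at {ts} after {n} rejected pushes")
```

The thresholds are arbitrary starting points; a real deployment would tune the window and count against the organisation's own baseline of accidental denials.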

References

  1. ^ "DEV-0537 criminal actor targeting organizations for data exfiltration and destruction". Microsoft Security Blog. 22 March 2022. Retrieved 24 March 2022.
  2. ^ "Defending against attacks". Security Insider. Microsoft Security. 22 August 2022. Retrieved 8 October 2022.
  3. ^ a b Goodin, Dan (4 March 2022). "Cybercriminals who breached Nvidia issue one of the most unusual demands ever". Ars Technica. Retrieved 14 March 2022.
  4. ^ Winder, Davey (8 March 2022). "Samsung Confirms Massive Galaxy Hack After 190GB Data Torrent Shared Via Telegram". Forbes. Retrieved 14 March 2022.
  5. ^ a b c Krebs, Brian (23 March 2022). "A Closer Look at the LAPSUS$ Data Extortion Group". Krebs On Security. Retrieved 24 March 2022.
  6. ^ "Brazil health ministry website hit by hackers, vaccination data targeted". Reuters. 11 December 2021. Retrieved 24 March 2022.
  7. ^ Peters, Jay (24 March 2022). "Seven teenagers arrested in connection with the Lapsus$ hacking group".
  8. ^ Porter, Jon (22 March 2022). "Okta hack puts thousands of businesses on high alert". The Verge. Retrieved 22 March 2022.
  9. ^ Newman, Lily Hay (28 March 2022). "Leaked Details of the Lapsus$ Hack Make Okta's Slow Response Look More Bizarre". Wired. Retrieved 1 April 2022.
  10. ^ Clark, Mitchell (1 March 2022). "Nvidia says its 'proprietary information' is being leaked by hackers". The Verge.
  11. ^ Gatlan, Sergiu (3 March 2022). "NVIDIA data breach exposed credentials of over 71,000 employees". BleepingComputer. Retrieved 21 September 2022.
  12. ^ Glover, Claudia (7 March 2022). "Is Lapsus$ targeting Big Tech after Samsung breach?". Tech Monitor. Retrieved 14 March 2022.
  13. ^ Sharma, Ax. "E-commerce giant Mercado Libre confirms source code data breach". BleepingComputer. Retrieved 23 March 2022.
  14. ^ Peters, Jay (11 March 2022). "Ubisoft says it experienced a 'cyber security incident', and the purported Nvidia hackers are taking credit". The Verge. Retrieved 14 March 2022.
  15. ^ Krebs, Brian (22 April 2022). "Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code". Krebs on Security. Retrieved 22 April 2022.
  16. ^ Cox, Joseph (21 March 2022). "Microsoft Investigating Claim of Breach by Extortion Gang". Motherboard. Vice. Retrieved 21 March 2022.
  17. ^ Clark, Mitchell; Lawler, Richard; Peters, Jay (22 March 2022). "Microsoft confirms Lapsus$ hackers stole source code via 'limited' access". The Verge. Vox Media. Retrieved 22 March 2022.
  18. ^ a b Abrams, Lawrence. "Lapsus$ hackers leak 37GB of Microsoft's alleged source code". BleepingComputer. Retrieved 23 March 2022.
  19. ^ Newman, Lily Hay (22 March 2022). "'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack". Wired. Retrieved 23 March 2022.
  20. ^ Goodin, Dan (30 March 2022). "IT giant Globant discloses hack after Lapsus$ leaks 70GB of stolen data". Ars Technica. Retrieved 31 March 2022.
  21. ^ Bajak, Frank (16 September 2022). "Serious breach at Uber spotlights hacker social deception". AP NEWS. Retrieved 17 September 2022.
  22. ^ Kan, Michael (20 September 2022). "Uber Blames Recent Breach on LAPSUS$ Hacking Group". PCMag. Ziff Davis. Archived from the original on 19 September 2022. Retrieved 19 September 2022.
  23. ^ Robinson, Andy (19 September 2022). "Uber 'in contact with the FBI' over potential GTA 6 hacker". Video Games Chronicle. Gamer Network. Archived from the original on 19 September 2022. Retrieved 20 September 2022.
  24. ^ Newman, Lily Hay (15 March 2022). "The Lapsus$ Hacking Group Is Off to a Chaotic Start". Wired.
  25. ^ "Most Wanted: LAPSUS$". www.fbi.gov. 21 March 2022. Archived from the original on 3 April 2022. Retrieved 5 April 2022.
  26. ^ a b Turton, William; Robertson, Jordan (23 March 2022). "Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind". Bloomberg. Retrieved 23 March 2022.
  27. ^ a b "16-year-old living with his mom is mastermind behind Lapsus$ Microsoft hack, cyber detectives say". Fortune. Archived from the original on 1 August 2022. Retrieved 8 October 2022.
  28. ^ Burt, Jeff (17 March 2022). "Lapsus$ gang sends a worrying message to would-be criminals". www.theregister.com.
  29. ^ "Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal". BBC News. 24 March 2022. Retrieved 25 March 2022.
  30. ^ "Lapsus$: Two UK teenagers charged with hacking for gang". BBC News. 1 April 2022.
  31. ^ Paganini, Pierluigi (11 March 2022). "Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders". Security Affairs. Retrieved 23 March 2022.
  32. ^ "MFA Fatigue: Hackers' new favorite tactic in high-profile breaches". BleepingComputer. Retrieved 20 September 2022.
  33. ^ Whittaker, Zack (19 September 2022). "How do you stop another Uber hack?". TechCrunch. Retrieved 20 September 2022.