In this article, we look at the cyber-crime gang Lapsus$, how they operate and the details of some of their recent high-profile attacks.
Lapsus$?
Lapsus$ is reported to be a mostly teenage cyber-crime gang (hackers), mainly based in South America, yet with its alleged multi-millionaire teenage leader based in Oxford, UK. The gang, which typically uses ransomware and data extortion, has risen to prominence over the last year or so thanks to frequent attacks on major targets. Although some tech and security commentators have described them as inexperienced and amateurish, they have expanded their reach globally and created many costly problems for some large organisations. Much of the money reported to have been taken by them is likely to have come not just from extortion but also from taking over individual user accounts at cryptocurrency exchanges and draining cryptocurrency holdings.
Social Engineering
Some online reports indicate that Lapsus$ initially gains access to organisations, prior to extortion, through social engineering. This is reported to involve, for example, bribing and tricking employees at customer support call centres and help desks. Microsoft, which was targeted by the group, wrote in a post that it had found instances where Lapsus$ “had successfully gained access to target organisations through recruited employees (or employees of their suppliers or business partners).”
Telegram Group
Lapsus$ is known to have a Telegram group (an instant-messenger channel) of around 45,000 subscribers, on which the hacking group’s members are known to be highly active. It is believed that the Telegram group and multiple other social media platforms have been used for recruitment since at least November 2021.
The Leader?
It has been reported that the leader of Lapsus$ is a 16-year-old boy based in Oxford who uses the hacking names “White” or “Breachbase”. It has also been reported (and alleged) that the autistic teenager has amassed a massive £10.6m ($14m) fortune (in cryptocurrency) from hacking!
Doxxed
The teenage alleged leader’s identity was revealed after he reportedly mismanaged the Doxbin website that he controlled and leaked the Doxbin data set to Telegram. This led angry customers of the site, which shares personal information about people, to retaliate by doxing him, i.e. publicly revealing personal information about him online. It has also been reported, however, that cyber-security researchers, e.g. Unit 221B, have been tracking the alleged leader of Lapsus$ and have been aware of his real identity for almost a year.
Father Unaware
Following the doxing, it has been reported that White/Breachbase’s father was unaware of his son’s alleged involvement in hacking, and that he believed the extended periods his son spent on his computer were simply the result of playing video games.
Attacks So Far
Some of those targeted and attacked by Lapsus$ are so far thought to include:
- Security company Okta. The attack in January, which allegedly involved a third-party contractor, is reported to have been a case where the data of (at worst) 366 of its clients may have been “viewed or acted upon”. News of the issue caused a 9 per cent fall in the company’s shares.
- Microsoft, which reported that the group had only gained limited access after compromising a single account. Microsoft, which calls the Lapsus$ group DEV-0537, has published an extensive post about the group’s activities and methods.
- Samsung, which recently confirmed that the hacking group had breached its security and stolen code relating to the operation of Galaxy smartphone devices.
- Nvidia (the US GPU giant). It was reported that Lapsus$ broke into Nvidia’s internal network, stole sensitive data (from hashed login credentials to trade secrets) and then leaked Nvidia’s official code-signing certificates.
- Ubisoft (a French gaming publisher) has also been targeted.
Recent Arrests
Following an investigation, it has been reported that City of London Police have now arrested seven teenagers over their suspected connections with the Lapsus$ hacking group. It is not clear, however, whether this included the suspected 16-year-old leader.
What Does This Mean For Your Business?
It is shocking that a group of teenagers apparently on their computers in their bedrooms at home may be behind some high-profile extortion crimes against major organisations, as well as taking over cryptocurrency accounts, amassing vast digital wealth in the process.
In this case, although the attacks may have exposed some technical security holes in company defences, the group seems (according to Microsoft) mostly to have relied on social engineering, e.g. recruiting and bribing relatively low-level insiders. This is difficult for businesses to defend against, and it highlights the importance of monitoring for, and training staff about, cyber threats.
Although some arrests have now been made, the continued existence of a huge subscriber base on Telegram, together with the details stolen in previous attacks, means that the danger may not be over: others may copy the gang’s methods or replace lost members.
By Mike Knight