In recent days, cybersecurity experts have not stopped talking about Lapsus$, a group of cybercriminals that has earned its recent and sinister fame by stealing data from some of the most important technology companies in the world. Among its victims are Nvidia, Ubisoft, Vodafone, Samsung, Mercado Libre and Microsoft. The latter confirmed on Tuesday that the gang, specialized in cyberattacks with ransomware , had stolen 37 GB of source code from its Bing browser and its digital assistant Cortana.
His criminal actions have also targeted Okta, a company that offers identity verification services to third-party companies, one of the largest media groups in Portugal, and the Brazilian Ministry of Health.
Although the motivation behind their high-profile attacks is still unclear, cybersecurity experts suspect they are driven by money and notoriety . Their main modus operandi is to hack large companies, steal their data and threaten to publish it unless a ransom is paid. But not always. Nvidia, for example, was not asked for money but to release the source code of its graphics card drivers and remove the restrictions it has imposed on using them to mine cryptocurrencies.
What the investigations do seem to be advancing on is who or who is behind Lapsus$ and other details about its way of operating. This Thursday, Bloomberg reported that four cybersecurity experts investigating the group on behalf of the attacked companies were convinced that a 16-year-old teenager who lives with his mother near Oxford , England, is the brains behind Lapsus$. And this despite the fact that they have not been able to conclusively link him to all the hacking claimed by the group.
Investigators had used forensic evidence from the attacks, as well as publicly available information, to link the young man, who calls himself “White” and “Breachbase” online, to the gang. But they suspected that another teenager residing in Brazil also belongs to the group, and they assumed that there were more people involved since they had come to identify seven unique accounts associated with Lapsus$.
Yesterday afternoon, London police arrested seven teenagers after discovering alleged connections to this group. According to the BBC, which advanced the news, those arrested, aged between 16 and 21, were later released under investigation. The police continue their investigations.
The young man who is accused of being the mastermind has allegedly amassed a fortune of 14 million dollars. According to the investigators cited by Bloomberg, he is so quick to act that they initially thought the criminal activity they were observing was automated.
However, despite the skills demonstrated by the group, it seems that finding these young people has not been too difficult due to poor operational security. Microsoft itself said on its blog that unlike most groups [of cybercriminals] that remain under the radar, Lapsus$ does not seem to hide its tracks.
Thus, in addition to using traditional social engineering techniques (trying, for example, to deceive company employees with phone calls), “they go so far as to even announce their attacks on social networks and publicize their intention to buy credentials. employees of target organizations [to use as a gateway to the companies’ servers],” the Redmond giant said.
Bloomberg also detailed that the teenage hacker chief has had personal information, including his address and information about his parents, posted online. Much of that information leaked by rival hackers. In addition, the group of cybercriminals shared their goals on a Telegram channel that has more than 45,000 followers. Microsoft admitted, in fact, that it was able to stop downloading its code because Lapsus$ talked about it publicly on Telegram before completing the download.
This lack of discretion that has helped speed up the investigation could be the end of the gang. Or not, because the prolific group of hackers behind Laspus$ seems to be based in Latin America. And it is unknown how many people make it up. At the moment, this Wednesday the group reported through its Telegram channel that some of its members have “vacation until 3/30/22”. “Thanks for understand. We will try to leak things as soon as possible,” the message read.
The father of the group’s young mastermind told the BBC his family were very worried and were trying to keep him away from computers. The teenager, whose name has not been revealed because he is a minor, attends a special education school in Oxford, because according to the British chain he is autistic. “I had never heard of any of this until recently. He has never talked about any hacking, but he is very good with computers and spends a lot of time with them. I always thought he was playing,” added the father.
MULTIPLE TECHNIQUES TO ACHIEVE LOOT
Bribery. The techniques used by the members of Lapsus$ to attack their targets are multiple. In addition to using social engineering, bribing or duping employees of target organizations or their partners, they also pay employees or insiders of companies to serve as gateways to the company’s computer systems. the same.
Networks. Sources consulted by krebsOnSecurity assure that this group of cybercriminals has been recruiting insiders from the companies they wanted to attack through multiple social networks since at least November 2021. Last year, on Reddit they offered AT&T employees , T-Mobile, and Verizon up to $20,000 per week to do “inside jobs.”
SIM card. Precisely, the group has sometimes used the SIM swapping technique to gain access to key accounts in the target organizations. This consists of stealing a person’s identity by duplicating their mobile SIM card. Other times they have installed Redline password-stealing malware or resorted to searching for exposed credentials in public code repositories.
Extortion. One of the Lapsus$ members is believed to have been involved in an attack on Electronic Arts last year. The extortionists demanded payment from him in exchange for not publishing 780 GB of source code.