Seven teenagers were arrested in the UK on Thursday March 24 as part of the investigation into Lapsus$, a group of hackers who in recent weeks have claimed responsibility for several high-profile attacks against well-known companies, such as Microsoft, Nvidia or Samsung. These arrests are dropped when the noose is tightened around a young British minor suspected of being an important member of this group.
Lapsus$ is an atypical gang to say the least. The largest organized actors specializing in extortion recruit on specialized forums, mostly Russian-speaking, and only speak in public to put more pressure on their victims. But Lapsus$ runs a Telegram channel, where it publicly announces its hacks, publishes polls asking readers what data they’d like to see leaked, and even maintains a chaotic discussion group, “Lapsus$Chat,” full of memes, bad taste jokes. and posts apparently written by teens fascinated by the group and the illegal aspect of its activities.
For example, on January 11, Lapsus$ is suspected of leading a small attack against the site of Localiza, a Brazilian car rental company, redirect visitors to porn giant Pornhub.
High Level Attacks
In recent months, however, the group has claimed actions whose scale and prestige contrast with the uninhibited tone of its communication and the apparent lightness of its methods. In March, he claimed to have broken into Microsoft servers. The company later said only one internal employee account was compromised, quickly spotted, and that no sensitive information has been stolen†
Earlier this month, data from the iconic Korean telephony group Samsung began appearing on Lapsus$’s Telegram channel: the company confirmed a break-in, while claiming that customer and employee data had not been compromised.
A month earlier, the group had published some of the information stolen from Nvidia in an attack that targeted the computer hardware manufacturer. relative in the press† Finally, Lapsus$ recently claimed an attack on Ubisoft, with no further mention of it since. The French video game publisher did not respond to requests from the World and referred to a statement dated March 10 that simply reported “incident” computer technology.
Appearing to ransom its victims by threatening to publish stolen data, the gang tries to infiltrate the targets’ networks, exploit human flaws, or buy access or employee accounts on black market platforms such as Genesis. “We know they’re looking for VPN access [outils qui permettent aux internautes de masquer leur identité en ligne] or employees who are directly in the companies and who could grant them access”explains Narimane Lavay, threat analysis expert at specialist company Sekoia.
Password theft
On Telegram, the group even launched calls for contributions, publicly announcing that it was looking for employees with access to large companies to use their credentials and hack into their servers. According to a Microsoft report, Lapsus$ relies on password-stealing software, among other things, and also digs into the many data breaches circulating on the Internet. looking for references to use† The company adds that the group has also been able to use SIM Swapping, a method that involves hijacking someone’s phone number, for example to reset passwords.
The group’s methods question the real motivations of its members. At the time of the first victims, the negotiations “were quite long in time: there was an extortion report, and another a few days later” † and it can take days, or even longerdetails Livia Tibirna, threat analysis expert at Sekoia. Lately, there has been no delay between the announcement of the hack and the publication of the data. † An evolution that suggests that the actors involved are also trying to get people to talk about them by committing prestigious ‘coups’.
All the experts who have observed this group agree on its amateurism with regard to discretion and the protection of their identities. “Unlike most actors who want to stay under the radar, DEV-0537” [le nom donné au groupe par l’entreprise] does not seem to make up his tracks »Microsoft insists in its report. In his analysis Sekoia Reveals There Seems to Be a Link Between Lapsus$ and “4v3”a hacker who claimed a major attack on video game giant Electronic Arts on discussion forums in July 2021. “Remember our name. slip$”he wrote in particular. this hack, told by the site vice, corresponds to the methods attributed to the group, in particular using identifiers purchased on the black market. As Sekoia recalls, a cryptocurrency wallet address linked to the Electronic Arts hack also matches an address found in other extortion attempts attributed to the group.
IN 2021, after an argument between Lapsus$ and the owners of Doxbin, the group decides to publish a large amount of information from this site that is used to leak personal data. However, in this mass of data were elements that identified an alleged member of Lapsus$.
Many mistakes
Nicknamed “White”, he is described as a British teenager who still lives with his parents. “4c3” and “White” may be the same person: According to Sekoia, a certain “doxbinwh1te” on the Exploit pirate forum also claimed Electronic Arts piracy, with which he tried to be recruited by cybercriminal groups. This account also mentioned several attacks attributed to Lapsus$, including those by a Brazilian government agency. An expert, interviewed by specialist journalist Brian Krebssupports the statement of vice†
british police, interviewed by the BBC on Thursday, did not specify whether the young man was one of seven people arrested as part of the Lapsus$ investigation. However, authorities have confirmed that they have identified “white people”. “We had his name since the middle of last year”one researcher explained to the BBC, saying the young man had made many mistakes that compromised his identity.
Many questions about Lapsus$ remain unanswered. Several elements suggested that the group operates partly from Latin America, both because of the first victims and because of the language used by the group. “On their Telegram channel they started communicating in Portuguese” besides English, explains Narimane Lavay. The identities of the other members of the group also remain unknown, as does the future as legal pressure mounts. On Wednesday, Lapsus$ announced on its Telegram channel that some of its members were participating in ” holidays “ † “We run the risk of being discreet for a while. †
