Featured Article: What is Lapsus$?

Written by Pronetic

Pronetic is a leading provider of core IT support for ISO 27001, Cyber Essentials and Cyber Essentials Plus compliance.

March 29, 2022

In this article, we look at the cyber-crime gang Lapsus$, how they operate and the details of some of their recent high-profile attacks. 

Lapsus$?

Lapsus$ is reported to be a mostly teenage cyber-crime (hacking) gang, largely based in South America, although its alleged multi-millionaire teenage leader is said to be based in Oxford, UK. The gang has risen to prominence since late 2021 through frequent attacks on major targets. Unlike most extortion groups, Lapsus$ is not known to deploy ransomware: Microsoft describes its model as pure extortion and destruction, i.e. stealing source code and other sensitive data, threatening to leak it, and in some cases destroying the victim's systems and data. Although some tech and security commentators have described them as inexperienced and amateurish, they have expanded their reach globally and created many costly problems for some large organisations. Much of the money reported to have been taken by them is likely to have come not just from extortion but also from taking over individual user accounts at cryptocurrency exchanges and draining cryptocurrency holdings.

Social Engineering 

Some online reports indicate that Lapsus$ initially gains access to organisations, prior to extortion, through social engineering. This is reported to involve bribing or tricking employees at customer support call centres and help desks, for example. Microsoft, which was targeted by the group, wrote in a post that it had found instances where Lapsus$ “had successfully gained access to target organisations through recruited employees (or employees of their suppliers or business partners).” The same post describes the group phoning an organisation's help desk to have a target's password reset, repeatedly sending multi-factor authentication (MFA) push prompts to a user until one is approved (so-called MFA fatigue or prompt bombing), and SIM-swapping to intercept SMS-based codes. In other words, the weak point being attacked is usually a person or a support process rather than a software vulnerability.

Telegram Group 

Lapsus$ is known to run a Telegram (instant messenger) channel with around 45,000 subscribers, on which the group's members are highly active and where stolen data is announced and leaked. It is believed that the Telegram channel and several other social media platforms have been used to recruit insiders at target organisations since at least November 2021.

The Leader? 

It has been reported that the leader of Lapsus$ is a 16-year-old boy based in Oxford who uses the hacking names “White” or “Breachbase”. It has also been alleged that the autistic teenager has amassed a $14m (£10.6m) fortune in cryptocurrency from hacking.

Doxxed 

The alleged teenage leader’s identity was revealed after he reportedly mismanaged the Doxbin website that he controlled and leaked the Doxbin data set to Telegram. This led angry customers of the site, which shares personal information about people, to retaliate by doxing him, i.e. publicly revealing personal information about him online. It has also been reported, however, that cyber-security researchers, e.g. Unit 221B, had been tracking the alleged leader of Lapsus$ and had been aware of his real identity for almost a year.

Father Unaware 

Following the doxing, it has been reported that White/Breachbase’s father was unaware of his son’s alleged involvement in hacking and believed that the extended periods his son spent on his computer were simply the result of playing video games.

Attacks So Far 

Some of those targeted and attacked by Lapsus$ are so far thought to include: 

– Identity and access management company Okta. The attack in January, which Okta says took place via a laptop belonging to a third-party customer-support contractor and which was only publicly disclosed in March after Lapsus$ posted screenshots, is reported to have been a case where the data of (at worst) 366 of its customers may have been “viewed or acted upon”. News of the issue caused a 9 per cent fall in the company’s shares. 

– Microsoft, which reported that the group had only gained limited access after compromising a single account. Microsoft, which calls the Lapsus$ group DEV-0537, has published an extensive post about their activities and methods here: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ 

– Samsung, which recently confirmed that the hacking group had breached its security and stolen code relating to the operation of Galaxy smartphone devices. 

– Nvidia (US GPU giant). It was reported that Lapsus$ broke into NVIDIA’s internal network, stole sensitive data (from hashed login credentials to trade secrets) and then leaked NVIDIA’s official code-signing certificates. Although those certificates had expired, Windows still trusts drivers signed with them, and other criminals quickly began using them to sign malware so that it appears to come from NVIDIA; organisations should therefore treat anything signed with the leaked certificates as untrusted rather than relying on the signature alone. 

– Ubisoft (a French gaming publisher) has also been targeted. 

Recent Arrests 

Following an investigation, it has been reported that City of London Police have now arrested seven teenagers over their suspected connections with the Lapsus$  hacking group. It is not clear, however, whether this included the suspected 16-year-old leader. 

What Does This Mean For Your Business? 

It is shocking that a group of teenagers, apparently working from their bedrooms at home, may be behind some high-profile extortion crimes against major organisations, as well as taking over cryptocurrency accounts and amassing vast digital wealth in the process. Although the attacks may have exposed some technical security holes in company defences, the group seems mostly to have relied (according to Microsoft) on social engineering, e.g. recruiting and bribing relatively low-level insiders, talking help desks into resetting credentials, and wearing users down with repeated MFA prompts. This is difficult for businesses to defend against, and it highlights the importance of staff training about these threats, of strict identity verification before a help desk resets a password or MFA method, of preferring phishing-resistant MFA (such as FIDO2 security keys or number matching) over simple push approvals, and of monitoring sign-in logs for patterns such as a burst of denied MFA prompts followed by an approval. Although some arrests have now been made, the continued existence of a huge subscriber base on Telegram, and the details stolen in previous attacks, mean that the danger may not be over, and others may copy the gang’s methods or replace lost members.
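As an added illustration of the monitoring point above (this is example code written for this article, not anything published by Microsoft, Okta or Lapsus$ itself), the script below scans sign-in log lines for the MFA-fatigue pattern Microsoft attributes to the group: several denied push prompts for one user in a short window, and, more seriously, an approval arriving right after such a burst. The log format (timestamp, user, result, source IP) and the sample lines are constructed for the example; a real deployment would map the fields from the identity provider's own audit log.

```python
"""Flag MFA push-fatigue (prompt bombing) patterns in sign-in logs.

Example code for illustration only. The CSV-style log format below is an
assumption; adapt parse_log() to your identity provider's audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data, not real log output. One line per MFA event:
# timestamp,user,result,source_ip
SAMPLE_LOG = """\
2022-03-20T02:11:03Z,j.smith,MFA_DENIED,203.0.113.7
2022-03-20T02:11:41Z,j.smith,MFA_DENIED,203.0.113.7
2022-03-20T02:12:20Z,j.smith,MFA_DENIED,203.0.113.7
2022-03-20T02:13:05Z,j.smith,MFA_DENIED,203.0.113.7
2022-03-20T02:14:30Z,j.smith,MFA_APPROVED,203.0.113.7
2022-03-20T09:00:12Z,a.jones,MFA_APPROVED,198.51.100.4
2022-03-20T09:30:00Z,a.jones,MFA_DENIED,198.51.100.4
2022-03-20T11:05:10Z,a.jones,MFA_APPROVED,198.51.100.4
"""


def parse_log(text):
    """Turn the raw log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "result": result,
            "src": src,
        })
    return events


def find_push_fatigue(events, window_minutes=10, min_denials=3):
    """Return alerts for users who deny several MFA prompts inside the window.

    Two alert kinds are produced:
      repeated_denials       - min_denials denials within the window (medium)
      approved_after_denials - an approval following such a burst (high);
                               this is the case where fatigue actually worked.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()          # timestamps of denials still inside the window
        burst_reported = False    # avoid one alert per extra denial in a burst
        for ev in evs:
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if not recent:
                burst_reported = False
            if ev["result"] == "MFA_DENIED":
                recent.append(ev["ts"])
                if len(recent) >= min_denials and not burst_reported:
                    alerts.append({
                        "kind": "repeated_denials", "severity": "medium",
                        "user": user, "denials": len(recent),
                        "first": recent[0], "last": recent[-1], "src": ev["src"],
                    })
                    burst_reported = True
            elif ev["result"] == "MFA_APPROVED" and len(recent) >= min_denials:
                alerts.append({
                    "kind": "approved_after_denials", "severity": "high",
                    "user": user, "denials": len(recent),
                    "first": recent[0], "last": ev["ts"], "src": ev["src"],
                })
                recent.clear()
                burst_reported = False
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['kind']}: {alert['user']} "
              f"{alert['denials']} denials {alert['first']} -> {alert['last']} "
              f"from {alert['src']}")
```

On the sample data the script raises a medium alert for j.smith after the third denial and a high alert when the approval at 02:14:30 follows four denials; a.jones, with a single denial, produces nothing. The high-severity case is the one to respond to immediately (revoke sessions, reset the factor, contact the user), since an approval after a burst of denials is exactly what a successful prompt-bombing run looks like.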
