Lapsus$

Formation: 2021
Founder: Arion Kurtaj
Type: Cybercrime gang
Headquarters: Unknown
Region: International
Methods: Spearphishing, SIM swapping, recruitment of accomplices via social media, extortion, hacking
Membership: 7 (March 2022 estimate)
Official language: English
Affiliations: Unknown

Lapsus$, stylised as LAPSUS$ and classified by Microsoft as Strawberry Tempest, [1] was an international extortion-focused [2] hacker group known for its various cyberattacks against companies and government agencies. [3] [4] The group was globally active, and had members arrested in Brazil and the UK. [5]

The composition of the group was described by City of London Police, with at least two of the members being teenagers. Lapsus$ used a variety of attack vectors, including social engineering, MFA fatigue, SIM swapping, [6] and targeting suppliers. Once the group had obtained the credentials of a privileged employee within the target organisation, it attempted to obtain sensitive data through a variety of means, including remote desktop tools. Attempts at extortion followed. The messaging app Telegram was used for communications to the public, including recruitment and posting sensitive data from their victims, although that usage later diminished. [7]

The first major cyberattack attributed to Lapsus$ was against the Brazilian Health Ministry's computer systems in December 2021. [8] In March 2022, Lapsus$ gained notoriety for a series of cyberattacks against large tech companies, including Microsoft, Nvidia, and Samsung. Following these attacks, the City of London Police announced that it had made seven arrests in connection with a police investigation into Lapsus$. [9] Although the group had been considered inactive by April 2022, it is believed to have re-emerged in September 2022 with a series of data breaches against various large companies through a similar attack vector, including Uber and Rockstar Games, with subsequent arrests by the City of London Police and Brazilian police. [5] The group appears to have become inactive after September 2022, with members perhaps dispersing to other groups, [5] and two British members were convicted. [10] One of the group's founding members, Arion Kurtaj, was given an order to remain indefinitely in a secure psychiatric facility. [11]

Attacks

Brazil's Ministry of Health (2021)

The first known cyberattack committed by Lapsus$ was against Brazil's Ministry of Health. The Ministry of Health website was taken down on Friday, 10 December, at around 1 AM. Lapsus$ left a message, "Contact us if you want your data back", along with their Telegram and e-mail addresses on the homepage of the ministry's website [8] after exfiltrating and deleting 50 TB of data on internal servers. By Friday afternoon the message had been removed, but the website and user data in the "ConecteSUS" app, which provides Brazilians with COVID vaccination certificates, remained unavailable, causing disruption for travellers. [12]

On 19 October 2022, a Brazilian citizen believed to be a Lapsus$ member was arrested by the police in Feira de Santana, Bahia, and subsequently accused of the attacks on the Brazilian Ministry of Health and other cybercrimes following "Operation Dark Cloud". Lapsus$ also targeted dozens of other bodies and entities of the Brazilian Federal Government, including the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police. [13] [14] The data appears to have been permanently deleted. [citation needed]

Okta (2022)

On 21 January 2022, Lapsus$ gained access to the servers of identity and access management company Okta through the compromised account of a third-party customer support engineer. Okta confirmed the breach on 25 January 2022. [15] [16] Based on the final forensic report, Okta's Chief Security Officer David Bradbury said the attack had only impacted two active customers. Okta began investigating claims of a hack after Lapsus$ shared screenshots in a Telegram channel implying they had breached Okta's customer networks. Initially, Okta said that a Lapsus$ hacker had obtained Remote Desktop (RDP) access to a Sitel support engineer's laptop over "a five-day window" between 16 and 21 January.

Nvidia (2022)

On 23 February 2022, technology company Nvidia became aware of a breach into its systems. Lapsus$ claimed to have a terabyte of data from Nvidia, and threatened to release the "complete silicon, graphics, and computer chipset files for all recent NVIDIA GPUs, including the RTX 3090Ti and upcoming revisions" if Nvidia didn't open-source its device drivers. [17] [3] On 3 March, the credentials for Nvidia's over 71,000 employees emerged online. [18]

Samsung (2022)

On 4 March 2022, Lapsus$ posted a 190 GB torrent of internal data belonging to phone manufacturer Samsung, including the source code of its Samsung Galaxy line of phones. Samsung confirmed the breach three days later. [19]

Mercado Libre (2022)

On 8 March 2022, Argentinian e-commerce company Mercado Libre confirmed that user data for 300,000 customers had been accessed by Lapsus$; the group also claimed to have access to 24,000 repositories belonging to Mercado Libre. [20]

Ubisoft (2022)

On 10 March 2022, gaming company Ubisoft confirmed that it had experienced a "cyber security incident", although user data had not been accessed. [21]

T-Mobile (2022)

On 17 March 2022, Lapsus$ gained access to an employee account within the telecommunications company T-Mobile. A prominent member of Lapsus$ going by the pseudonym "White" unsuccessfully attempted to gain access to the T-Mobile accounts of the Federal Bureau of Investigation and the United States Department of Defense. Lapsus$ was, however, able to obtain source code repositories belonging to T-Mobile. [22]

Microsoft (2022)

On 20 March 2022, Lapsus$ posted a screenshot of the technology company Microsoft's Azure DevOps server to their Telegram channel. The following day, the group released a 37 GB zip file containing, among other things, "90% of the source code for the Bing search engine". [23] [24] [25] [26]

Globant (2022)

On 30 March 2022, Luxembourg-based IT company Globant confirmed its network had been breached by Lapsus$. [27]

Uber (2022)

On 15 September 2022, Uber announced that it had been breached by Lapsus$. [28]

Rockstar Games (2022, 2023)

On 18 September 2022, 90 videos of game footage relating to Grand Theft Auto VI emerged on GTAForums. [29] The hacker is thought to have been affiliated with Lapsus$. [30] On 25 December 2023, additional content obtained from the breach a year earlier was reported to have been leaked, including game files for the planned follow-up to Bully, Python code from Grand Theft Auto VI, and the full source code of Grand Theft Auto V, which included hints about planned DLC content for the game. [31]

Interactions

The group used the messaging app Telegram, and the Lapsus$ Telegram channel was used to announce data dumps and to recruit accomplices. As of March 2022, it had nearly 50,000 subscribers. [7] The group posted polls asking which organisation it should target next. [32]

The FBI made an appeal for information on 21 March 2022. [33]

Composition

According to the indictment, the group's mastermind was Arion Kurtaj, a 16-year-old residing in Oxford, England, with another core member being a teenager in Brazil. [34] [35] [36] A Bloomberg report stated that the group has seven members and was likely formed recently. [37] [34]

Arrests and convictions

On 24 March 2022, seven people aged between 16 and 21 were arrested by the City of London Police in connection with a police investigation into Lapsus$. Arion Kurtaj, a prominent member of the group with the pseudonym "White", was arrested in Oxford, England. His identity had allegedly been disclosed earlier by a former associate, and various groups including the research group Unit 221B were reported to have identified him. [38] He was charged alongside a 17-year-old on 1 April 2022. [39] [35] Kurtaj was assessed by psychiatrists as unfit to stand trial, [36] but a seven-week court case proceeded until August 2023 and resulted in both the 17-year-old and Kurtaj being convicted. [10] Kurtaj received an order to remain indefinitely in a secure psychiatric facility. [11]

Analysis

The group's assumed modus operandi was based on obtaining access to a victim organisation's corporate network by acquiring credentials from privileged employees. These credentials were acquired in a number of ways, including recruiting insiders [40] or compromising privileged employees through methods such as SIM swapping. [7] Lapsus$ then used remote desktop or network access to obtain sensitive data, such as customer account details or source code. The group then extorted the victim organisation with threats of disclosing the data. [25] In the most prominent cases, the data was subsequently released and information was posted on Telegram.

Lapsus$ used the social engineering tactic known as a multi-factor authentication fatigue attack in its hack of Uber. [41] [42] [43]
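The MFA fatigue pattern described here and in the overview above (repeated push prompts to one account until the user approves one) leaves a recognisable trace in authentication telemetry: a burst of push prompts to a single user, most of them denied or timed out, sometimes ending in an approval. The following detection script is an added example written for this article; it is not code from Lapsus$, Uber, Okta or any identity vendor. The log format, the field names, the sample lines and the thresholds (at least 5 prompts with gaps of no more than 2 minutes) are all constructed assumptions, and a real deployment would map its own vendor's push-notification events onto the same shape.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log in a hypothetical format (not any
# vendor's real export). One line per MFA push prompt sent to a user.
# alice is bombarded and finally approves; carol sees a few denials (below
# threshold); bob has ordinary approvals hours apart.
SAMPLE_LOG = """\
2022-09-15T09:12:00Z user=bob event=mfa_push result=approved src_ip=198.51.100.20
2022-09-15T17:45:10Z user=bob event=mfa_push result=approved src_ip=198.51.100.20
2022-09-15T21:58:12Z user=carol event=mfa_push result=denied src_ip=203.0.113.9
2022-09-15T21:59:02Z user=carol event=mfa_push result=denied src_ip=203.0.113.9
2022-09-15T21:59:55Z user=carol event=mfa_push result=denied src_ip=203.0.113.9
2022-09-15T22:01:03Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2022-09-15T22:01:41Z user=alice event=mfa_push result=timeout src_ip=203.0.113.7
2022-09-15T22:02:20Z user=alice event=mfa_push result=denied src_ip=203.0.113.7
2022-09-15T22:03:05Z user=alice event=mfa_push result=denied src_ip=203.0.113.8
2022-09-15T22:03:50Z user=alice event=mfa_push result=timeout src_ip=203.0.113.8
2022-09-15T22:04:31Z user=alice event=mfa_push result=approved src_ip=203.0.113.8
2022-09-15T22:04:40Z user=alice event=login result=success src_ip=203.0.113.8
"""

# Only push-prompt events are of interest; other event types are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"event=mfa_push result=(?P<result>approved|denied|timeout) src_ip=(?P<ip>\S+)$"
)


@dataclass
class PushEvent:
    ts: datetime
    user: str
    result: str
    ip: str


def parse_log(text):
    """Parse the constructed log format into PushEvent objects sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a push prompt (or malformed): ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(PushEvent(ts, m["user"], m["result"], m["ip"]))
    events.sort(key=lambda e: e.ts)
    return events


def group_bursts(events, max_gap=timedelta(minutes=2)):
    """Split each user's prompts into bursts: runs where consecutive prompts
    arrive no more than max_gap apart."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    bursts = []
    for evs in by_user.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e.ts - current[-1].ts <= max_gap:
                current.append(e)
            else:
                bursts.append(current)
                current = [e]
        bursts.append(current)
    return bursts


def find_mfa_fatigue(events, min_prompts=5, max_gap=timedelta(minutes=2)):
    """Return one alert per burst that looks like push bombing: at least
    min_prompts prompts, nearly all of them rejected. Severity is 'high'
    when an approval follows the run of rejections (the user gave in)."""
    alerts = []
    for burst in group_bursts(events, max_gap):
        if len(burst) < min_prompts:
            continue
        rejected = sum(1 for e in burst if e.result != "approved")
        if rejected < min_prompts - 1:
            continue  # mostly approvals: a busy user, not a bombardment
        seen_rejected, gave_in = 0, False
        for e in burst:
            if e.result == "approved" and seen_rejected >= min_prompts - 1:
                gave_in = True
            elif e.result != "approved":
                seen_rejected += 1
        alerts.append({
            "user": burst[0].user,
            "start": burst[0].ts.isoformat(),
            "end": burst[-1].ts.isoformat(),
            "prompts": len(burst),
            "rejected": rejected,
            "src_ips": sorted({e.ip for e in burst}),
            "severity": "high" if gave_in else "medium",
        })
    return alerts


def analyse(text, **kwargs):
    """Convenience wrapper: parse a log text and return fatigue alerts."""
    return find_mfa_fatigue(parse_log(text), **kwargs)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags only alice, with severity "high" because the sixth prompt was approved after five rejections; carol's three denials stay below the default threshold, and lowering `min_prompts` to 3 would surface her burst as a "medium" alert. The "high" case is the one worth an immediate session revocation and a call to the user, since the approved prompt is exactly the event the technique is designed to produce.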

The methods used by Lapsus$ were the subject of a review by the US Cyber Safety Review Board in mid-2023. [5]

References

  1. "DEV-0537 criminal actor targeting organizations for data exfiltration and destruction". Microsoft Security Blog. 22 March 2022. Retrieved 24 March 2022.
  2. "Defending against attacks". Security Insider. Microsoft Security. 22 August 2022. Retrieved 8 October 2022.
  3. Goodin, Dan (4 March 2022). "Cybercriminals who breached Nvidia issue one of the most unusual demands ever". Ars Technica. Retrieved 14 March 2022.
  4. Winder, Davey (8 March 2022). "Samsung Confirms Massive Galaxy Hack After 190GB Data Torrent Shared Via Telegram". Forbes. Retrieved 14 March 2022.
  5. "Review of the attacks associated with Lapsus$ and associated threat groups" (PDF). CISA.Gov. US Government Cyber Safety Review Board. Archived (PDF) from the original on 10 August 2023. Retrieved 11 August 2023.
  6. Goodin, Dan (18 November 2023). "The FCC says new rules will curb SIM swapping. I'm pessimistic". Ars Technica. Retrieved 19 November 2023.
  7. Krebs, Brian (23 March 2022). "A Closer Look at the LAPSUS$ Data Extortion Group". Krebs on Security. Retrieved 24 March 2022.
  8. "Brazil health ministry website hit by hackers, vaccination data targeted". Reuters. 11 December 2021. Retrieved 24 March 2022.
  9. Peters, Jay (24 March 2022). "Seven teenagers arrested in connection with the Lapsus$ hacking group".
  10. "Lapsus$: Court finds teenagers carried out hacking spree". BBC News. 23 August 2023. Retrieved 23 August 2023.
  11. "Lapsus$: GTA 6 hacker handed indefinite hospital order". BBC News. 21 December 2023.
  12. Mari, Angelica (10 December 2021). "Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes". ZDNET. Retrieved 27 December 2023.
  13. "PF prende brasileiro suspeito de integrar organização criminosa internacional" [Federal Police arrests Brazilian suspected of belonging to international criminal organisation]. gov.br (in Brazilian Portuguese). 19 October 2022. Retrieved 27 December 2023.
  14. Gatlan, Sergiu (19 October 2022). "Brazil arrests suspect believed to be a Lapsus$ gang member". BleepingComputer. Retrieved 27 December 2023.
  15. Porter, Jon (22 March 2022). "Okta hack puts thousands of businesses on high alert". The Verge. Retrieved 22 March 2022.
  16. Newman, Lily Hay (28 March 2022). "Leaked Details of the Lapsus$ Hack Make Okta's Slow Response Look More Bizarre". Wired. Retrieved 1 April 2022.
  17. Clark, Mitchell (1 March 2022). "Nvidia says its 'proprietary information' is being leaked by hackers". The Verge.
  18. Gatlan, Sergiu (3 March 2022). "NVIDIA data breach exposed credentials of over 71,000 employees". BleepingComputer. Retrieved 21 September 2022.
  19. Glover, Claudia (7 March 2022). "Is Lapsus$ targeting Big Tech after Samsung breach?". Tech Monitor. Retrieved 14 March 2022.
  20. Sharma, Ax. "E-commerce giant Mercado Libre confirms source code data breach". BleepingComputer. Retrieved 23 March 2022.
  21. Peters, Jay (11 March 2022). "Ubisoft says it experienced a 'cyber security incident', and the purported Nvidia hackers are taking credit". The Verge. Retrieved 14 March 2022.
  22. Krebs, Brian (22 April 2022). "Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code". Krebs on Security. Retrieved 22 April 2022.
  23. Cox, Joseph (21 March 2022). "Microsoft Investigating Claim of Breach by Extortion Gang". Motherboard. Vice. Retrieved 21 March 2022.
  24. Clark, Mitchell; Lawler, Richard; Peters, Jay (22 March 2022). "Microsoft confirms Lapsus$ hackers stole source code via 'limited' access". The Verge. Vox Media. Retrieved 22 March 2022.
  25. Abrams, Lawrence. "Lapsus$ hackers leak 37GB of Microsoft's alleged source code". BleepingComputer. Retrieved 23 March 2022.
  26. Newman, Lily Hay (22 March 2022). "'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack". Wired. Retrieved 23 March 2022.
  27. Goodin, Dan (30 March 2022). "IT giant Globant discloses hack after Lapsus$ leaks 70GB of stolen data". Ars Technica. Retrieved 31 March 2022.
  28. "Uber says Lapsus$-linked hacker responsible for breach". Reuters. 17 September 2023. Retrieved 17 September 2023.
  29. Kan, Michael (20 September 2022). "Uber Blames Recent Breach on LAPSUS$ Hacking Group". PCMag. Ziff Davis. Archived from the original on 19 September 2022. Retrieved 19 September 2022.
  30. Robinson, Andy (19 September 2022). "Uber 'in contact with the FBI' over potential GTA 6 hacker". Video Games Chronicle. Gamer Network. Archived from the original on 19 September 2022. Retrieved 20 September 2022.
  31. Armughanuddin, Md (25 December 2023). "Rumor: GTA 5 Source Code and Other Rockstar Files Leak Online". Game Rant. Retrieved 26 December 2023.
  32. Newman, Lily Hay (15 March 2022). "The Lapsus$ Hacking Group Is Off to a Chaotic Start". Wired.
  33. "Most Wanted: LAPSUS$". www.fbi.gov. 21 March 2022. Archived from the original on 3 April 2022. Retrieved 5 April 2022.
  34. Turton, William; Robertson, Jordan (23 March 2022). "Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind". Bloomberg. Retrieved 23 March 2022.
  35. "16-year-old living with his mom is mastermind behind Lapsus$ Microsoft hack, cyber detectives say". Fortune. Archived from the original on 1 August 2022. Retrieved 8 October 2022.
  36. Tobin, Sam (11 July 2023). "Teen hacked Uber, Revolut and Grand Theft Auto maker, London court hears". Reuters. Retrieved 17 July 2023.
  37. Burt, Jeff (17 March 2022). "Lapsus$ gang sends a worrying message to would-be criminals". www.theregister.com.
  38. "Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal". BBC News. 24 March 2022. Retrieved 25 March 2022.
  39. "Lapsus$: Two UK teenagers charged with hacking for gang". BBC News. 1 April 2022.
  40. Paganini, Pierluigi (11 March 2022). "Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders". Security Affairs. Retrieved 23 March 2022.
  41. "MFA Fatigue: Hackers' new favorite tactic in high-profile breaches". BleepingComputer. Retrieved 20 September 2022.
  42. Whittaker, Zack (19 September 2022). "How do you stop another Uber hack?". TechCrunch. Retrieved 20 September 2022.
  43. Goodin, Dan (11 August 2023). "How fame-seeking teenagers hacked some of the world's biggest targets". Ars Technica. Retrieved 11 August 2023.