In the footsteps of Lapsus$, a group of hackers between extortion and bragging rights

Seven teenagers were arrested Thursday, March 24, in the United Kingdom as part of an investigation into Lapsus$, a group of hackers that has claimed responsibility for several high-profile attacks in recent weeks against companies such as Microsoft, Nvidia and Samsung. The arrests come as the net tightens around a young British minor suspected of being a key member of the group.

Lapsus$ is, to put it mildly, an atypical gang. The largest organized groups specializing in extortion recruit on specialized forums, most often Russian-speaking, and speak publicly only to put more pressure on their victims. Lapsus$, by contrast, runs a Telegram channel where it publicly announces its hacks, posts polls asking readers which data they would like to see leaked, and even maintains a chaotic “Lapsus$Chat” discussion group filled with memes, tasteless jokes, and messages clearly written by teenagers fascinated by the group and the illegal side of its activities.

For example, on January 11, Lapsus$ was suspected of a small-scale attack on the website of Localiza, a Brazilian car rental agency, that redirected visitors to the porn giant Pornhub.

High-profile attacks

In recent months, however, the group has been touting activities whose scale and prestige contrast with the relaxed tone of its communication and the apparent simplicity of its methods. In March, it claimed to have hacked servers owned by Microsoft. The company later said that only a single employee’s internal account had been compromised, that the intrusion was quickly contained, and that no sensitive information was stolen.

Earlier this month, data from the Korean phone maker Samsung began to surface on the Lapsus$ Telegram channel: the company confirmed the intrusion, while stating that customer and employee data had not been compromised.

A month earlier, the group partially released information stolen from Nvidia in an attack that the hardware maker confirmed to the press. Lastly, Lapsus$ recently half-acknowledged an attack on Ubisoft, and has said little on the subject since. The French video game publisher did not respond to our inquiries and referred to its March 10 statement, which simply reported a computer “incident”.

Read also: Ubisoft was the victim of a computer “incident”; a group of hackers claims involvement

The gang, which appears to extort its victims by threatening to release the stolen data, seeks to infiltrate the networks of targeted organizations by exploiting human weaknesses, or by buying access or employee accounts on black-market platforms such as Genesis. “We know they are looking for VPN access [tools that let internet users hide their identity online] or employees who are directly in the companies and who could give them access,” explains Narimane Lawai, a threat intelligence expert at the specialist company Sekoia.

Password theft

On Telegram, the group even put out a recruitment call, publicly stating that it seeks to hire employees with access to large companies in order to use their credentials to break into their servers. According to a Microsoft report, Lapsus$ uses password-stealing software, among other tools, and also searches for credentials in the many data breaches circulating on the Internet. The company adds that the group has also used SIM swapping, a method that involves taking over a person’s phone number in order, for example, to reset passwords.

The group’s methods raise questions about the real motives of its members. With the first victims, negotiations “were quite long: there was an extortion message, then a few days later (…), and it could last for days or more,” says Livia Tibyrna, threat intelligence expert at Sekoia. “Recently, there is no longer any delay between the announcement of a hack and the publication of the data.” This evolution suggests that the actors involved also aim to get people talking about them by pulling off prestigious “coups”.

All the experts who have observed this group agree on its amateurishness in terms of operational security and the protection of its members’ identities. “Unlike most actors who want to go unnoticed, DEV-0537 [the name the company gives the group] doesn’t seem to cover its tracks,” Microsoft stresses in its report. In its analysis, Sekoia shows a link between Lapsus$ and “4c3”, the hacker who claimed on discussion forums in July 2021 to have carried out a major attack on the video game giant Electronic Arts. “Remember our name. Lapsus$,” he wrote, among other things. This hack, recounted by the site Vice, is consistent with the methods attributed to the group, in particular the use of credentials purchased on the black market. As Sekoia recalls, the cryptocurrency wallet address associated with the Electronic Arts hack also matches an address found in other extortion attempts attributed to the group.

In 2021, after a quarrel between Lapsus$ and the owners of Doxbin, a site used to publish people’s personal data, the group decided to release a large amount of information belonging to that site. That mass of data, however, contained elements that identified an alleged member of Lapsus$.

A lot of mistakes

Nicknamed “White”, he is described as a British teenager still living with his parents. “4c3” and “White” may be the same person: according to Sekoia, a certain “doxbinwh1te” also boasted about the EA hack on the hacker forum Exploit, seeking to be recruited by cybercriminal groups. The same account mentions several attacks attributed to Lapsus$, including one on a Brazilian government agency. An expert interviewed by the journalist Brian Krebs confirms Vice’s thesis.

Read also: Ransomware: How the French Authorities Track Cybercriminals

British police, questioned on Thursday by the BBC, did not specify whether the young man was one of the seven people arrested as part of the Lapsus$ investigation. The authorities did confirm, however, that they had identified “White”. “We have had his name since the middle of last year,” an investigator explained to the BBC, stating that the young man had made many mistakes that compromised his identity.

Many questions about Lapsus$ remain unanswered. Several elements suggest that the group operates in part from Latin America, both because of its initial victims and because of the language it uses. “In their Telegram channel, they started by talking in Portuguese” alongside English, explains Narimane Lavai. The identity of the group’s other members also remains unknown, as does its future as legal pressure intensifies. On Wednesday, Lapsus$ announced on its Telegram channel that some of its members were taking a “vacation”: “We risk being cautious for a while.”
