ZP Enterprises

Cyber Security with a flare

Tag: LAPSUS$ crew

The Lapsus$ Hacking Group Is Off to a Chaotic Start

Threat Actor Group Lapsus$

RANSOMWARE GANGS HAVE become well-oiled moneymaking machines in their quest for criminal profit. But since December, a seemingly new group called Lapsus$ has added chaotic energy to the field, cavorting about with a solid social media presence on Telegram, a string of high-profile victims—including Samsung, Nvidia, and Ubisoft—calamitous leaks, and dramatic accusations that add up to a reckless escalation in an already unlawful industry.

What makes Lapsus$ noteworthy is that the group isn’t a ransomware gang. Instead of exfiltrating data, encrypting target systems, and then threatening to leak the stolen information unless the victim pays up, Lapsus$ seems to focus exclusively on data theft and extortion. The group gains access to victims through phishing attacks, then steals the most sensitive data it can find without deploying data-encrypting malware.

“It’s all been quite erratic and unusual,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “I sense that they are a talented but inexperienced operation. Whether they seek to expand and bring on affiliates or keep it small and lean remains to be seen.”

Lapsus$ emerged just a few months ago, at first focused almost exclusively on Portuguese-language targets. In December and January, the group hacked and attempted to extort Brazil’s health ministry, the Portuguese media giant Impresa, the South American telecoms Claro and Embratel, and Brazilian car rental company Localiza, among others. In some cases, Lapsus$ also mounted denial-of-service attacks against victims, making their sites and services unavailable for some time.

Even in those early campaigns, Lapsus$ got creative; it set Localiza’s website to redirect to an adult media site for a couple of hours until the company could revert it.

“Remember: The only goal is money; our reasons are not political,” Lapsus$ wrote in its Telegram channel in early December. And when the group announced its Nvidia breach on Telegram at the end of February, it added, “Please note: We are not state-sponsored, and we are not in politics AT ALL.”

Researchers say, though, that the truth about the gang’s intentions is murkier. Unlike many of the most prolific ransomware groups, Lapsus$ seems to be more of a loose collective than a disciplined, corporatized operation. “At this point it’s difficult to say with certainty what the group’s motivations are,” says Xue Yin Peh, a senior cyber-threat intelligence analyst at Digital Shadows. “There are no indications yet that the group uses ransomware to extort victims, so we can’t confirm that they’re financially motivated.”

This group operates on street cred and clout.

Lapsus$ breached Nvidia in mid-February, stealing 1 terabyte of data, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code for an Nvidia AI rendering system called DLSS, and the usernames and passwords of more than 71,000 Nvidia employees. The group threatened to release more and more data if Nvidia didn’t meet a series of unusual demands. At first, the gang told the chipmaker to remove an anti-crypto-mining feature called Lite Hash Rate from its GPUs. Then Lapsus$ demanded that the company release specific drivers for its chips.

“The focus on cryptocurrency mining suggests that the group may ultimately be financially driven. However, they are certainly taking a different approach than other groups in soliciting financial rewards,” Digital Shadows’ Peh says.

In a tumultuous turn, Lapsus$ also accused Nvidia of “hacking back”—lashing out against the group in retaliation for the attacks. A source close to the Nvidia incident disputed the claims, telling WIRED that the company did not hack back or deploy malware against Lapsus$.

“It’s difficult to say. The only source we’ve had for it is the ransomware group themselves,” says independent security researcher Bill Demirkapi of the claims. “The explanation they gave for how Nvidia hacked back does make sense, but I always take such statements with a grain of salt because Lapsus$ has an incentive to make Nvidia look as bad as possible.”

Nvidia said in a statement that it learned about the breach on February 23 and quickly “further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” The company acknowledged that the attackers stole employee authentication credentials and some proprietary data.

In a blithe, even rash move, Lapsus$ also included two sensitive Nvidia code-signing certificates in its leaks. Other attackers quickly abused them to make their malware look more authentic and trustworthy in specific scenarios.

“This group operates on street cred and clout,” says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant. “They’re bragging to their friends, and if they get money, they’ll take it, but money doesn’t seem to be the sole or primary driver. So a victim company that wants to negotiate with them and may think about paying them likely won’t get the outcome they’re hoping for.”

That thirst for notoriety makes Lapsus$ particularly reckless and disruptive. While they don’t encrypt systems, Lapsus$ has deleted files and virtual machines and generally caused “a whole lot of chaos,” as Carmakal puts it.

A few days after it began leaking Nvidia data, Lapsus$ also announced that it had stolen 190 gigabytes of data from Samsung, including boot-loader source code and algorithms for the Galaxy smartphone line’s biometric authentication system. Samsung confirmed last week that it suffered a breach.

A few days later, Ubisoft joined the fray. “Last week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services,” the company wrote in a statement on Thursday. “As a precautionary measure, we initiated a company-wide password reset … There is no evidence any player personal information was accessed or exposed as a by-product of this incident.”

Specific details about the group remain scarce for now. Researchers suspect that Lapsus$ is based in South America, potentially in Brazil, and say it may have a few members in Europe as well, perhaps in Portugal. Lapsus$ doesn’t have a homepage on the dark web for posting samples of leaked data and negotiating with victims. Instead, the gang uses Telegram for most of its public-facing operations in an unorthodox move for ransomware groups.

“One unusual tendency of Lapsus$ is their use of Telegram to broadcast victims’ identities,” Digital Shadows’ Peh says. “Abusing a legitimate tool like Telegram ensures Lapsus$’s data leak channel will see minimum disruption, and their victims’ identities can be exposed to anyone with an internet connection.”

One of Lapsus$’s trademark antics is to run polls on its Telegram channel where onlookers can vote for whose data the gang should publish next.

“It’s very reminiscent of the Lulzsec folks and even Anonymous back in the day,” Mandiant’s Carmakal says of the two hacktivist collectives that rose to prominence in the early 2010s. “Those folks had political motivations, or pretended to, but were also doing it for the fame and glory, and Lulzsec, in particular, was more overt about doing it for fun. With Lapsus$ it’s dangerous for people to do for fun, and they will be arrested at some point in time.”

In the meantime, the question for Big Tech is, who will be in Lapsus$’s crosshairs next? It seems that no target is too big or influential to be out of reach—and that the demands may be just as hard to predict.