In a tumultuous turn, Lapsus$ also accused Nvidia of “hacking back”—lashing out against the group in retaliation for the attacks. A source close to the Nvidia incident disputed the claims, telling WIRED that the company did not hack back or deploy malware against Lapsus$.
“It’s difficult to say. The only source we’ve had for it is the ransomware group themselves,” says independent security researcher Bill Demirkapi of the claims. “The explanation they gave for how Nvidia hacked back does make sense, but I always take such statements with a grain of salt because Lapsus$ has an incentive to make Nvidia look as bad as possible.”
Nvidia said in a statement that it learned about the breach on February 23 and quickly “further hardened our network, engaged cybersecurity incident response experts, and notified law enforcement.” The company acknowledged that the attackers stole employee authentication credentials and some proprietary data.
In a blithe, even rash move, Lapsus$ also included two sensitive Nvidia code-signing certificates in its leaks. Other attackers quickly began signing their malware with the stolen certificates so that, in certain scenarios, it would appear to be legitimate, Nvidia-authored software.
“This group operates on street cred and clout,” says Charles Carmakal, senior vice president and chief technical officer of the cybersecurity firm Mandiant. “They’re bragging to their friends, and if they get money, they’ll take it, but money doesn’t seem to be the sole or primary driver. So a victim company that wants to negotiate with them and may think about paying them likely won’t get the outcome they’re hoping for.”
That thirst for notoriety makes Lapsus$ particularly reckless and disruptive. While the group does not encrypt victims' systems, Lapsus$ has deleted files and virtual machines and generally caused "a whole lot of chaos," as Carmakal puts it.
A few days after it began leaking Nvidia data, Lapsus$ also announced that it had stolen 190 gigabytes of data from Samsung, including boot-loader source code and algorithms for the Galaxy smartphone line’s biometric authentication system. Samsung confirmed last week that it suffered a breach.
A few days later, Ubisoft joined the fray. “Last week, Ubisoft experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services,” the company wrote in a statement on Thursday. “As a precautionary measure, we initiated a company-wide password reset … There is no evidence any player personal information was accessed or exposed as a by-product of this incident.”
Specific details about the group remain scarce for now. Researchers suspect that Lapsus$ is based in South America, potentially in Brazil, and say it may have a few members in Europe as well, perhaps in Portugal. Lapsus$ doesn't have a homepage on the dark web for posting samples of leaked data and negotiating with victims. Instead, the gang uses Telegram for most of its public-facing operations, an unorthodox choice for a ransomware group.
“One unusual tendency of Lapsus$ is their use of Telegram to broadcast victims’ identities,” Digital Shadows’ Peh says. “Abusing a legitimate tool like Telegram ensures Lapsus$’s data leak channel will see minimum disruption, and their victims’ identities can be exposed to anyone with an internet connection.”