Recently, the Lapsus$ hacker group has been on the front pages of IT publications around the world. These guys blackmailed Nvidia, leaked source code belonging to Microsoft, Ubisoft, and Samsung, and compromised Okta. As the media and experts now report, the leader of this hacking group is a 17-year-old teenager from the UK who was recently arrested by the authorities.

Hacks and ransoms

The Lapsus$ group first made itself known a few months ago, in December 2021, when, after a hack, it demanded a ransom from the Brazilian Ministry of Health. The hackers only reached the front pages of the media later, however, after compromising some of the pillars of the IT industry.

As VPNBrains security experts note, Lapsus$ differs from other ransomware groups in that it does not encrypt its victims' files. It penetrates the company's network, gains access to important files, steals them, and then threatens to leak data if it is not paid a ransom.

Lapsus$ did not have its own leak site where ransomware gangs usually publish or sell their victims' data. All leaks and communication with the public took place on the hackers' Telegram channel, which had more than 52,000 subscribers, or by email. The stolen data was also distributed via torrents.

In total, nineteen companies and organizations have become victims of Lapsus$. Fifteen of them are located in Latin America and Portugal. Let us take a look at the most high-profile hacks that have made the group famous in just three months:

  • Nvidia: Lapsus$ stole 71,000 employee credentials, source code, and other secret information from the hardware maker, including code-signing certificates. The hackers demanded that the company open the sources of all its GPU drivers and disable the LHR (Lite Hash Rate) mechanism on video cards, with which the manufacturer limits the mining potential of its hardware.

  • Samsung: The group stole confidential data, including the source code associated with the operation of Galaxy smartphones, eventually publishing approximately 190GB of data.

  • Microsoft: Hackers have made public some of the source code for Bing, Cortana, and other Microsoft products, allegedly stolen from an internal Microsoft Azure DevOps server.

  • Okta: According to official statements, this provider of access and identity management systems was also breached. The hack affected approximately 2.5% of Okta's customers. Lapsus$ had access to Okta's administrative consoles and customer data, apparently by compromising the machine of one of the support staff.

Methods and tactics

According to analysts, rather than trying to get past anti-ransomware software, the hackers focused mainly on obtaining compromised credentials for initial access to corporate networks. They obtained logins and passwords using social engineering and other methods:

  • Deployment of the RedLine stealer, malware that harvests credentials and session tokens.

  • Deployment of phone tracker apps.

  • Buying credentials on underground forums.

  • Bribing employees of target organizations (as well as suppliers and business partners) to get access to credentials and multifactor authentication.

  • Searching for credentials in public data breach repositories.

  • Exploiting various software vulnerabilities that appear due to the lack of proper patch management.

For accounts protected by multifactor authentication, the group replayed captured sessions or simply flooded the victim with MFA push notifications until the user, tired of them, approved the login.
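As an added illustration of how a defender can spot the push-flooding pattern described above (constructed here, not from the article or any vendor), the following detector walks a simplified authentication log and flags users who receive many push challenges in a short window, most of them denied or timed out, and notes whether an approval landed during the flood. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <user> <event>").
# alice is being push-bombed and finally approves; bob is a normal login.
SAMPLE_LOG = """\
2022-03-20T02:14:00Z alice push_sent
2022-03-20T02:14:25Z alice push_timeout
2022-03-20T02:15:00Z alice push_sent
2022-03-20T02:15:10Z alice push_denied
2022-03-20T02:15:12Z bob push_sent
2022-03-20T02:15:20Z bob push_approved
2022-03-20T02:16:00Z alice push_sent
2022-03-20T02:16:30Z alice push_timeout
2022-03-20T02:17:00Z alice push_sent
2022-03-20T02:17:05Z alice push_denied
2022-03-20T02:18:00Z alice push_sent
2022-03-20T02:18:30Z alice push_timeout
2022-03-20T02:19:00Z alice push_sent
2022-03-20T02:19:10Z alice push_denied
2022-03-20T02:20:00Z alice push_sent
2022-03-20T02:20:40Z alice push_approved
"""

REJECTED = {"push_denied", "push_timeout"}


def parse(log):
    """Yield (timestamp, user, event) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event


def detect_push_fatigue(log, window=timedelta(minutes=10), threshold=5):
    """Flag users with >= threshold push challenges inside a sliding window.

    Returns {user: {"challenges", "rejected", "approved_after_flood"}} so an
    analyst can prioritise the case where the user eventually approved."""
    recent = defaultdict(deque)  # user -> events still inside the window
    alerts = {}
    for ts, user, event in parse(log):
        q = recent[user]
        q.append((ts, event))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        sent = sum(1 for _, e in q if e == "push_sent")
        if sent < threshold:
            continue
        rejected = sum(1 for _, e in q if e in REJECTED)
        a = alerts.setdefault(user, {"challenges": 0, "rejected": 0,
                                     "approved_after_flood": False})
        a["challenges"] = max(a["challenges"], sent)
        a["rejected"] = max(a["rejected"], rejected)
        if event == "push_approved":  # approval while the flood is active
            a["approved_after_flood"] = True
    return alerts
```

Tune `window` and `threshold` to the normal push volume of the identity provider in use; the approval flag is the signal worth paging on.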

In some cases, hackers first compromised personal (non-work-related) accounts and then looked for additional credentials that could be used to gain access to corporate systems.

After gaining access to the network, attackers used Active Directory Explorer to find higher privileged accounts. They then attacked development and collaboration platforms such as Confluence, SharePoint, JIRA, Microsoft Teams, and Slack, also stealing credentials. These logins and passwords were eventually used to gain access to the GitHub, GitLab, and Azure DevOps repositories.

The attackers collected valuable information and transferred it using a VPN (to hide their location) while at the same time carrying out destructive attacks on the victim's infrastructure.

Lapsus$ is also known to exploit vulnerabilities in JIRA, Confluence, and GitLab for privilege escalation.

Hackers have been recruiting insiders through various forums and social media since at least November 2021. One of the principal members of Lapsus$ wrote on Reddit last year that he was looking for employees, offering insiders from AT&T, Verizon, and T-Mobile up to 20,000 USD a week for some not very legal work.

Lapsus$ also used SIM swapping in their attacks to gain access to key accounts in targeted organizations. In such cases, the attackers bribed or tricked mobile operator employees into transferring the victim's mobile phone number to them. This aspect seems to have helped to deanonymize some members of the hacking group. Allison Nixon, chief scientist at Unit 221B, an information security consulting company that closely monitors SIM-swapping hackers, shared some very interesting information on this matter.

Arrests

After these reports were published, the media reported that the London police had arrested seven people aged 16 to 21 in connection with the investigation into the hacking group's activities. All of them are currently under investigation. Interestingly, the arrests coincided with the announcement that several members of Lapsus$ were going on vacation for a while.

Information security experts believe that the leader of the hacking group, WhiteDoxbin, is the same person who last year bought the long-standing site Doxbin, where anyone could post personal information about their victims or find someone's personal data among hundreds of thousands of people who have previously been doxed.

Apparently, the alleged leader of the group was among those arrested. Among those arrested, there was a 17-year-old teenager from Oxford who has an autism spectrum disorder. His father told the BBC that he did not know what his son was doing.

If any readers are surprised by the talents of a 16-year-old (at that time) teenager, let me remind you that this is not such a rare case. For example, in mid-June 2020, Twitter suffered the largest attack in its history. As soon became apparent, Graham Ivan Clark, a 17-year-old teenager from the state of Florida, known online under the pseudonym Kirk, was the ideological inspiration and organizer of this attack.