The curious name LAPSUS$ made enormous headlines in March 2022 as the nickname of a hacking gang, or, in unvarnished terms, as the label for a notorious and active collective of cybercriminals:
The name was somewhat unusual for a cybercrime crew, who generally adopt soubriquets that sound edgy and destructive, such as DEADBOLT, Devil, Darkside, and REvil.
As we mentioned back in March, however, lapsus is as good a modern Latin word as any for “data breach”, and the trailing dollar sign signifies both financial value and programming, being the traditional way of denoting that a BASIC variable is a text string, not a number.
The gang, team, crew, posse, collective, gaggle, call it what you will, of attackers apparently offered the same sort of ambiguity in their cybercriminality.
Sometimes, they seemed to show that they were serious about extorting money or ripping off cryptocurrency from their victims, but at other times they seemed merely to be showing off.
Microsoft admitted at the time that it had been infiltrated by LAPSUS$, though the software giant referred to the group as DEV-0537, with the criminals apparently stealing gigabytes of source code.
Okta, a 2FA service provider, was another high-profile victim, where the hackers got RDP access to a support technician’s computer, and were therefore able to access a range of Okta’s internal systems as if they were logged in directly to Okta’s own network.
That support technician didn’t work for Okta, but for a company contracted by Okta, so that the attackers were essentially able to breach Okta’s network without breaching Okta itself.
Intriguingly, even though Okta’s breach happened in January 2022, neither Okta nor its contractor made any public admission of the breach for about two months, while a forensic investigation took place…
…until LAPSUS$ apparently decided to pre-empt any official announcement by dumping screenshots to “prove” the breach, ironically on the very same day that Okta received the final forensic report from the contractor (how, or if, LAPSUS$ got advance warning of the report’s delivery is unknown):
Next on the attack docket was graphics chip vendor Nvidia, who apparently also suffered a data heist, followed by one of the weirdest ransomware-with-a-difference extortion demands on record – open-source your graphics driver code, or else:
As we said in the Naked Security podcast (S3 Ep73):
Usually, the connection between cryptocurrency and ransomware is the crooks decide, “Go and buy some cryptocurrency and send it to us, and we’ll decrypt all your files and/or delete your data.” […]
But in this case, the connection to cryptocurrency was they said, “We’ll forget all about the huge amount of data we stole if you open up your graphics cards so that they can cryptomine at full power.”
Because that goes back to a change that Nvidia made last year [2021], which was very popular with gamers [by discouraging cryptominers from buying up all the Nvidia GPUs on the market for non-graphics purposes].
A different sort of cybercriminal?
For all that the online activities attributed to LAPSUS$ have been seriously and unashamedly criminal, the group’s post-exploitation behaviour often seemed rather old-school.
Unlike today’s multimillion-dollar ransomware attackers, whose primary motivations are money, money and more money, LAPSUS$ apparently aligned more closely with the virus-writing scene of the late 1980s and 1990s, where attacks were sometimes carried out merely for bragging rights and “for the lulz”.
(The phrase for the lulz translates roughly as in order to provoke insultingly mirthful laughter, based on the acronym LOL, short for “laughing out loud”.)
So, when the City of London Police announced, just two days after the not-so-mirthful-at-all screenshots of the Okta attack appeared, that it had arrested what looked like a motley bunch of youngsters in the UK for allegedly being members of a hacking group…
…the world’s IT media quickly made a connection with LAPSUS$:
As far as we’re aware, UK law enforcement has never used the word LAPSUS$ in connection with the suspects in that arrest, noting back in March 2022 merely that “our enquiries remain ongoing.”
Nevertheless, an apparent link with LAPSUS$ was inferred from the fact that one of the youngsters busted was said to be 17 years old, and to hail from Oxfordshire in England.
Fascinatingly, a hacker of that age who allegedly lived in a town just outside Oxford, the city from which the surrounding county gets its name, had been outed by a disgruntled cybercrime rival not long before, in what’s known as a doxxing.
Doxxing is where a cybercriminal releases stolen personal documents and details on purpose, often in order to put a person at risk of arrest by law enforcement, or in danger of retribution by ill-informed or malevolent rivals.
The doxxer leaked what he claimed was his rival’s home address, along with personal details and photos of him and close family members, as well as a bunch of allegations that he was some sort of linchpin in the LAPSUS$ crew.
LAPSUS$ back in the spotlight
As you can imagine, the recent Uber hacking stories revived the name LAPSUS$, given that the attacker in that case was widely claimed to be 18 years old, and was apparently only interested in showing off:
As Chester Wisniewski explained in a recent podcast minisode:
[I]n this case, […] it seems to be “for the lulz”. […T]he person who did it was basically collecting trophies as they bounced through the network – in the form of screenshots of all [the] different tools and utilities and programs that were in use around Uber – and posting them publicly, I guess for the street cred.
Shortly after the Uber hack, nearly an hour’s worth of what appeared to be video clips from the forthcoming game GTA6, apparently screen captures made for debugging and testing purposes, were leaked following an intrusion at Rockstar Games.
Once again, the same young hacker, with the same presumed connection to LAPSUS$, was implicated in the attack.
This time, reports suggest that the hacker had more in mind than merely bragging rights, allegedly saying that they were “looking to negotiate a deal.”
So, when City of London Police tweeted earlier this week that they had “arrested a 17-year-old in Oxfordshire on suspicion of hacking”…
On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU).
He remains in police custody. pic.twitter.com/Zfa3OlDR6J
— City of London Police (@CityPolice) September 23, 2022
…you can imagine what conclusions the Twittersphere quickly reached.
It must be the same person!
After all, what’s the chance that we’re talking about two different and unconnected suspects here?
The only thing we don’t know is quite where the LAPSUS$ moniker comes into it, if indeed it’s involved at all.
O, what a tangled web we weave/When first we practise to deceive.