Seven teenagers were arrested Thursday, March 24, in the United Kingdom as part of the investigation into Lapsus$, a group of hackers who in recent weeks have claimed responsibility for several high-profile attacks against well-known companies such as Microsoft, Nvidia and Samsung. These arrests come as the noose tightens around a young British minor suspected of being an important member of the group.
Lapsus$ is an atypical gang, to say the least. The largest organized actors specializing in extortion recruit on specialized forums, most often Russian-speaking, and only speak publicly to put more pressure on their victims. Lapsus$, by contrast, runs a Telegram channel on which it publicly announces its hacks, publishes polls asking readers what data they would like to see leaked, and even maintains a chaotic discussion group, “Lapsus$Chat”, filled with memes, bad-taste jokes and messages apparently written by teenagers fascinated by the group and the illicit side of its activities.
On January 11, for example, Lapsus$ is suspected of having carried out a small-scale attack against the website of Localiza, a Brazilian car rental company, redirecting visitors to the porn giant Pornhub.
High profile attacks
In recent months, however, the group has claimed actions whose scale and prestige contrast with the uninhibited tone of its communication and the apparent lightness of its methods. In March, it claimed to have broken into servers belonging to Microsoft. The company later said that only a single internal employee account was compromised, that it was quickly spotted, and that no sensitive information was stolen.
Earlier this month, data from the iconic Korean telephony group Samsung began to appear on Lapsus$’s Telegram channel. The company confirmed an intrusion, while stating that customer and employee data had not been compromised.
A month earlier, the group had partly published information stolen from Nvidia, in an attack that the hardware manufacturer played down in the press. Finally, Lapsus$ recently hinted at an attack against Ubisoft, without saying anything further on the subject since. The French video game publisher did not respond to requests from Le Monde and referred to a March 10 statement simply reporting a computer “incident”.
The gang, which seems to want to hold its victims to ransom by threatening to publish stolen data, seeks to infiltrate the networks of the targeted entities by exploiting human weaknesses or by buying access or employee accounts on black-market platforms such as Genesis. “We know they are looking for VPN access [tools that allow Internet users to hide their identity online] or for employees working directly inside the companies who could provide them with access,” explains Narimane Lavay, a threat analysis expert at the specialized company Sekoia.
Theft of passwords
On Telegram, the group even launched calls for contributions, publicly announcing that it was seeking to recruit employees with access to large companies in order to use their credentials and break into their servers. According to a Microsoft report, Lapsus$ relies, among other things, on password-stealing software, and also searches the numerous data leaks circulating on the Internet for credentials to use. The company adds that the group has also used SIM swapping, a method that consists of hijacking a person’s telephone number, for example in order to reset passwords.
The group’s methods raise questions about the real motivations of its members. At the time of the first victims, the negotiations “were quite drawn out: there was an extortion message, then another a few days later (…) and it could last for days, or even longer,” explains Livia Tibirna, a threat analysis expert at Sekoia. “Lately, there is no longer any delay between the announcement of the hack and the publication of the data.” This evolution suggests that the actors involved are also seeking to get people talking about them by pulling off prestigious “coups”.
All the experts who have observed this group agree on its amateurism when it comes to discretion and protecting its members’ identities. “Unlike most actors who want to stay under the radar, DEV-0537 [the name the company gives the group] does not seem to cover its tracks,” Microsoft insists in its report. In its analysis, Sekoia reveals that a link seems to exist between Lapsus$ and “4c3”, a hacker who claimed, on discussion forums in July 2021, a major attack against the video game giant Electronic Arts. “Remember our name. Slip$”, he wrote in particular. This hack, recounted by the site Vice, matches the methods attributed to the group, in particular the use of credentials purchased on the black market. As Sekoia recalls, a cryptocurrency wallet address linked to the Electronic Arts hack also matches an address found in other extortion attempts attributed to the group.
In 2021, following a quarrel between Lapsus$ and the owners of Doxbin, the group decided to publish a large amount of information belonging to this site, which is used to leak personal data. However, within this mass of data were elements identifying an alleged member of Lapsus$.
Nicknamed “White”, he is described as a British teenager still living with his parents. “4c3” and “White” are possibly the same person: according to Sekoia, a certain “doxbinwh1te” also claimed, on the Exploit hacker forum, the hacking of Electronic Arts, seeking in this way to be recruited by cybercriminal groups. This account also mentioned several attacks attributed to Lapsus$, including one against a Brazilian government entity. An expert interviewed by the specialized journalist Brian Krebs confirms Vice’s account.
The British police, questioned Thursday by the BBC, did not specify whether the young man was one of the seven people arrested as part of the investigation into Lapsus$. However, the authorities have confirmed that they have identified “White”. “We had his name since the middle of last year,” an investigator explained to the BBC, saying that the young man had made many mistakes that compromised his identity.
Many questions surrounding Lapsus$ remain unanswered. Several elements suggest that the group operates partly from Latin America, both because of its first victims and because of the language it uses. “On their Telegram channel, they started by communicating in Portuguese” in addition to English, explains Narimane Lavay. The identity of the group’s other members also remains unknown, as does its future as legal pressure mounts. On Wednesday, on its Telegram channel, Lapsus$ announced that some of its members were taking a “vacation”: “We may be discreet for a while.”