Menu
EN

If you think your data is safer with big corps, you’re wrong: The story of Lapsus$ hacker group

Today we have somewhat of an unusual digest, we're going to talk about a notorious hacker group called Lapsus$ that's responsible for a number of high-profile cases. And if this topic may seem like it has nothing to do with you — it's only at first glance.

Mr. President

In early January this year, Portuguese mediagroup IMPRESA was targeted by hackers. Mediagroup's child companies — TV channel SIC and newspaper Expresso — were hacked. SIC's streaming got cut off, Expresso's Twitter account was hijacked. Appealing to Expresso's 540,000 followers, the hacker group impertinently declared itself the "new president of Portugal".

Lapsus$ tweet under the Expresso account
Source: Cyber etc. Twitter account

Next in line was Localiza, the biggest car rental service in Latin America. Anyone who visited their website got redirected to a porn website.

The hackers could have easily redirected users to a fake website, visually identical to the original, where the unsuspecting visitors would have voluntarily left all their personal data such as bank accounts' details. Like, for example, it happened to the hacked Instagram page of the NFT project Bored Ape Yacht Club. The hackers used the account to display phishing information and managed to steal over $1 million.

But Lapsus$, apparently, were more interested in attacking the big corp rather than in stealing the personal data of ordinary users.

Going big...

But this was only the beginning. The news about the NVIDIA hack shocked everyone. Among the stolen data were:

  • source codes for graphics cards' drivers, including the hashrate limiting technology that makes GPUs less desirable for miners;
  • highly confidential information about microchip design, including unreleased ones;
  • credentials of 71,000 NVIDIA employees;
  • source code for the DLSS rendering system;
  • and official code-signing certificates.

The list is long enough but one would think that at least the attack would only affect NVIDIA itself, its competitors, and, perhaps, miners. But this couldn't be further from reality. The signing certificates that were leaked to the web allow to sign any software as NVIDIA's. Any malefactor could use it to sign their virus, for example, and any computer would recognize this virus as perfectly normal NVIDIA software. This has opened a window for all kinds of perpetrators to circumvent Windows' built-in security systems.

And it didn't take long for the stolen certificates to start popping up in the news.

Stolen NVIDIA certificate
Source: Bleeping computer

...and going even bigger

The group expectantly didn't stop there, its appetites only growing. Samsung was destined to become the next victim. Lapsus$ stole source texts for the loader used in all latest devices, as well as the code responsible for biometrics, authentication, and encryption. In addition, confidential data of Qualcomm, one of Samsung's counterparties, was stolen.

The consequences, especially in the context of Samsung devices' security systems, can be quite disastrous. With high certainty, this data is currently being thoroughly scanned for vulnerabilities, and we can expect to hear about a series of Samsung devices being breached, and sooner rather than later. Evidently, even a single company getting hacked can often lead to more subsequent breaches and more data leakages. We all are forced into picking our poison and "trusting" one company or another with our personal data, but do they deserve this trust?

Meanwhile, Lapsus$ was only starting to gain momentum. Vodafone breach resulted in 200GB of data getting stolen. The company states that user data wasn't affected, and it may well be true, as it hasn't emerged anywhere on the darknet yet and wasn't among the files published by the hackers. It seems that the members of Lapsus$ are more interested in intellectual property than personal data. It doesn't mean that the next big hacker group will have the same preferences, we know plenty of examples when cybercriminals extorted money from regular Internet users. Yes, the sums may be smaller, but the number of potential victims compensates for that.

Gamedev was not spared either. Ubisoft became one of the next targets, and again, the company's data was stolen. We don't know yet what data exactly had been acquired by hackers, but Ubisoft initiated a full password reset for all its employees after the fact. It's unclear what was the hackers' goal this time, it may have simply been a stepping stone for performing larger scale attacks in the future. We can only wait and see if any of the clients' information was stolen too.

There was still room for Lapsus$ to go bigger: Microsoft fell prey next, a lot of source code was stolen, including that of Bing search engine and Cortana voice assistant. Hackers may be keeping the juiciest bites for themselves (e.g. credentials to access infrastructure), but even the share that they have decided to make public is enough to find more vulnerabilities in Microsoft products and exploit them in future breaches.

There are examples when hackers were able to cause some serious damage by gaining access to customer support accounts. Imagine what can be achieved when you have access to security engineers' accounts, know private message history and other details.

What's there to come

But the best illustration to the point we're making today is the breach of the single sign-on provider Okta. To carry out the attack, hackers compromised one of the company's contractors and proceeded to use it to get access to Okta systems. According to the company's statements, hackers stole the laptop of an engineer employed by one of Okta's contractors — talk about secure passwords.

It needs to be mentioned that Okta offers its services to over 15,000 companies around the world. Taking into account the fact that among them there are such giants as Peloton, Sonos, T-Mobile, and even The Federal Communications Commission of the US government, it's a safe bet that we're yet to witness how huge the aftermath of this breach can be.

After Okta, there was Globant breach — a key player in the market of software development consulting․ Around 70GB of data were stolen, and you can see from the screenshot below that among the affected companies are such big names as DHL, Facebook, Apple, C-span, Fortune, Arcserve.

Globant data leak
Source: Lapsus$ Telegram channel

Another counterparty targeted, another case, which scale we'll be able to grasp only in the future. It'll greatly depend on which data exactly had been stolen and what the hackers will decide to do with it.

The prodigy

What makes all of this especially intriguing is the fact that the leader (or how cybersec experts often call him, the mastermind and ideologist) behind the Lapsus$ group allegedly is a 16-year-old teenager. And he's not the only one — according to investigators, some of the other supposed members of the group are teenagers as well, and they often turn their attacks into nothing less than a spectacle. How else would you call hacking and joining Zoom meetings and trolling company representatives? All of this adds spice to the story, but also raises a lot of questions to the hacked corporations and their security systems.

If you thought that we're done and there's nothing else to top the above mentioned breaches, here's another one: Apple and Meta voluntarily transferred user data to hackers who impersonated police representatives. The malefactors managed to hijack a police email account, which opened the door to sending urgent inquiries to obtain all kinds of confidential information, and Meta and Apple duly obliged. Despite the fact that the incident only recently got publicity, and that a different group called Recursion Team was responsible, Lapsus$ leader has employed similar techniques. Part of the Recursion Team's roster even (presumably) joined Lapsus$ later under different nicknames when the original group was disbanded.
And the argument that user data wasn't truly compromised doesn't fly with this breach's case. Ask yourself: do you really want to let the government and megacorps know everything about you?

Conclusion

Quite an impressive record for a group that was founded towards the very end of 2021, isn't it? And we haven't even listed all of their achievements. As you could see, smallish companies and tech giants from the top-10s in their respective fields, all fell victim to a bunch of teenagers with laptops. It's hard to convince yourself that they all were cutting costs at the expense of security. Nonetheless, they were all proven to be absolutely susceptible to hacker attacks.

The entire Lapsus$ story is a perfect example to dispel the myth that the bigger the company, the safer your data is with it. As it turns out, those giant corporations often present the juiciest bite. Companies' employees have access to your data, and with a little help from hackers, it may end up in the wrong hands so very easily. So when you're about to say "I've got nothing to hide anyway" the next time, think twice.

Liked this post?
18,382 18382 user reviews
Excellent!

AdGuard for Windows

AdGuard for Windows is more than an ad blocker. It is a multipurpose tool that blocks ads, controls access to dangerous sites, speeds up page loading, and protects children from inappropriate content.
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard for Mac

AdGuard for Mac is a unique ad blocker designed with macOS in mind. In addition to protecting you from annoying ads in browsers and apps, it shields you from tracking, phishing, and fraud.
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard for Android

AdGuard for Android is a perfect solution for Android devices. Unlike most other ad blockers, AdGuard doesn't require root access and provides a wide range of app management options.
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard for iOS

The best iOS ad blocker for iPhone and iPad. AdGuard eliminates all kinds of ads in Safari, protects your privacy, and speeds up page loading. AdGuard for iOS ad-blocking technology ensures the highest quality filtering and allows you to use multiple filters at the same time
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard VPN

74 locations worldwide

Access to any content

Strong encryption

No-logging policy

Fastest connection

24/7 support

Try for free
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard Content Blocker

AdGuard Content Blocker will eliminate all kinds of ads in mobile browsers that support content blocker technology — namely, Samsung Internet and Yandex.Browser. While being more limited than AdGuard for Android, it is free, easy to install and still provides high ad blocking quality.
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard Browser Extension

AdGuard is the fastest and most lightweight ad blocking extension that effectively blocks all types of ads on all web pages! Choose AdGuard for the browser you use and get ad-free, fast and safe browsing.
18,382 18382 user reviews
Excellent!

AdGuard Assistant

A companion browser extension for AdGuard desktop apps. It offers an in-browser access to such features as custom element blocking, allowlisting a website or sending a report.
18,382 18382 user reviews
Excellent!

AdGuard DNS

AdGuard DNS is a foolproof way to block Internet ads that does not require installing any applications. It is easy to use, absolutely free, easily set up on any device, and provides you with minimal necessary functions to block ads, counters, malicious websites, and adult content.
18,382 18382 user reviews
Excellent!

AdGuard Home

AdGuard Home is a network-wide software for blocking ads & tracking. After you set it up, it’ll cover ALL your home devices, and you don’t need any client-side software for that. With the rise of Internet-Of-Things and connected devices, it becomes more and more important to be able to control your whole network.
18,382 18382 user reviews
Excellent!

AdGuard Pro for iOS

AdGuard Pro has much to offer on top of the excellent iOS ad blocking in Safari already known to the users of the regular version. By providing access to custom DNS settings, the app allows you to block ads, protect your kids from adult content online, and safeguard your personal data from theft.
By downloading the program you accept the terms of the License agreement
Read more
18,382 18382 user reviews
Excellent!

AdGuard for Safari

Ad blocking extensions for Safari are having hard time since Apple started to force everyone to use the new SDK. AdGuard extension is supposed to bring back the high quality ad blocking back to Safari.
18,382 18382 user reviews
Excellent!

AdGuard Temp Mail

A free temporary email address generator that keeps you anonymous and protects your privacy. No spam in your main inbox!
18,382 18382 user reviews
Excellent!

AdGuard for Android TV

AdGuard for Android TV is the only app that blocks ads, guards your privacy, and acts as a firewall for your Smart TV. Get warnings about web threats, use secure DNS, and benefit from encrypted traffic. Relax and dive into your favorite shows with top-notch security and zero ads!
Downloading AdGuard To install AdGuard, click the file indicated by the arrow Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, drag the AdGuard icon to the "Applications" folder. Thank you for choosing AdGuard! Select "Open" and click "OK", then wait for the file to be downloaded. In the opened window, click "Install". Thank you for choosing AdGuard!
Install AdGuard on your mobile device