In the footsteps of Lapsus$, a group of hackers between extortion and boasting

Seven teenagers were arrested on Thursday, March 24 in the UK as part of the investigation into Lapsus$, a group of hackers that in recent weeks has claimed responsibility for several high-profile attacks on well-known companies such as Microsoft, Nvidia and Samsung. The arrests come as the noose tightens around a young British minor suspected of being a key member of the group.

Lapsus$ is an unusual gang, to say the least. The largest organized actors specializing in extortion recruit on specialized, mostly Russian-speaking forums and speak in public only to put more pressure on their victims. Lapsus$, by contrast, runs a Telegram channel on which it publicly announces its attacks, posts polls asking readers which data they would like to see leaked, and even maintains a chaotic "Lapsus$Chat" discussion group full of memes, bad taste and messages apparently written by teenagers fascinated by the group and by the illicit side of its activities.

Lapsus$ is suspected, for example, of a minor attack on January 11 against the website of Localiza, a Brazilian car rental company, which redirected visitors to the porn giant Pornhub.

High-profile attacks

In recent months, however, the group has claimed actions whose scale and prestige contrast with the uninhibited tone of its communication and the apparent casualness of its methods. In March, it claimed to have broken into Microsoft servers. The company later said that only a single internal employee account had been compromised, that the intrusion was quickly detected and that no sensitive information had been stolen.

Earlier this month, data from the iconic Korean phone maker Samsung began appearing on the Lapsus$ Telegram channel; the company confirmed an intrusion while maintaining that customer and employee data had not been compromised.

A month earlier, the group had published some of the information stolen from Nvidia, in an attack that the computer hardware manufacturer played down in the press. Finally, Lapsus$ recently claimed an attack in mid-March on Ubisoft, without saying anything more on the subject since. The French video game publisher did not respond to Le Monde's requests and referred to a March 10 statement that simply reported a computer "incident".


Apparently seeking to hold victims to ransom by threatening to publish stolen data, the gang tries to infiltrate the networks of targeted organisations by exploiting human weaknesses or by buying employee access or accounts on black-market platforms such as Genesis. "We know that they are looking for VPN access [tools that let Internet users hide their identity online] or for employees working directly in the companies who could facilitate their access," explains Narimane Lavay, a threat analysis expert at the specialist company Sekoia.

Password theft

On Telegram, the group has even put out calls for contributions, publicly announcing that it was seeking to recruit employees with access to large companies in order to use their credentials to break into their servers. According to a Microsoft report, Lapsus$ relies, among other things, on password-stealing software and also combs through the many data leaks circulating on the Internet in search of credentials to use. The company adds that the group has also been able to use SIM swapping, a method that consists of hijacking a person's phone number, to reset passwords, for example.
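The two weaknesses described in the paragraph above (reused credentials that turn up in public leaks, and password resets that depend on a phone number) are both things a defender can audit for. The script below is an added example, not code from the article, from Microsoft or from Sekoia; the combo-list format, the account record layout and the names of the reset channels are assumptions made for the illustration, and every input is a constructed sample.

```python
"""Added example (not from the article): audit for two Lapsus$-style weak points.

1. Reused passwords: a candidate password is rejected at change time if it
   appears in a corpus of leaked credentials. The corpus is indexed by SHA-1,
   the form in which such lists are commonly circulated, so no plaintext is
   retained after indexing.
2. SIM-swap exposure: accounts whose only self-service password-reset channel
   is SMS are flagged, since hijacking the phone number then takes over the
   account outright.

All data below is constructed for the example; the "email:password" combo-list
format and the reset-channel names are assumptions, not any vendor's schema.
"""
import hashlib
from typing import Iterable


def sha1_hex(text: str) -> str:
    """Hex SHA-1 of a UTF-8 string, upper-cased to match common corpus formats."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed sample of a leaked combo list, one "email:password" per line.
LEAK_DUMP = """\
alice@example.com:Summer2021!
bob@example.com:Welcome123
carol@example.com:Passw0rd!
malformed line without a separator
"""


def build_leak_index(dump: str) -> set[str]:
    """Index the passwords of a combo list by SHA-1; skip lines that do not parse."""
    index: set[str] = set()
    for line in dump.splitlines():
        if ":" not in line:
            continue  # not a credential pair; ignore rather than guess
        _email, password = line.split(":", 1)
        index.add(sha1_hex(password))
    return index


def is_leaked(password: str, index: set[str]) -> bool:
    """True if the candidate password appears in the leaked corpus."""
    return sha1_hex(password) in index


def check_password_change(candidate: str, index: set[str]) -> tuple[bool, str]:
    """Policy hook for a password-change endpoint: accept or reject with a reason."""
    if is_leaked(candidate, index):
        return False, "password appears in a known credential leak"
    return True, "ok"


# Constructed directory: each account lists the channels that can reset its password.
ACCOUNTS = [
    {"user": "alice@example.com", "reset_channels": ["sms"]},
    {"user": "bob@example.com", "reset_channels": ["sms", "authenticator_app"]},
    {"user": "dave@example.com", "reset_channels": ["hardware_key"]},
    {"user": "erin@example.com", "reset_channels": []},
]


def sms_only_reset(account: dict) -> bool:
    """True when SMS is the sole reset channel, i.e. a SIM swap alone takes the account."""
    return set(account["reset_channels"]) == {"sms"}


def audit_reset_channels(accounts: Iterable[dict]) -> list[str]:
    """Return the users whose password reset relies exclusively on SMS."""
    return [a["user"] for a in accounts if sms_only_reset(a)]


if __name__ == "__main__":
    idx = build_leak_index(LEAK_DUMP)
    for pw in ("Welcome123", "correct horse battery staple"):
        print(pw, "->", check_password_change(pw, idx))
    print("SMS-only reset:", audit_reset_channels(ACCOUNTS))
```

In a real deployment the index would be built from a full breach corpus (hundreds of millions of hashes) and the password check wired into the identity provider's change-password flow; the reset-channel audit is the kind of query to run against the directory before, not after, a SIM-swap attempt.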

The group's methods raise questions about the real motivations of its members. With the first victims, negotiations "were quite drawn out: there was an extortion message, then another a few days later (…) and it could last for days, or even longer," says Livia Tibirna, a threat analysis expert at Sekoia. "Lately there is no longer any delay between the announcement of the hack and the publication of the data." A development that suggests the actors involved are also trying to get themselves talked about by pulling off prestigious "hits".

All the experts who have observed this group agree on its amateurism when it comes to discretion and protecting its members' identities. "Unlike most actors who want to keep a low profile, DEV-0537 [the name the company gives the group] does not seem to cover its tracks," Microsoft insists in its report. In its analysis, Sekoia points to an apparent link between Lapsus$ and "4v3", a hacker who in July 2021 claimed on discussion forums a major attack on the video game giant Electronic Arts. "Remember our name. Lapsus$," he wrote in particular. That hack, as reported by the site Vice, matches the methods attributed to the group, in particular the use of credentials bought on the black market. As Sekoia recalls, a cryptocurrency wallet address linked to the Electronic Arts hack also matches an address found in other extortion attempts attributed to the group.

In 2021, after a dispute between Lapsus$ and the owners of Doxbin, the group decided to publish a large amount of data belonging to this site, which is used to leak people's personal information. That mass of data, however, contained elements identifying an alleged member of Lapsus$.

Many mistakes

Nicknamed "White", he is described as a British teenager still living with his parents. "4v3" and "White" may be the same person: according to Sekoia, an account named "doxbinwh1te" also claimed the Electronic Arts hack on the Exploit hacking forum, apparently seeking to be recruited by cybercriminal groups. The same account mentioned several attacks attributed to Lapsus$, including one on a Brazilian government entity. An expert interviewed by the specialist journalist Brian Krebs supports Vice's thesis.


British police, interviewed on Thursday by the BBC, did not say whether the young man was among the seven people detained as part of the Lapsus$ investigation. The authorities did, however, confirm that they had identified "White". "We have had his name since the middle of last year," an investigator told the BBC, saying that the young man had made many mistakes that compromised his identity.

Many questions about Lapsus$ remain unanswered. Several elements suggest that the group operates partly from Latin America, both because of its first victims and because of the languages it uses. "On their Telegram channel they started communicating in Portuguese" as well as English, explains Narimane Lavay. The identities of the group's other members also remain unknown, as does their future as legal pressure mounts. On Wednesday, on its Telegram channel, Lapsus$ announced that some of its members were taking "holidays": "We may be quiet for a while."
