Throughout the digital age, various creators of computer viruses or hacker groups have emerged in the world that more than once have put in check the technological companies or governments, although in the modern era -in addition to Anonymous- there had been no known one that had global relevance, as in the case of this group supposedly led by a young autistic man who accumulates a long list of thefts of information to companies, we talk about hackers known as Lapsus$.
Tech giants, the detonating victims
In 2020, at the beginning of the Covid-19 pandemic, it was announced that the Brazilian Minister of Health had been the victim of hacks, although no perpetrators were reported.
Subsequently, in 2021 firms such as Claro, Embratel, Net and Localiza were victims of a moderate group of hackers called Lapsus$ who would become known around the world in 2022, derived from attacks on technological giants.
Something curious about Lapsus$ is that in its beginnings they had a group in Telegram in which surveys were carried out on which companies to attack, in addition to disseminating the links with all the information and recruiting possible technological employees.
At the end of February 2022, the news began to spread that Nvidia, one of the most important graphics card companies, had been the victim of a numerous information theft which was self-attributed at that time to a barely known group called Lapsus$.
Nvidia first reported that it was in the process of investigating an incident where its security had been breached that had depleted its system for about two days, generating interruptions in email systems and development tools. Later it was announced that the “loot” obtained by the hackers was more than 70,000 credentials of employees of the company, in addition to obtaining source codes of drivers and important products, such as the RTX 3090 Ti, which will be launched in the coming months and whose information was used to extort money from the firm.
Later more attacks were announced, now it was Samsung, the company of cell phones, screens and other electronic products reported an incident of theft of information that escalated to 189.93GB of information, among which the source code of Galaxy devices and internal information stood out.
While Samsung acknowledged the leak, it said it did not compromise information about personal data of employees or users.
The list of companies hacked by Lapsus$ continued with Mercado Libre where according to information from the company itself more than 24 thousand repositories of information from approximately 300 thousand accounts of the source code of the page were breached.
However, at the end of April 2022 it was announced that more people were actually affected than had been calculated, so the e-commerce page continued to communicate to users about it.
As if this wasn’t enough to get on the radar, the attacks continued, with Ubisoft reporting a breach against it and Microsoft subsequently announcing the same with rumors that the hacker group had been able to access the source code of Bing and Cortana.
In the case of the firm founded by Bill Gates, it was later announced that Lapsus$ obtained up to 37GB of information from Microsoft, of which, it highlighted 90 percent of the source code of the Bing search engine and 45 percent of the virtual voice assistant Cortana. As in previous attacks, hackers posted on Telegram some of the information they obtained. In addition, they attacked the Firm Okla, which, from the beginning, minimized the attack and sought to avoid leaks.
Despite the long list of companies, it should be noted that these attacks occurred in about a month. The last one was released by T-Mobile, who confirmed just a few days ago that “many weeks ago” they had an intervention in their digital facilities, although cybercriminals could not obtain valuable data because there was an additional verification to the stolen credentials that hackers had used to access.
Despite this, they were able to get the T-Mobile source code and even access to a tool called Atlas, which manages accounts. However, the firm says that no customer or government information was compromised.
How do they operate?
According to the specialized media TitanHq, the modus operandi of Lapsus$ has to do with an introduction of a ransomware through a phishing attack, through which they can access high-level internal systems and thus access control panels and social media accounts.
Since its creation they have been in continuous activity through Telegram, where they have placed from surveys about the victims to attack to recruit employees of various technology companies to whom they even offer money in exchange for their credentials.
Another crucial point is that, according to specialists, Lapsus$ goes beyond simple extortion or a quick profit, its targets have to do with a specific field: technology companies.
They captured some of those responsible in London; group is inactive
In late March, the BBC reported that seven teenagers in London were arrested for allegedly having connections to Lapsus$. This came to refute the theory that was based on their first attacks, which pointed out that the group was Latin American.
In total, local police captured seven people between the ages of 16 and 21, which, it is assumed, was related to the hiring of private investigators by the affected companies to track down the hackers.
Within the information that transcended, it was assured that the person responsible behind Lapsus$ is a 16-year-old teenager originally from Oxford known as “White” who has autism and has a background in various communities of hackers, such as the fact that he bought a website called Doxbin, which was used to publish personal information of various individuals.
However, users disagreed with White’s administration, so they leaked his personal information and his “resume” as a hacker, which includes the accumulation of more than 300 bitcoins and his affiliation to Lapsus$.
Finally, the London police announced that two teenagers of the seven detainees had been prosecuted on five charges against them, among which are unauthorized access to a computer with the aim of affecting the reliability of the data, false representation and unauthorized access to a PC with the aggravating circumstance of obstruction of access to information.
Since the legal processing, the Lapsus$ Telegram has remained inactive and only new data on actions prior to the arrests have been obtained.