May 4, 2022 By Jonathan Reed 2 min read

The cyber criminal organization LAPSUS$ has claimed responsibility for a number of high-profile attacks. Did they give away too much in their bragging? It could be since the City of London police say they have arrested seven teenagers in relation to the gang.

Meanwhile, a 16-year-old from Oxford who goes by the handle ‘White’ or ‘Breachbase’ has been named by rival threat actors and researchers as being connected with LAPSUS$. It has not been confirmed if White was among those arrested.

On the LAPSUS$ Telegram channel, the group has boasted about breaching brands such as Microsoft, NVIDIA, Samsung, Mercado Libre, Vodafone and, more recently, Ubisoft. The rival attackers allege White made up to $14M from his individual attacks.

Highly disruptive LAPSUS$ threat

LAPSUS$ is a particularly disruptive group known for unusual activity, such as polling their subscribers about “What should we leak next?”. The group recently offered three options. The first was to leak 200GB worth of Vodafone source code. The second choice was the source code and databases of Portuguese media corporation Impresa. Lastly, they offered to leak the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies.

Apparently, the gang doesn’t make empty threats. In the Samsung incident, LAPSUS$ actors posted a 190GB torrent file to their Telegram channel. The group claimed the file contained confidential source code that exposed Samsung device security systems. The compromised systems reportedly included smartphone biometric authentication algorithms and bootloader source code to bypass OS controls.

On March 24, Microsoft confirmed that the LAPSUS$ group had also breached its company. Threat actors posted a torrent file containing partial source code from Bing, Bing Maps and Cortana. The attackers breached a single employee’s account, granting them “limited access” to Microsoft’s systems and allowing source code theft. According to Microsoft, the attack did not compromise customer code or data.

Attacks and counterattacks

In the NVIDIA attack, parts of the company were offline for two days. Attackers also managed to exfiltrate around 1TB of sensitive data. That included files like GPU driver and GPU firmware source codes. Later, LAPSUS$ threatened to “help mining and gaming community” by leaking a bypass solution for the Lite Hash Rate GPU hash rate limiter. The rogue actors then announced that the full LHR V2 workaround for anything between GA102-GA104 was for sale.

Later, the gang allegedly leaked password hashes from “all NVIDIA employees”. They threatened to release another terabyte of data unless the company paid “a fee”.

In another twist to the story, NVIDIA allegedly struck back at LAPSUS$ and encrypted a virtual machine the attacker group uses. LAPSUS$ stated they had backup files installed.

Teenage LAPSUS$ leader doxxed

According to the BBC report, a rival attacker website doxxed White after an apparent dispute. The rivals posted White’s real name, address and social media pictures. The BBC also reports that the rival group posted a synopsis about White, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organizations.”

As reported by Bloomberg, cybersecurity researchers have been tracking White for nearly a year and linked him to LAPSUS$ and other attacks.

“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B.

Only time will tell if the recent arrest will bring a halt to criminal activity associated with the LAPSUS$ operation.

More from News

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure." The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024,…

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today