May 4, 2022 By Jonathan Reed 2 min read

The cyber criminal organization LAPSUS$ has claimed responsibility for a number of high-profile attacks. Did they give away too much in their bragging? It could be since the City of London police say they have arrested seven teenagers in relation to the gang.

Meanwhile, a 16-year-old from Oxford who goes by the handle ‘White’ or ‘Breachbase’ has been named by rival threat actors and researchers as being connected with LAPSUS$. It has not been confirmed if White was among those arrested.

On the LAPSUS$ Telegram channel, the group has boasted about breaching brands such as Microsoft, NVIDIA, Samsung, Mercado Libre, Vodafone and, more recently, Ubisoft. The rival attackers allege White made up to $14M from his individual attacks.

Highly disruptive LAPSUS$ threat

LAPSUS$ is a particularly disruptive group known for unusual activity, such as polling their subscribers about “What should we leak next?”. The group recently offered three options. The first was to leak 200GB worth of Vodafone source code. The second choice was the source code and databases of Portuguese media corporation Impresa. Lastly, they offered to leak the source code for MercadoLibre and MercadoPago, both Argentinian e-commerce companies.

Apparently, the gang doesn’t make empty threats. In the Samsung incident, LAPSUS$ actors posted a 190GB torrent file to their Telegram channel. The group claimed the file contained confidential source code that exposed Samsung device security systems. The compromised systems reportedly included smartphone biometric authentication algorithms and bootloader source code to bypass OS controls.

On March 24, Microsoft confirmed that the LAPSUS$ group had also breached its company. Threat actors posted a torrent file containing partial source code from Bing, Bing Maps and Cortana. The attackers breached a single employee’s account, granting them “limited access” to Microsoft’s systems and allowing source code theft. According to Microsoft, the attack did not compromise customer code or data.

Attacks and counterattacks

In the NVIDIA attack, parts of the company were offline for two days. Attackers also managed to exfiltrate around 1TB of sensitive data. That included files like GPU driver and GPU firmware source codes. Later, LAPSUS$ threatened to “help mining and gaming community” by leaking a bypass solution for the Lite Hash Rate GPU hash rate limiter. The rogue actors then announced that the full LHR V2 workaround for anything between GA102-GA104 was for sale.

Later, the gang allegedly leaked password hashes from “all NVIDIA employees”. They threatened to release another terabyte of data unless the company paid “a fee”.

In another twist to the story, NVIDIA allegedly struck back at LAPSUS$ and encrypted a virtual machine the attacker group uses. LAPSUS$ stated they had backup files installed.

Teenage LAPSUS$ leader doxxed

According to the BBC report, a rival attacker website doxxed White after an apparent dispute. The rivals posted White’s real name, address and social media pictures. The BBC also reports that the rival group posted a synopsis about White, saying: “After a few years his net worth accumulated to well over 300BTC [close to $14m]… [he] now is affiliated with a wannabe ransomware group known as ‘Lapsus$’, who has been extorting & ‘hacking’ several organizations.”

As reported by Bloomberg, cybersecurity researchers have been tracking White for nearly a year and linked him to LAPSUS$ and other attacks.

“We’ve had his name since the middle of last year and we identified him before the doxxing,” said Allison Nixon, chief research officer at cybersecurity investigation company Unit 221B.

Only time will tell if the recent arrest will bring a halt to criminal activity associated with the LAPSUS$ operation.

More from News

3,000 “ghost accounts” on GitHub spreading malware

3 min read - In the past, cyber criminals directly distributed malware on GitHub using encrypted scripting code or malicious executables. But now threat actors are turning to a new tactic to spread malware: creating ghost accounts. A highly effective malware campaign Check Point Research recently exposed a new distribution-as-a-service (DaaS) network, referred to as the Stargazers Ghost Network, that has been spreading malware on GitHub for at least a year. Because the accounts perform typical activities as well, users did not realize that…

Warren Buffett’s warning highlights growing risk of cyber insurance losses

3 min read - The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.As noted by the Fitch Ratings report, "segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward." While this is good news for…

New CISA guidance for organizations adopting Single Sign-On

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) recently conducted a comprehensive study of various small and medium-sized businesses to help identify common challenges and opportunities associated with Single Sign-On (SSO) adoption. SSO has garnered considerable chatter across several industries, especially regarding its ability to improve security while extending a certain level of convenience to employees using this protocol. However, it hasn’t yet been widely adopted as a best practice standard. Some businesses rave about SSO's security benefits, while others are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today