Lapsus$ hacker group unmasked? Teenagers from Britain and Brazil suspected

The Lapsus$ group has been causing a furore with spectacular hacks since the beginning of 2022. Nvidia, Samsung, Microsoft and Okta are among the companies named as victims in this context. Security researchers believe they have unmasked members of the group. The mastermind is said to be a 16-year-old from Oxford, UK. But a teenager from Brazil is also suspected to be part of the gang.


I have reported on the hacks of the Lapsus$ group several times in recent days – see links at the end of the article. The Lapsus$ group has confused cyber security experts with a series of hacks on prominent names of big companies. Microsoft explains at some length in this article how the Lapsus$ attackers (called DEV-0537 there) go about hacking companies and organizations. Given the high-profile targets, I thought it was only a matter of time before individual actors would fall into the net of the investigators.

Now the news site Bloomberg reports in this article that some of the masterminds behind the group have been exposed. Four security researchers have investigated a series of attacks by the hacker group Lapsus$ on technology companies, including Microsoft Corp and Nvidia Corp, on behalf of the companies under attack. The researchers used forensic evidence from the hacks, as well as publicly available information, to identify and name the perpetrators.

16-year-old teenager from Oxford

Security researchers were able to trace the attacks back to a 16-year-old who lives in his mother's house near Oxford, England. The name of the hacker, who goes by the online pseudonyms "White" and "breachbase", was not disclosed. The reason: the person is probably still a minor and has not yet been publicly accused of wrongdoing by law enforcement authorities.

Currently, experts believe the teenager to be the mastermind of the Lapsus$ gang. However, security researchers have not been able to clearly link the teenager to every hack that Lapsus$ has claimed.

Second teenager located in Brazil

According to Bloomberg, the security researchers were able to identify another suspected member of the group. According to the investigators, this member is probably a teenager residing in Brazil. The teenager is so adept at hacking – and so fast – that investigators initially thought the activities they observed were automated, one of the people in charge of the matter told Bloomberg.


Another person investigating the group's activities told Bloomberg that security researchers identified seven unique accounts linked to the hacking group. This suggests that more people are likely involved in the group's operations.

Money and fame as motivation?

The group's mode of operation is to hack companies, steal data from them and then demand a ransom from the victims. If no ransom is paid, the hackers threaten to publish the data. The hackers have even used Zoom calls with the victims for negotiations.

The motivation behind the attacks is still unclear, but some cyber security researchers believe the group is motivated by money and celebrity, says Bloomberg. However, according to two security researchers, the group is bad at covering up its operations. According to the researchers, the group suffers from a lack of operational security. This allowed cyber security companies to gain intimate knowledge about the teenage hackers.

Microsoft is tracking the activities of Lapsus$ as "DEV-0537" and writes in a blog post that the group successfully recruited insiders in the affected companies to help with the hacks. Microsoft goes on to say:

Unlike most activity groups that stay under the radar, DEV-0537 does not seem to cover its tracks. They even go so far as to announce their attacks on social media or announce their intention to buy credentials from employees of the targeted organizations.

DEV-0537 initially targeted organizations in the UK and South America, but has expanded to global targets including organizations in government, technology, telecommunications, media, retail and healthcare. The personal details of the teenage hacker from the UK, including his address and information about his parents, were posted online by rival hackers.

Bloomberg writes that the leaked records list a modest terraced house on a quiet side street near Oxford (5 miles away). A Bloomberg reporter was able to speak with the boy's mother for 10 minutes via intercom at the front door. The woman said she had no knowledge of the allegations against her son or of the leaked material. The mother declined to comment further, pointing out that it's a matter for law enforcement and she would be contacting the police.

Meanwhile, in the wake of the Okta hack, there are indications that the hackers are planning to take some time off. The group's Telegram channel says:

A few of our members are on holiday until 3/30/2022. We may be quiet for some time. Thank you for understanding us.  We will try to leak the material as soon as possible.

It remains to be seen what else will come out and whether the information from Bloomberg will be confirmed.

Addendum: Brian Krebs published this article on Lapsus$ with various information that sheds further light on the matter. Allison Nixon, chief research officer at Unit 221B, a New York-based cybersecurity consulting firm that closely tracks cybercriminals involved in SIM swapping, has contributed more information. Working with researchers at security firm Palo Alto Networks, Nixon tracked the activities of individual members of LAPSUS$ before they joined the hacking group. Nixon was also able to unmask the mastermind behind LAPSUS$.

Similar articles:
Ubisoft hacked by Lapsus$ cyber gang (March 2022)
Cyber attacks on Nvidia and McDonalds (Feb. 25, 2022)
Samsung confirms hack, source code leaked by Lapsus$
Lapsus$ allegedly publishes source code of Microsoft Azure, Bing and Cortana
Authentication service OKTA hacked by Lapsus$?
Lapsus$ hacks: statements from Okta and Microsoft
