For the past three months, a mysterious hacker gang has been giving Silicon Valley a migraine of epic proportions. LAPSUS$, a band of cybercriminals with unorthodox techniques and a flair for the dramatic, has been on a white-hot streak, lining tech companies up and knocking 'em down like bowling pins.
The gang's targets are big. Microsoft, Samsung, Nvidia, Ubisoft, and, most recently, identity verification firm Okta, have all been smote. Worse, in nearly all these cases, LAPSUS$ wormed its way deep into these corporations' networks, where it then stole pieces of source code, the digital DNA of proprietary software. After that, the gang almost always leaked the code all over the internet, embarrassing the victim and spilling company secrets into the ether.
The group's acumen has led it into the innermost sanctums of multi-billion dollar companies, but some security researchers say that LAPSUS$ may ultimately be composed less of hardened cybercriminals than undisciplined amateurs. A bunch of them are allegedly children. On Thursday, British authorities announced the arrest of seven people said to be connected to the gang. Authorities revealed that the unidentified suspects ranged in age from 16 to 21. The ringleader of the gang is reputed to be a 16-year-old British kid from Oxford. That hacker, who is said to go by the pseudonym "White," appears to have recently had his identity leaked to the internet by a rival cybercrime faction. In short: after a string of victories and a lot of notoriety, things don't appear to be going particularly well for LAPSUS$.
"Unlike most activity groups that stay under the radar…[LAPSUS$] doesn't seem to cover its tracks," said researchers with Microsoft's Threat Intelligence Center, in a recent blog post. "They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations…[the gang] also uses several tactics that are less frequently used by other threat actors tracked by Microsoft." Yet it's those very tactics that make the gang so fascinating.
The ransomware gang that wasn't
Before going on to hack some of Silicon Valley's biggest companies, LAPSUS$ spent January of 2022 pulling a whole lot of juvenile cybercrime stunts, the likes of which seemed less about making money than having anarchic fun. In one of its first hacks of the year, for instance, the gang attacked a Brazilian car rental company, redirecting the business' homepage to a porn website for several hours. During another incident, the gang took over a Portuguese newspaper's verified Twitter account and tweeted: "LAPSUS$ IS OFFICIALLY THE NEW PRESIDENT OF PORTUGAL."
Early reporting on LAPSUS$ attempted to categorize the group as a "ransomware gang," partially due to its habit of leaking stolen data, as ransomware gangs are wont to do. Superficially, it might have appeared to be one, but there was just one problem: LAPSUS$ never actually used ransomware.
The gang has operated purely via an extortionist model, eschewing malware altogether. Instead of encrypting victims' data, LAPSUS$ just steals it, then threatens to leak it if its ransom isn't paid. It's an odd, clumsy variation on the ransomware industry's double extortion model, which uses the twin threats of data encryption and leakage to goad victims into paying. In general, most ransomware gangs operate like shadow versions of typical corporations, deploying fairly organized and sophisticated digital machinery towards theft and extortion.
Conversely, LAPSUS$ has operated like a dysfunctional startup. It has, in some cases, lacked the discipline to even ask for a ransom, opting instead to skip a financial demand and just leak the hacked data for the hell of it. Microsoft security researchers have referred to this style as a "pure extortion and destruction model," a turn of phrase that aptly describes the group's chaotic and not altogether effective modus operandi.
Wreaking mayhem
One area where LAPSUS$ has clearly been successful is intrusion, i.e., its ability to get inside networks and systems. The group has leveraged a number of well-known strategies, including the use of a password-stealing malware called "Redline," a variety of social engineering ploys, and the purchase of account credentials and session tokens on darknet forums. At the same time, the gang has frequently courted insiders from target companies, attempting to poach them via what amount to online job posting ads. In one case, the alleged leader of the group offered employees at Verizon and AT&T as much as $20,000 a week to defect to his criminal operation and conduct "inside jobs."
LAPSUS$' varied methods of pwning its targets have been remarkably successful. Its hack of Microsoft, for instance, is believed to have compromised a wealth of data, including 90 percent of the source code for the search engine Bing, as well as nearly half of the source code for Bing Maps and the virtual assistant Cortana. The gang's attack on Okta, meanwhile, may prove to have implications for companies beyond the identity verification firm itself. Because Okta sells its security services to thousands of other companies, a compromise of its systems has security implications for its clients, too. In an update on Wednesday, Okta admitted that the data of as many as 366 of its clients had been potentially affected by the recent LAPSUS$ attack.
Seeking notoriety
Another indication of the gang's flashy but potentially reckless tendencies lies in its unique leak vector. LAPSUS$ uses the semi-encrypted chat app Telegram, a choice that is not typical of most cybercrime gangs. Most ransomware hackers set up their own "leak sites" where they can curate hacked material and threaten to release more if their victim doesn't pay. The sites are typically sparse and controlled environments.
LAPSUS$, meanwhile, has wielded Telegram and other social media accounts as a kind of megaphone, a strategy that's allowed it to cultivate a louder, more interactive relationship with the public. The gang currently has some 48,000 Telegram followers and actively encourages its onlookers to comment on leaks, correspond with members via email, and generally follow along with the adventures in hacking.
This behavior would seem to reveal that LAPSUS$ enjoys attention, potentially even more than they like money, but probably less than they like hacking. That might actually be the group's problem: like a lot of rookie criminals, they seem more concerned with adrenaline rushes and the limelight than they are with running an effective money-making operation.
Amateur hour
Cybersecurity analysts who spoke to Gizmodo agree that, despite the list of impressive notches on its belt and its successful intrusion techniques, LAPSUS$ may not run the tightest ship. That is, the gang may be better at hacking than at running a criminal business (this would make a certain amount of sense if the gang is, as alleged, a bunch of kids). Brett Callow, a threat analyst for cybersecurity firm Emsisoft, said that some of the gang's behavior clearly shows a lack of efficiency and organization.
"Had the attacks been carried by a more organized cybercrime operation or a state-backed actor, the outcome could have been much worse," Callow said in an email to Gizmodo. "That's not to downplay the threat which groups like LAPSUS$ can represent. The fact that their motivations aren't necessarily as clearly defined as other cybercrime operations can make them harder to deal with."
Similarly, Motherboard journalist Joseph Cox has written about his encounters with the gang, the likes of which range from the bizarre to the outright comical. To hear Cox tell it, LAPSUS$ haplessly reached out to him for help after it hacked EA Games last summer. The gang, which was unsure of how to ask EA for a ransom, seemed to think that because Cox was a journalist he could liaise with the company and "act as a conduit" for the gang's financial demands.
Other analysts agree that LAPSUS$ doesn't really know how to secure a payoff, and may not, in fact, even be interested in one. "LAPSUS$ has a history of making unrealistic demands in exchange for its stolen data," threat researchers with SecurityScorecard recently wrote in a blog post.
"LAPSUS$ doesn't seem to be able to determine an appropriate ransom amount for the data it has stolen, nor does it appear to give its victims much time to negotiate a payment in exchange for not leaking information," they added, explaining that, in reality, the group "may not be financially motivated" at all. LAPSUS$ may be sowing chaos for the thrill of it and "making demands knowing that victims won't pay, so they can then gain attention and infamy by leaking data from high profile companies," the researchers wrote.
Doxxed and reported
If the members of LAPSUS$ wanted infamy, they certainly seem to be headed for it. The gang's happy days of exultant mayhem may now be in the rearview, as law enforcement increasingly closes in. Aside from the rash of arrests that took place Thursday, the gang's alleged leader also appears to have another problem on his hands: getting doxxed by a rival cybercrime faction.
The hacker in question, who goes by numerous online pseudonyms including "White," "Oklaqq," and "Breachbase," is alleged to be a 16-year-old kid who lives at home with his mom near Oxford, England. BBC reports that he also has autism and attends a special education school in Oxford. In a brief interview, the suspect's father apparently admitted that his son spent "a lot of time on the computer" but "thought he was playing games" or something. In January, the alleged hacker's rivals released what they said were his real name and other identifying details via Doxbin, a controversial website that is specifically used to leak personal details about people. In a post on the site, the doxxers said "White" owned over 300 Bitcoins, which would amount to a net worth of nearly $14 million. They called LAPSUS$ a "wannabe ransomware group."
According to Allison Nixon, chief research officer of cybersecurity firm Unit 221B, "White" was doxxed due to his prior business relationship with the operators of Doxbin. When Gizmodo asked her about the purported leak of the hacker's identity, Nixon affirmed that a "rival criminal group" had ended up "finding and publishing" the suspect's personal information. According to Nixon, Doxbin was actually purchased by "White" at some point, but he ended up being an ineffective administrator. As apparent revenge for letting the site "fall into neglect," the former owners regained control of Doxbin, then decided to dox "White" for his shoddy management practices, Nixon says.
Gizmodo has viewed screenshots of the Doxbin post, but we are not disclosing the details that purport to identify him.
Nixon also told Gizmodo that her company had been working with a number of other cybersecurity firms for the better part of a year to track the activities of "White," and that, as early as mid-2021, they had uncovered the hacker's real identity and subsequently reported him to police. It's unclear whether law enforcement has been investigating the gang since that time or why it took so long for suspects to be arrested.