Lapsus$

From Wikipedia, the free encyclopedia
International hacker group

Lapsus$
(LAPSUS$ logo, 2024)
Formation: 2021
Founder: Arion Kurtaj
Type: Cybercrime gang
Headquarters: Unknown
Region: International
Methods: Spearphishing, SIM swapping, recruitment of accomplices via social media, extortion, hacking
Membership: 7 (March 2022 estimate)
Official language: English
Affiliations: Unknown

Lapsus$, stylised as LAPSUS$ and classified by Microsoft as Strawberry Tempest,[1] is an international extortion-focused[2] hacker group known for its various cyberattacks against companies and government agencies.[3][4] The group was active in several countries, and had members arrested in Brazil and the UK in 2022.[5] According to the City of London Police, at least two of the members were teenagers.

Lapsus$ uses a variety of attack vectors, including social engineering, MFA fatigue, SIM swapping,[6] and targeting suppliers. Once the group has obtained the credentials of a privileged employee within the target organisation, it attempts to reach sensitive data through a variety of means, including remote desktop tools. Attempts at extortion follow. Initially, the messaging app Telegram was used for communications with the public, including recruitment and posting sensitive data from victims.[7]

The first major cyberattack attributed to Lapsus$ was against the Brazilian Health Ministry's computer systems in December 2021.[8] Lapsus$ gained notoriety for a series of cyberattacks against large tech companies, including Microsoft, Nvidia, and Samsung. Following these attacks, the City of London Police announced that it had made seven arrests in connection with a police investigation into Lapsus$.[9] Although the group had been considered inactive by April 2022, it is believed to have re-emerged in September 2022 with a series of data breaches against various large companies through a similar attack vector, including Uber and Rockstar Games, with subsequent arrests again by the City of London Police and Brazilian police.[5] The group appears to have become inactive after September 2022, with members perhaps dispersing to other groups,[5] and the conviction of two British members.[10] One of the group's founding members, Arion Kurtaj, was given an order to remain indefinitely in a secure psychiatric facility.[11]

Attacks


Brazil's Ministry of Health (2021)


The first known cyberattack committed by Lapsus$ was against Brazil's Ministry of Health. The ministry's website was taken down at around 1 AM on Friday, 10 December 2021. After exfiltrating and deleting 50 TB of data from internal servers, Lapsus$ left a message on the homepage, "Contact us if you want your data back", along with its Telegram and e-mail addresses.[8] By Friday afternoon the message had been removed, but the website and user data in the "ConecteSUS" app, which provides Brazilians with COVID-19 vaccination certificates, remained unavailable, causing disruption for travellers.[12]

Okta (2022)


By 21 January 2022, Lapsus$ had gained access to the systems of identity and access management company Okta through the compromised account of a third-party customer support engineer. According to Okta's initial account, a Lapsus$ member obtained Remote Desktop (RDP) access to a Sitel support engineer's laptop over "a five-day window" between 16 and 21 January. Okta confirmed the breach on 25 January 2022.[13][14] Okta began investigating claims of a hack after Lapsus$ shared screenshots in a Telegram channel implying that it had breached Okta's customer networks. Based on the final forensic report, Okta's Chief Security Officer David Bradbury said the attack impacted only two active customers.

Nvidia (2022)


On 23 February 2022, technology company Nvidia became aware of a breach of its systems. Lapsus$ claimed to have a terabyte of data from Nvidia, and threatened to release the "complete silicon, graphics, and computer chipset files for all recent NVIDIA GPUs, including the RTX 3090Ti and upcoming revisions" unless Nvidia open-sourced its device drivers.[15][3] On 3 March 2022 the credentials of more than 71,000 Nvidia employees emerged online.[16]

Samsung (2022)


On 4 March 2022, Lapsus$ posted a 190 GB torrent of internal data belonging to phone manufacturer Samsung, including source code for its Samsung Galaxy line of phones. Samsung confirmed the breach three days later.[17]

Mercado Libre (2022)


On 8 March 2022, Argentinian e-commerce company Mercado Libre confirmed that user data for 300,000 customers had been accessed by Lapsus$; the group also claimed to have access to 24,000 repositories belonging to Mercado Libre.[18]

Ubisoft (2022)


On 10 March 2022, gaming company Ubisoft confirmed that it had experienced a "cyber security incident", but said that user data had not been accessed.[19]

T-Mobile (2022)


On 17 March 2022, Lapsus$ gained access to an employee account at the telecommunications company T-Mobile. A prominent member of Lapsus$ using the pseudonym "White" unsuccessfully attempted to gain access to the T-Mobile accounts of the Federal Bureau of Investigation and the United States Department of Defense. Lapsus$ was, however, able to obtain source code repositories belonging to T-Mobile.[20]

Microsoft (2022)


On 20 March 2022, Lapsus$ posted a screenshot of technology company Microsoft's Azure DevOps server to its Telegram channel. The following day, the group released a 37 GB zip file containing, among other things, "90% of the source code for the Bing search engine".[21][22][23][24]

Globant (2022)


On 30 March 2022, Luxembourg-based IT company Globant confirmed its network had been breached by Lapsus$.[25]

Uber (2022)


On 15 September 2022, Uber disclosed a breach, which it attributed to an attacker linked to Lapsus$.[26]

Rockstar Games (2022)

See also: Grand Theft Auto VI § Leaks

On 18 September 2022, 90 videos of game footage relating to Grand Theft Auto VI emerged on GTAForums.[27] The hacker is thought to have been affiliated with Lapsus$.[28] On 25 December 2023, additional content obtained in the breach a year earlier was reported to have been leaked, including game files for the planned follow-up to Bully, Python code from Grand Theft Auto VI, and the full source code of Grand Theft Auto V, which included hints about planned DLC content for the game.[29]

Interactions


The group used the messaging app Telegram; its Telegram channel was used to announce data dumps and to recruit accomplices, and as of March 2022 it had nearly 50,000 subscribers.[7] The group posted polls asking which organisation it should target next.[30]

The FBI made an appeal for information on 21 March 2022.[31]

Composition


According to the indictment, the group's mastermind was Arion Kurtaj, a 16-year-old living in Oxford, England, with another core member being a teenager in Brazil.[32][33][34] A Bloomberg report stated that the group had seven members and had likely been formed only recently.[35][32]

Arrests and convictions


On 24 March 2022, seven people aged between 16 and 21 were arrested by the City of London Police in connection with a police investigation into Lapsus$. Arion Kurtaj, a prominent member of the group using the pseudonym White, was arrested in Oxford, England. His identity had allegedly been disclosed earlier by a former associate, and various groups, including the research group Unit 221B, were reported to have identified him.[36] Kurtaj was charged alongside a 17-year-old on 1 April 2022.[37][33] He was assessed by psychiatrists as unfit to stand trial,[34] but a seven-week court case proceeded until August 2023 and resulted in both the 17-year-old and Kurtaj being convicted.[10] Kurtaj received an order to remain indefinitely in a secure psychiatric facility.[11]

On 19 October 2022, a Brazilian citizen believed to be a Lapsus$ member was arrested by police in Feira de Santana, Bahia, and was subsequently accused of the attacks on the Brazilian Ministry of Health and other cybercrimes following "Operation Dark Cloud". Lapsus$ also targeted dozens of other organisations and entities of the Brazilian federal government, including the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police.[38][39] The stolen data appears to have been permanently deleted.[citation needed]

Analysis


The group's assumed modus operandi was based on obtaining access to a victim organisation's corporate network by acquiring the credentials of privileged employees. These credentials were acquired in a number of ways, including recruiting insiders[40] or compromising privileged employees using methods such as SIM swapping.[7] Lapsus$ then used remote desktop or network access to obtain sensitive data, such as customer account details or source code. The group then extorted the victim organisation with threats of disclosing the data.[23] In the most publicised cases the data was subsequently released and announced on Telegram.

Lapsus$ used the social engineering tactic known as a multi-factor authentication fatigue attack in its hack of Uber, repeatedly triggering MFA push prompts to a user who held valid credentials until one was approved.[41][42][43]
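The push-fatigue pattern described here, and the MFA fatigue vector listed in the lead, can be detected from an identity provider's push-notification logs. The following Python detector is an added example and is not part of this article or of any vendor's product: the key=value log format, the field names, the ten-minute window and the threshold of five pushes are assumptions chosen for illustration, and the log lines are constructed. It counts denied and timed-out pushes per user inside a sliding window and raises a high-severity finding when an approval arrives while such a burst is still in the window, which is the moment the target has probably given in.

```python
"""MFA push-fatigue detector over constructed push-notification logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value format and field names are
# assumptions for this example, not the output of any real identity provider.
# alice: five unanswered/denied pushes, then an approval (the fatigue pattern)
# bob:   one accidental deny followed by an approval (normal user behaviour)
# carol: six timeouts and no approval (bombing in progress, user held out)
# dave:  a single approval (normal sign-in)
SAMPLE_LOG = """\
2022-09-15T01:02:10Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T01:02:41Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T01:03:15Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T01:03:50Z user=alice event=mfa_push result=denied src=203.0.113.7
2022-09-15T01:04:30Z user=alice event=mfa_push result=timeout src=203.0.113.7
2022-09-15T01:05:02Z user=alice event=mfa_push result=approved src=203.0.113.7
2022-09-15T01:10:00Z user=bob event=mfa_push result=denied src=198.51.100.4
2022-09-15T01:10:30Z user=bob event=mfa_push result=approved src=198.51.100.4
2022-09-15T02:00:00Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T02:00:20Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T02:00:40Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T02:01:00Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T02:01:20Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T02:01:40Z user=carol event=mfa_push result=timeout src=203.0.113.9
2022-09-15T03:00:00Z user=dave event=mfa_push result=approved src=192.0.2.10
"""

WINDOW = timedelta(minutes=10)  # look-back window for counting pushes per user (assumed)
THRESHOLD = 5                   # non-approved pushes inside WINDOW that count as bombing (assumed)


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str  # approved | denied | timeout
    src: str     # IP address the push was triggered from


def parse_log(text):
    """Parse key=value lines into PushEvents, oldest first; non-push events are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") != "mfa_push":
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(PushEvent(ts, kv["user"], kv["result"], kv.get("src", "?")))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: finding} for users showing push-bombing behaviour.

    kind="bombing":         at least `threshold` non-approved pushes inside `window`
    kind="fatigue_success": an approval arrives while such a burst is still inside
                            `window`, i.e. the user most likely gave in to the prompts
    """
    per_user = defaultdict(list)
    for e in events:
        per_user[e.user].append(e)

    findings = {}
    for user, evs in per_user.items():
        recent = []  # non-approved pushes still inside the window, oldest first
        for e in evs:
            recent = [r for r in recent if e.ts - r.ts <= window]
            if e.result == "approved":
                if len(recent) >= threshold:
                    findings[user] = {
                        "kind": "fatigue_success", "severity": "high",
                        "pushes": len(recent), "approved_at": e.ts.isoformat(),
                        "sources": sorted({r.src for r in recent} | {e.src}),
                    }
                continue
            recent.append(e)
            already_high = findings.get(user, {}).get("kind") == "fatigue_success"
            if len(recent) >= threshold and not already_high:
                findings[user] = {
                    "kind": "bombing", "severity": "medium",
                    "pushes": len(recent), "first_push": recent[0].ts.isoformat(),
                    "sources": sorted({r.src for r in recent}),
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(user, finding)
```

Only denied and timed-out pushes are counted, so a user who mis-taps one prompt and then approves the next (bob above) is not flagged; the distinguishing signal of a fatigue attack is the run of prompts the legitimate user never initiated. A "bombing" finding on its own is the cue to contact the user and reset the password that the attacker must already hold, while "fatigue_success" should be treated as an active intrusion. Preventive controls that make the technique far less effective are number matching on the push prompt and rate-limiting pushes per user.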

The methods used by Lapsus$ were the subject of a review by the US Cyber Safety Review Board in mid-2023.[5]

References

  1. "DEV-0537 criminal actor targeting organizations for data exfiltration and destruction". Microsoft Security Blog. 22 March 2022. Retrieved 24 March 2022.
  2. "Defending against attacks". Security Insider. Microsoft Security. 22 August 2022. Retrieved 8 October 2022.
  3. Goodin, Dan (4 March 2022). "Cybercriminals who breached Nvidia issue one of the most unusual demands ever". Ars Technica. Retrieved 14 March 2022.
  4. Winder, Davey (8 March 2022). "Samsung Confirms Massive Galaxy Hack After 190GB Data Torrent Shared Via Telegram". Forbes. Retrieved 14 March 2022.
  5. "Review of the attacks associated with Lapsus$ and associated threat groups" (PDF). CISA.gov. US Government Cyber Safety Review Board. Archived (PDF) from the original on 10 August 2023. Retrieved 11 August 2023.
  6. Goodin, Dan (18 November 2023). "The FCC says new rules will curb SIM swapping. I'm pessimistic". Ars Technica. Retrieved 19 November 2023.
  7. Krebs, Brian (23 March 2022). "A Closer Look at the LAPSUS$ Data Extortion Group". Krebs on Security. Retrieved 24 March 2022.
  8. "Brazil health ministry website hit by hackers, vaccination data targeted". Reuters. 11 December 2021. Retrieved 24 March 2022.
  9. Peters, Jay (24 March 2022). "Seven teenagers arrested in connection with the Lapsus$ hacking group".
  10. "Lapsus$: Court finds teenagers carried out hacking spree". BBC News. 23 August 2023. Retrieved 23 August 2023.
  11. "Lapsus$: GTA 6 hacker handed indefinite hospital order". BBC News. 21 December 2023.
  12. Mari, Angelica (10 December 2021). "Brazilian Ministry of Health suffers cyberattack and COVID-19 vaccination data vanishes". ZDNET. Retrieved 27 December 2023.
  13. Porter, Jon (22 March 2022). "Okta hack puts thousands of businesses on high alert". The Verge. Retrieved 22 March 2022.
  14. Newman, Lily Hay (28 March 2022). "Leaked Details of the Lapsus$ Hack Make Okta's Slow Response Look More Bizarre". Wired. Retrieved 1 April 2022.
  15. Clark, Mitchell (1 March 2022). "Nvidia says its 'proprietary information' is being leaked by hackers". The Verge.
  16. Gatlan, Sergiu (3 March 2022). "NVIDIA data breach exposed credentials of over 71,000 employees". BleepingComputer. Retrieved 21 September 2022.
  17. Glover, Claudia (7 March 2022). "Is Lapsus$ targeting Big Tech after Samsung breach?". Tech Monitor. Retrieved 14 March 2022.
  18. Sharma, Ax. "E-commerce giant Mercado Libre confirms source code data breach". BleepingComputer. Retrieved 23 March 2022.
  19. Peters, Jay (11 March 2022). "Ubisoft says it experienced a 'cyber security incident', and the purported Nvidia hackers are taking credit". The Verge. Retrieved 14 March 2022.
  20. Krebs, Brian (22 April 2022). "Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code". Krebs on Security. Retrieved 22 April 2022.
  21. Cox, Joseph (21 March 2022). "Microsoft Investigating Claim of Breach by Extortion Gang". Motherboard. Vice. Retrieved 21 March 2022.
  22. Clark, Mitchell; Lawler, Richard; Peters, Jay (22 March 2022). "Microsoft confirms Lapsus$ hackers stole source code via 'limited' access". The Verge. Vox Media. Retrieved 22 March 2022.
  23. Abrams, Lawrence. "Lapsus$ hackers leak 37GB of Microsoft's alleged source code". BleepingComputer. Retrieved 23 March 2022.
  24. Newman, Lily Hay (22 March 2022). "'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack". Wired. Retrieved 23 March 2022.
  25. Goodin, Dan (30 March 2022). "IT giant Globant discloses hack after Lapsus$ leaks 70GB of stolen data". Ars Technica. Retrieved 31 March 2022.
  26. "Uber says Lapsus$-linked hacker responsible for breach". Reuters. 17 September 2023. Retrieved 17 September 2023.
  27. Kan, Michael (20 September 2022). "Uber Blames Recent Breach on LAPSUS$ Hacking Group". PCMag. Ziff Davis. Archived from the original on 19 September 2022. Retrieved 19 September 2022.
  28. Robinson, Andy (19 September 2022). "Uber 'in contact with the FBI' over potential GTA 6 hacker". Video Games Chronicle. Gamer Network. Archived from the original on 19 September 2022. Retrieved 20 September 2022.
  29. Armughanuddin, Md (25 December 2023). "Rumor: GTA 5 Source Code and Other Rockstar Files Leak Online". Game Rant. Retrieved 26 December 2023.
  30. Newman, Lily Hay (15 March 2022). "The Lapsus$ Hacking Group Is Off to a Chaotic Start". Wired.
  31. "Most Wanted: LAPSUS$". www.fbi.gov. 21 March 2022. Archived from the original on 3 April 2022. Retrieved 5 April 2022.
  32. Turton, William; Robertson, Jordan (23 March 2022). "Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind". Bloomberg. Retrieved 23 March 2022.
  33. "16-year-old living with his mom is mastermind behind Lapsus$ Microsoft hack, cyber detectives say". Fortune. Archived from the original on 1 August 2022. Retrieved 8 October 2022.
  34. Tobin, Sam (11 July 2023). "Teen hacked Uber, Revolut and Grand Theft Auto maker, London court hears". Reuters. Retrieved 17 July 2023.
  35. Burt, Jeff (17 March 2022). "Lapsus$ gang sends a worrying message to would-be criminals". www.theregister.com.
  36. "Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal". BBC News. 24 March 2022. Retrieved 25 March 2022.
  37. "Lapsus$: Two UK teenagers charged with hacking for gang". BBC News. 1 April 2022.
  38. "PF prende brasileiro suspeito de integrar organização criminosa internacional" [Federal Police arrests Brazilian suspected of belonging to an international criminal organisation]. gov.br (in Brazilian Portuguese). 19 October 2022. Retrieved 27 December 2023.
  39. Gatlan, Sergiu (19 October 2022). "Brazil arrests suspect believed to be a Lapsus$ gang member". BleepingComputer. Retrieved 27 December 2023.
  40. Paganini, Pierluigi (11 March 2022). "Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders". Security Affairs. Retrieved 23 March 2022.
  41. "MFA Fatigue: Hackers' new favorite tactic in high-profile breaches". BleepingComputer. Retrieved 20 September 2022.
  42. Whittaker, Zack (19 September 2022). "How do you stop another Uber hack?". TechCrunch. Retrieved 20 September 2022.
  43. Goodin, Dan (11 August 2023). "How fame-seeking teenagers hacked some of the world's biggest targets". Ars Technica. Retrieved 11 August 2023.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Lapsus$&oldid=1281242546"