The curious name LAPSUS$
made huge headlines in March 2022 as the nickname of a hacking gang, or, in unvarnished words, as the label for a notorious and active collective of cybercriminals:
The name was somewhat unusual for a cybercrime crew, who commonly adopt handles that sound edgy and destructive, such as DEADBOLT, Satan, Darkside, and REvil.
As we mentioned back in March, however, lapsus is as good a modern Latin word as any for “data breach”, and the trailing dollar sign signifies both financial value and programming, being the traditional way of denoting that BASIC variable is a text string, not a number.
The gang, team, crew, posse, collective, gaggle, call it what you will, of attackers apparently presented a similar sort of ambiguity in their cybercriminality.
Sometimes, they seemed to show that they were serious about extorting money or ripping off cryptocurrency from their victims, but at other times they seemed simply to be showing off.
Microsoft admitted in March 2022 that it had been infiltrated by LAPSUS$, though the software giant referred to the group as DEV-5037, with the criminals apparently stealing gigabytes of source code.
Okta, a 2FA service provider, was another high-profile victim, where the hackers acquired RDP access to an support techie’s computer, and were therefore able to access a wide range of Okta’s internal systems as if they were logged in directly to Okta’s own network.
The hapless support techie didn’t work for Okta, but for a company contracted by Okta, so the attackers were essentially able to breach Okta’s network without breaching Okta itself.
Intriguingly, even though Okta’s breach happened in January 2022, neither Okta nor its contractor made any public admission of the intrusion for about two months, while a forensic examination took place…
…until LAPSUS$ apparently decided to pre-empt any official announcement by dumping screenshots to “prove” the breach, ironically on the very same day that Okta received the final forensic report from the contractor. (How, or if, LAPSUS$ got advance warning of the report’s delivery is unknown.)
Next on the attack docket was graphics chip vendor Nvidia, who apparently also suffered a data heist, followed by one of the weirdest ransomware-with-a-difference extortion demands on record, warning the company to “open-source your graphics driver code, or else”:
As we said in the Naked Security podcast (S3 Ep73):
Normally, the connection between cryptocurrency and ransomware is the crooks figure, “Go and buy some cryptocurrency and send it to us, and we’ll decrypt all your files and/or delete your data.” […]
But in this case, the connection with cryptocurrency was they said, “We’ll forget all about the massive amount of data we stole if you open up your graphics cards so that they can cryptomine at full power.”
Because that goes back to a change that Nvidia made last year [2021], which was very popular with gamers [by discouraging cryptominers from buying up all the Nvidia GPUs on the market for non-graphics purposes].
A different sort of cybercriminal?
For all that the online activities attributed to LAPSUS$ have been seriously and unashamedly criminal, the group’s post-exploitation behaviour often seemed rather old-school.
Unlike today’s multimillion-dollar ransomware attackers, whose primary motivations are money, money and more money, LAPSUS$ apparently aligned more closely with the virus-writing scene of the late 1980s and 1990s, where even highly destructive attacks were commonly conducted simply for bragging rights and “for the lulz”.
(The phrase for the lulz translates roughly as in order to provoke insultingly mirthful laughter, based on the acronym LOL
, short for “laughing out loud”.)
So, when the City of London Police announced, just two days after the not-so-mirthful-at-all screenshots of the Okta attack appeared, that it had arrested what sounded like a motley bunch of youngsters in the UK for allegedly being members of a hacking group…
…the world’s IT media quickly made a connection with LAPSUS$:
As far as we’re aware, UK law enforcement has never used the word LAPSUS$ in connection with the suspects in that arrest, noting back in March 2022 simply that “our enquiries remain ongoing.”
Nevertheless, an apparent link with LAPSUS$ was inferred from the fact that one of the youngsters busted was said to be 17 years old, and to hail from Oxfordshire in England.
Fascinatingly, a hacker of that age who allegedly lived in a town just outside Oxford, the city from which the surrounding county gets its name, had been outed by a disgruntled cybercrime rival not long before, in what’s known as a doxxing.
Doxxing is where a cybercriminal releases stolen personal documents and details on purpose, often in order to put an individual at risk of arrest by law enforcement, or in danger of retribution by ill-informed or malevolent opponents.
The doxxer leaked what he claimed was his rival’s home address, together with personal details and photos of him and close family members, as well as a bunch of allegations that he was some kind of linchpin in the LAPSUS$ crew.
LAPUS$ back in the spotlight
As you can imagine, the recent Uber hacking stories revived the name LAPSUS$, given that the attacker in that case was widely claimed to be 18 years old, and was apparently only interested in showing off:
As Chester Wisniewski explained in a recent podcast minisode:
[I]n this case, […] it seems to be “for the lulz”. […T]he person who did it was mostly collecting trophies as they bounced through the network – in the form of screenshots of all [the] different tools and utilities and programs that were in use around Uber – and posting them publicly, I guess for the street cred.
Shortly after the Uber hack, nearly an hour’s worth of what seemed to be video clips from the forthcoming video game GTA 6, apparently screen captures made for debugging and testing purposes, were leaked following a cyberintrusion at Rockstar Games.
Once again, the same young hacker, with the same presumed connection to LAPSUS$, was implicated in the attack.
This time, reports suggest that the hacker had more in mind merely than bragging rights, allegedly saying that they were “looking to negotiate a deal.”
So, when City of London Police tweeted earlier this week that they had “arrested a 17-year-old in Oxfordshire on suspicion of hacking”…
On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU).
He remains in police custody. pic.twitter.com/Zfa3OlDR6J
— City of London Police (@CityPolice) September 23, 2022
…you can imagine what conclusions the Twittersphere quickly reached.
Surely it must be the same person?!
The answer, ultimately, is that we don’t know whether there is just one suspect or two, or quite where the LAPSUS$ moniker comes into it, if indeed it is involved at all.
O, what a tangled web we weave/When first we practise to deceive.
LEARN HOW TO AVOID LAPSUS$-STYLE ATTACKS
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.