
The story of Lapsus$ ends as abruptly as it started. In a span of four months, the crime group breached some of the world’s largest tech companies. Last week, the first suspects were arrested. The end is in sight. How could it have come to this? Who’s calling the shots, and what do the victims have in common? We explore the rise and (probable) downfall of Lapsus$.

Lapsus$ reached headlines as a ‘ransomware group’. In reality, that description is a terrible fit. Lapsus$ attacked enormous organizations, but failed to cover its tracks. The group stole trade secrets, but freely gave away its loot. In one case, Lapsus$ extorted a victim — the demand, however, was never met.

The new arrestees are between 16 and 21 years old, which raises the question of how professional a teenager can truly be. Lapsus$ was capable enough to break into the world's largest tech companies, yet never managed to deploy ransomware at scale or to pressure its victims into meeting a demand.

Nonetheless, these teenagers are alleged to be complicit in the theft of 37GB of confidential Microsoft data, in the Okta breach that exposed customer information, and in attacks on Vodafone, Samsung and others.

There is much to learn from the seven large-scale attacks of the past four months, and Lapsus$'s true motive has become clear: money was welcome but an afterthought. The group sought attention.

How did Lapsus$ attack?

Lapsus$’s members proved to be resourceful. Security researchers at Unit 42 highlighted the diversity of their techniques. Most breaches involved buying or phishing account credentials. Multifactor authentication (MFA) was bypassed via social engineering, SIM swapping and even attacks on MFA providers.

Microsoft has a different take on things. In its own research, the organization concludes that Lapsus$ excelled at acquiring intelligence on victims' business operations. Social engineering was used to gain insight into employees, team structures, help desks, crisis workflows and supply chain paths, knowledge the group then used to impersonate insiders convincingly.

In one case, Lapsus$ flooded an account with MFA login prompts (so-called MFA fatigue or prompt bombing) until the system flagged the account as suspicious and required its credentials to be reset. Lapsus$ then called the help desk posing as the account owner, and the help desk, trying to be helpful, completed the takeover for them.
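The prompt-bombing pattern described above is detectable from an identity provider's authentication logs, because a single user suddenly receives far more push prompts than usual and eventually approves one after a run of refusals. The following is an added example written for this article, not code from Lapsus$, Microsoft, Okta or any MFA vendor. The log format (one line per event: ISO-8601 timestamp, username, result code), the result-code names and the tuning values are all assumptions, and the log lines are constructed for the example.

```python
"""Detect MFA push fatigue ("prompt bombing") in authentication logs.

Added example for this article; not vendor code. Log format, result codes
and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: look back 10 minutes per user
MAX_PUSHES = 5                  # assumed: more than 5 pushes in a window is a flood
UNANSWERED = {"PUSH_DENIED", "PUSH_TIMEOUT"}

# Constructed sample log: 'alice' is bombarded with pushes and finally gives in;
# 'bob' shows two ordinary, widely separated logins.
SAMPLE_LOG = """\
2022-03-01T02:10:05Z alice PUSH_SENT
2022-03-01T02:10:35Z alice PUSH_DENIED
2022-03-01T02:11:02Z alice PUSH_SENT
2022-03-01T02:11:40Z alice PUSH_TIMEOUT
2022-03-01T02:12:10Z alice PUSH_SENT
2022-03-01T02:12:45Z alice PUSH_DENIED
2022-03-01T02:13:20Z alice PUSH_SENT
2022-03-01T02:13:50Z alice PUSH_DENIED
2022-03-01T02:14:30Z alice PUSH_SENT
2022-03-01T02:15:05Z alice PUSH_DENIED
2022-03-01T02:16:00Z alice PUSH_SENT
2022-03-01T02:16:12Z alice PUSH_APPROVED
2022-03-01T09:00:00Z bob PUSH_SENT
2022-03-01T09:00:08Z bob PUSH_APPROVED
2022-03-01T13:30:00Z bob PUSH_SENT
2022-03-01T13:30:20Z bob PUSH_DENIED
"""


def parse_line(line):
    """Split '<timestamp> <user> <result>' into (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_fatigue(log_text, window=WINDOW, max_pushes=MAX_PUSHES):
    """Return a list of alert dicts, in log order.

    Two conditions are checked per user over a sliding time window:
      * 'flood': the number of PUSH_SENT events exceeds max_pushes
        (raised once, when the threshold is crossed);
      * 'approval_after_refusals': a PUSH_APPROVED that follows at least one
        denied or timed-out push inside the window, i.e. the user gave in.
    Events are assumed to arrive in chronological order.
    """
    pushes = defaultdict(deque)    # user -> timestamps of PUSH_SENT
    refusals = defaultdict(deque)  # user -> timestamps of DENIED / TIMEOUT
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, result = parse_line(line)
        # Expire events that have fallen out of the window for this user.
        for q in (pushes[user], refusals[user]):
            while q and ts - q[0] > window:
                q.popleft()
        if result == "PUSH_SENT":
            pushes[user].append(ts)
            if len(pushes[user]) == max_pushes + 1:
                alerts.append({"time": ts, "user": user, "type": "flood",
                               "pushes_in_window": len(pushes[user])})
        elif result in UNANSWERED:
            refusals[user].append(ts)
        elif result == "PUSH_APPROVED" and refusals[user]:
            alerts.append({"time": ts, "user": user,
                           "type": "approval_after_refusals",
                           "refusals_in_window": len(refusals[user])})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: an approval that arrives after a string of refusals is exactly the moment the attacker obtains a session, and it should trigger a session revocation and a call back to the user through a channel the attacker does not control. The flood alert on its own is also a signal to the help desk that any "I'm locked out, please reset my MFA" call for that account in the following hours deserves extra verification rather than less.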

How did Lapsus$ come up?

The group's name first gained attention in August 2021, when multiple security researchers received reports from customers of UK telecom provider EE Limited. The customers had received text messages signed 'Lapsus$' in which the group claimed to hold the recipients' personal data and promised to delete it if EE Limited paid four million dollars by August 20.

In December 2021, Lapsus$ claimed an attack on Brazil’s Ministry of Health. The crime group managed to infiltrate government systems, stealing data on the way out. Shortly after, the group attacked Portuguese media giant Impresa, Brazilian state-owned company Correios, and South American providers Claro and Embratel.

As a result, security researchers concluded that Lapsus$ was based in Brazil. Now, several months later, all signs point to a British origin; the South American attacks are plausibly explained by the recruitment of members there.

Onto the major league

In early March 2022, Lapsus$ claimed to possess over 1TB of private Nvidia data. The crime group threatened to leak the data unless Nvidia changed its products.

Lapsus$ demanded that Nvidia remove the Lite Hash Rate (LHR) limiter from its GPUs. LHR is a driver and firmware restriction that throttles the cards' Ethereum mining performance. Nvidia introduced it because cryptominers were buying up GPUs faster than the company could supply them, leaving too few for gamers and other consumers.

Nvidia acknowledged Lapsus$'s attack, but refused to comply with the demand. The organization expected "no impact on customers." That turned out to be an error of judgment. Lapsus$ leaked the stolen data, including two Nvidia code signing certificates, and multiple cybercriminals promptly used them to sign malware so that it would pass as legitimate Nvidia software on Windows PCs. Both certificates had already expired, but Windows still loads drivers signed with them, so defenders could not rely on revocation alone and had to block the certificates explicitly, for example through an application-control policy.

On March 20, Lapsus$ shared a screenshot of a Microsoft developer account through Telegram. Lapsus$ claimed to have access to Microsoft trade secrets, including Bing and Cortana source code. Microsoft launched an investigation and confirmed the data breach shortly after.

Two weeks before, Lapsus$ publicly called upon employees of major technology companies, including Microsoft. Lapsus$ was recruiting employees willing to leak VPN or Citrix access. In other words: moles, which the crime group presumably managed to find on multiple occasions.

On March 23, Okta confirmed that Lapsus$ had had the opportunity to access the data of up to 366 customers in early 2022. According to Okta's report, Lapsus$ had compromised the account of a support engineer at a third-party customer-support subcontractor. Though Okta had known about the incident since January, the culprit's identity only became clear when Lapsus$ openly claimed responsibility.

Is this the end?

Although Lapsus$ openly reported on its attacks and practices, the group managed to remain anonymous for months. That changed towards the end of March 2022.

Last week, several security experts agreed on the identity of Lapsus$'s leader: a 16-year-old boy living with his mother in southern England. In addition to the frontman, investigators traced a Brazilian teenager and five other suspects.

The members left plenty of traces for a successful manhunt. On March 25, British police arrested seven suspects ranging from 16 to 21 years old.

At the time of writing, details are scarce — as they should be. The early stages of criminal proceedings are extremely privacy-sensitive, especially when dealing with underage suspects. This article will be updated when new information becomes available.