Skip links

Devil-may-care Lapsus$ gang is not the aspirational brand infosec needs

Analysis The Lapsus$ cyber-crime gang, believed to be based in Brazil, until recently was best known for attacks on that country’s Ministry of Health and Portuguese media outlets SIC Noticias and Expresso.

However, the gang is climbing up the ladder, swinging at larger targets in the tech industry. Over the past few weeks, those have included Nvidia, Samsung, and Argentine online marketplace operator Mercado Libre. Now, Lapsus$ is suspected of attacking game developer Ubisoft.

Lapsus$ in February compromised Nvidia, stealing a terabyte of data that included proprietary information and employee credentials, and dumping some of the data online. The crew also demanded the GPU giant remove limits on crypto-coin mining from its graphics cards, and open-source its drivers.

Days later, the group broke into Samsung, hoping to unlock the secrets of its TrustZone secure environment, and eventually leaked almost 200GB of data, including algorithms related to its biometric technologies, source code for bootloaders, activation servers, and authentication for Samsung accounts, and source code given to chip-designing partner Qualcomm.

Ubisoft, whose games include Assassin’s Creed, Prince of Persia and Watch Dogs, last week said in a brief statement it had “experienced a cyber security incident that caused temporary disruption to some of our games, systems, and services. Our IT teams are working with leading external experts to investigate the issue.”

The development house added that all of its games and services were operating as normal despite the attack. The online criminals have reportedly claimed the disruption was their work.

Growing pains

The attacks on Nvidia, Samsung, and seemingly Ubisoft represent a sharp upward turn in terms of the size of Lapsus$’s targets.

Cybersecurity experts describe a still-maturing cybercriminal group that is testing its capabilities with a range of different attack methods – from data extortion to ransomware – and may be taking advantage of Russia’s invasion of Ukraine, which is distracting and diverting malware pushers and cybersecurity vendors alike.

“Based on their public behavior and communication observed from the group, it is believed that they are a completely new group and not simply a rebranded threat group,” Tyler Croak, principal strategist at cybersecurity vendor Lookout, told The Register.

“While the group seems to be mostly financially motivated, there are signs of additional motivations. For example, their early attacks had a heavier focus on data extortion and payment, but in their Nvidia attack we saw a demand for the organization to make their IP open source. This strays into hacktivist territory.”

The fact that they are using multi-faceted extortion tactics in their ransomware campaigns “shows that the group is not entirely aligned and is still maturing, but they are showing signs of evolving into a formidable threat group,” Croak said. “They are beginning to take advantage of multiple avenues to try to infiltrate and persist within an organization.”

That included issuing a statement recently offering money to employees at large corporations for their remote-access credentials, to signing malware with stolen certificates to get around security software, the experts said. 

“We have a group here that is flexing their muscles to build ‘street cred,’ has been profitable with ransoms, and seem to be untouchable at the moment,” Richard Fleeman, vice president at security advisory services provider Coalfire, told The Register.

Russian invasion blowback

Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd, said threat groups tend to keep their effort focused on primarily goals, enabling them to scale while minimizing their own attack surface. However, “judging by the access and exfiltration they’ve achieved, Lapsus$ is technically proficient, and their organizational structure – or general ‘devil may care’ – approach sees them attacking a wide variety of targets for a wide variety of stated reasons,” Ellis said.

Why the crooks are ramping up their attacks so quickly is still unclear. Ellis noted that the tech industry itself is highly technology-dependent, giving skilled attackers a broad array of options for exploitation and for ransomware and data exfiltration.

Others point to global attention being paid to Russia’s war on Ukraine. “Lapsus$’s behavior suggests a less mature organization than others we’ve seen, but the risks to their targets are just as real,” Casey Bisson, head of product and developer relations at cybersecurity firm BluBracket, told The Register.

They’re becoming an aspirational example to new potential actors around the world

“With the usual cybercrime suspects focused on the war in Ukraine and related targets, there’s room for less professional actors to step forward. In doing so, they’re becoming an aspirational example to new potential actors around the world.”

“Part of me wonders if they saw an opening created by ‘air cover’ of those conflicts in cyber-defense,” Ellis said. “Chaos creates an opportunity to create – and potentially get away with – more chaos.”

However, while Lapsus$ is showing itself to be a threat to major corporations, going after such high-profile targets puts itself into the spotlight. Ellis pointed to the government pressure put on the REvil ransomware group that led to the arrest of its members by Russian authorities this year, and an offensive cyber weapon used by the United States that knocked the group offline in 2021.

The size and number of Lapsus$’s targets are increasing, expanding the risk that they’ll be discovered and taken down.

“As we saw with the REvil group, if you poke a big enough bear, you can elicit a fairly devastating government and law enforcement response,” Ellis said.

BluBracket’s Bisson said Lapsus$ with its growing ambitions and capabilities is the latest example of how it often takes time for law enforcement to catch up with what miscreants are doing.

“Ninety years ago, Bonnie Parker and Clyde Barrow figured out how to weaponize the automobile against banks, and the legal system – constrained by state lines – was unprepared to deal with the mobile threat,” he said.

“Today, threat actors pursuing a broad mix of goals can attack enterprises and individuals [that are] continents away, and our legal system is similarly unprepared to deal with it. Lapsus$ shows us that we’re now facing a larger, even more distributed number of actors pursuing a broader mix of goals.” ®