Skip links

Lapsus$ extortionists dump data online as Samsung admits breach

Samsung has acknowledged its data was stolen after the Lapsus$ extortion gang deposited what appears to be 190GB of the company’s stolen internal files online.

“We were recently made aware that there was a security breach relating to certain internal company data,” said the Korean multinational in a statement this afternoon.

Lapsus$, previously known as the criminal crew that stole internal data from Nvidia in a separate ransomware attempt, published 190GB of files on Bittorrent, according to reports. Bleeping Computer reported the torrent contained “source code and related data” for Samsung Knox, the firm’s containerisation and security management framework, Bootloader, its Trusted Apps feature and more.

We have asked Samsung for further comment and will update this article if the chaebol responds. No detail in the statement given to CNBC directly addressed the question of what data was stolen.

Industry reaction was unhappy at the exposure of what appeared to be source code for security and remote management features of Galaxy smartphones. If source code for Samsung’s proprietary security features on its handsets has leaked, the company may be in trouble.

Chris Vaughan, EMEA area vice president of technical account management at US infosec firm Tanium opined: “I believe that this breach is genuine and it could cause significant damage to the company.”

He continued: “Some specific parts of the code that have been leaked are key security components for Samsung devices, this could make cracking and breaking into phones easier. I expect attackers to test if biometric security controls such as fingerprint and face ID can be bypassed. This could even be leveraged by law enforcement and could be a privacy concern for Samsung users.”

Jake Moore, Slovakian infosec firm ESET’s global cyber security advisor, said: “Data breaches like this often have a price tag attached but these bad actors have just gone straight to releasing the data without a ransom note, leaving the targeted victims scrambling around trying to reduce the impact where possible.”

Knox was admitted to the UK government’s security framework in 2014 for “official” (low level) classified data, with the US NSA following suit that year.

These efforts at breaking into what was then the Blackberry-dominated secure enterprise mobile device market eventually bore fruit in 2020; Google finally admitted Samsung, the world’s number 1 maker of Android smartphones, into its Android Enterprise Recommended programme. It is intended to provide enterprises with a readymade list of vendors whose products meet Google-approved security standards, including remote device management and inbuilt secure storage features.

Shane Curran, CEO of encryption firm, Evervault, said: “Strong encryption, when properly applied, is a business asset and a tool in the arsenal of successful companies. The widespread adoption of strong encryption will reduce the ongoing incentive for businesses to pay ransoms, a harmful tendency that promotes the global expansion of cybercriminal operations.”

So far there is no information about whether Lapsus$ has demanded a ransom from Samsung, as it did with Nvidia after stealing data from the chipmaker and threatening to leak it online unless anti-cryptominer features in GPU firmware were removed from current and future products.

Lapsus$ does not appear to follow the usual ransomware gang method of privately demanding a payoff to prevent data theft and leakage. The gang, which appeared to align itself to cryptocurrency miners’ interests, instead dumps data online as a means of ramping up pressure on its targets to do their bidding.

Data theft and leakage can have unintended consequences even from the attacker’s point of view; last week a code-signing certificate included in Lapsus$’s dump from Nvidia was being used to sign Windows malware, according to infosec industry sources. ®