
16-year-old from England masterminded Lapsus$ cyber-attacks

Lapsus$ is a hacker group responsible for recent data breaches at Microsoft, Nvidia, Okta, Ubisoft and Samsung.

March 24, 2022 / 13:54 IST

The cyber-attacks that have managed to breach the likes of Nvidia, Microsoft, Ubisoft and Samsung have been traced back to a 16-year-old living in Oxford, England.

Lapsus$, the hacker group responsible for the attacks, has pulled off a series of high-profile breaches and has leaked proprietary source code and data from the companies online.

According to Bloomberg, the mastermind behind the group is a teen who lives with his mother near Oxford University in England. Four security researchers investigating the breaches on behalf of the affected companies told the publication that they believed the teen was the mastermind.


What were the Lapsus$ attacks?

The group first surfaced in December 2021, attempting to extort Brazil's Ministry of Health. The group claimed to have deleted data that was needed to issue COVID vaccination certificates. The ministry later confirmed that it lost 50 TB of data in the attack. Lapsus$ also hacked into Claro, Brazil's prominent telecommunications operator.

Portugal's largest media conglomerate was the group's next target. Impresa owns the largest TV channel and newspaper in Portugal, SIC and Expresso. Lapsus$ hacked both their websites and their Twitter accounts.

The attacks then became more high-profile, targeting Nvidia first and then Samsung. Lapsus$ laid out a unique extortion demand, telling Nvidia that it wanted the company to remove Lite Hash Rate from its RTX 30 series graphics cards. Lite Hash Rate throttles the speed at which cryptocurrency can be mined, making the cards undesirable for crypto mining.

Failure to comply would result in the group posting Nvidia's source code and designs online. As proof, the group leaked the source code of Nvidia's DLSS 2.0 feature. The group also demanded that Nvidia open-source its drivers for macOS, Windows and Linux.

In the case of the Samsung attack, the group posted nearly 190GB of sensitive information online, including source code and details on various projects.

Since then, the group has moved on to attack Microsoft, Okta and Ubisoft. In a blog post, Microsoft said that it had managed to limit the extent of the attack and interrupt the source code downloads because Lapsus$ publicly discussed their attack on a Telegram channel.

What methods did Lapsus$ use?

According to Microsoft, Lapsus$ sets up most attacks and gains access to sensitive servers through social engineering. This is a broad term that includes bribing or tricking employees at the organisation and third-party partners like customer support centres.

The Lapsus$ Telegram channel has more than 45,000 subscribers and even hosts an ad for the recruitment of insiders at large companies. Sources cited by the publication KrebsOnSecurity said that the group had also been recruiting insiders on social media platforms since November 2021.

Cyber intelligence firm Flashpoint says that Lapsus$ does not operate a traditional "clearnet or darknet leak site," and operates solely using Telegram and email.

Microsoft points out that in some cases the group first "targeted and compromised an individual's personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems. Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions."

Lapsus$ also targets help desks and support centres since most organisations outsource these functions. Microsoft said that it had observed the group calling and attempting to convince personnel to reset passwords for a privileged account.

If that wasn't enough, Lapsus$ also used a technique known as SIM swapping that let them gain access to key accounts at large organisations. The technique involves bribing mobile phone company employees into transferring an individual's phone number to another device.

This allows them to intercept all communications sent to that number, including texts and calls. With the number in hand, groups like Lapsus$ can gain access to accounts by completing the password resets and two-factor authentication prompts that are delivered to it.
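The recovery weaknesses described in the last three paragraphs (second factors and recovery paths routed through personal accounts or phone numbers, and help-desk resets of privileged accounts) are things a defender can audit for. The script below is an added example written for this article, not code from Microsoft, Bloomberg or the article's author: it flags account records whose second factor or recovery path a SIM swap could intercept, and scans constructed help-desk log lines for privileged-account recovery actions requested over the phone with only weak caller verification. The account records, the key=value log format, the domain `example-corp.test` and all ticket ids are constructed sample data.

```python
"""Defender-side audit for the account-recovery exposures discussed above.
Added example; not code from the article, Microsoft or Bloomberg.
All records and log lines are constructed sample data."""
import re
from dataclasses import dataclass

# Assumption: these are the organisation's own mail domains.
CORPORATE_DOMAINS = {"example-corp.test"}
# Second factors that a SIM swap or number port can intercept.
PHONE_FACTORS = {"sms", "voice"}
# Caller checks a help desk might accept that do not prove identity.
WEAK_VERIFICATION = {"none", "caller_id", "knowledge_questions"}
# Help-desk actions that take over an account if granted to an impostor.
RECOVERY_ACTIONS = {"password_reset", "mfa_enroll"}


@dataclass
class Account:
    user: str
    privileged: bool
    second_factor: str      # "sms", "voice", "totp", "fido2", ...
    recovery_email: str
    recovery_phone: str = ""


def audit_accounts(accounts):
    """Return (user, severity, reason) findings for SIM-swap and
    personal-account recovery exposure; privileged accounts rate higher."""
    findings = []
    for a in accounts:
        sev = "high" if a.privileged else "medium"
        if a.second_factor in PHONE_FACTORS:
            findings.append((a.user, sev, "phone-based second factor exposed to SIM swap"))
        domain = a.recovery_email.rsplit("@", 1)[-1].lower()
        if domain not in CORPORATE_DOMAINS:
            findings.append((a.user, sev, "recovery routed to a personal mailbox"))
        if a.privileged and a.recovery_phone:
            findings.append((a.user, "medium", "privileged account has a phone recovery path"))
    return findings


LOG_RE = re.compile(r"(\w+)=(\S+)")


def parse_reset_log(line):
    """Parse one constructed '<timestamp> key=value ...' help-desk log line."""
    ts, _, rest = line.partition(" ")
    fields = dict(LOG_RE.findall(rest))
    fields["ts"] = ts
    fields["privileged"] = fields.get("privileged", "false").lower() == "true"
    return fields


def flag_helpdesk_resets(lines):
    """Return ticket ids of privileged-account recovery actions requested
    over the phone and approved with only weak verification."""
    flagged = []
    for line in lines:
        ev = parse_reset_log(line)
        if ev.get("action") not in RECOVERY_ACTIONS:
            continue
        if (ev["privileged"] and ev.get("channel") == "phone"
                and ev.get("verification") in WEAK_VERIFICATION):
            flagged.append(ev["ticket"])
    return flagged


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    Account("svc-admin", True, "sms", "admin.home@personalmail.test", "+15550100"),
    Account("a.lee", False, "totp", "a.lee@example-corp.test"),
    Account("ops-root", True, "fido2", "ops@example-corp.test"),
    Account("b.kim", False, "sms", "b.kim@example-corp.test"),
]

SAMPLE_RESET_LOG = [
    "2022-03-22T10:14:03Z ticket=HD-1042 action=password_reset target=svc-admin channel=phone verification=caller_id privileged=true",
    "2022-03-22T10:20:11Z ticket=HD-1043 action=password_reset target=a.lee channel=portal verification=mfa privileged=false",
    "2022-03-22T11:02:45Z ticket=HD-1044 action=password_reset target=ops-root channel=phone verification=callback_manager privileged=true",
    "2022-03-22T11:30:00Z ticket=HD-1045 action=mfa_enroll target=ops-root channel=phone verification=none privileged=true",
]

if __name__ == "__main__":
    for user, sev, reason in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"[{sev}] {user}: {reason}")
    print("tickets to review:", flag_helpdesk_resets(SAMPLE_RESET_LOG))
```

On the sample data the audit reports the service account with an SMS factor and a personal recovery mailbox as high severity and flags the two phone-channel tickets that reset or re-enrolled a privileged account without a callback or manager approval; the ticket verified by a manager callback is left alone.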

Besides these, the group is also known to deploy password-stealing malware, search leaked repositories online for usable passwords and even purchase credentials from dark web forums.


Who is Lapsus$?

The group's ringleader uses various aliases online but two of the most common ones have been connected with the attacks - "WhiteDoxbin" and "breachbase".

According to Microsoft, unlike other hacker groups that go to great lengths to hide their tracks, Lapsus$ announces its intentions and targets online. It also advertises freely on Telegram to recruit insiders at larger companies. Members have even joined the Zoom calls of company meetings and security consultants to taunt them.

Two of the security researchers who spoke with Bloomberg said that the group has "poor operational security", which allowed cybersecurity experts to track the teen hacker.

Interestingly, WhiteDoxbin seems to have been the victim of a doxing attack himself. Doxing is the practice of posting someone's private information online; this may include pictures, addresses or social security numbers.

WhiteDoxbin was the owner of Doxbin, a long-running website that hosts compromised and sensitive private information of thousands of people online. WhiteDoxbin had to reluctantly sell the site back to its previous owner at a loss, after the users complained he wasn't a good administrator.

Out of spite, WhiteDoxbin leaked the entire Doxbin data set online, angering its users, who responded in kind. The site's community carried out a ferocious doxing attack that included posting pictures and even videos revealing his identity and address online.

The Doxbin community also told researchers that WhiteDoxbin made his name by buying and selling zero-day exploits, which target security flaws in software and hardware that the manufacturers were not yet aware of.

WhiteDoxbin's name has also been linked with a defunct cyber criminal group called Recursion Team, which specialised in SIM swapping and fake bomb threats and hostage scenarios for swatting attacks. Swatting attacks involve calling law enforcement and presenting them with fake evidence on an individual, inviting potentially hostile force on the victim.

Bloomberg also attempted to get in touch with WhiteDoxbin's mother, who refused its requests for an interview. She told the publication that she was "unaware of any allegations against her son" and was disturbed at seeing photos of "her home and the teen's father" in the leaked Doxbin posts.

The mother said that the teenager lived at the address and had been harassed by many others. She declined to make her son available for an interview.

While WhiteDoxbin's identity has not been disclosed, since he is a minor and has not been officially accused of any crime, researchers told Bloomberg that seven other unique accounts have been linked to the group. One of them, they believe, is a teen who lives in Brazil. Another member is supposedly so skilled a hacker that they fooled security researchers into thinking the work was automated.


Rohith Bhaskar
first published: Mar 24, 2022 01:40 pm
