The curious title
LAPSUS$ made large headlines in March 2022 because the nickname of a hacking gang, or, in unvarnished phrases, because the label for a infamous and energetic collective of cybercriminals:
The title was considerably uncommon for a cybercrime crew, who generally undertake soubriquets that sound edgy and damaging, similar to DEADBOLT, Devil, Darkside, and REvil.
As we talked about again in March, nonetheless, lapsus is pretty much as good a contemporary Latin phrase as any for “knowledge breach”, and the trailing greenback signal signifies each monetary worth and programming, being the standard manner of denoting that BASIC variable is a textual content string, not a quantity.
The gang, group, crew, posse, collective, gaggle, name it what you’ll, of attackers apparently offered the same form of ambiguity of their cybercriminality.
Generally, they appeared to indicate that they have been critical about extorting cash or ripping off cryptocurrency from their victims, however at however at different occasions they appeared merely to be exhibiting off.
Microsoft admitted on the time that it had been infiltrated by LAPSUS$, although the software program big referred to the group as DEV-5037, with the criminals apparently stealing gigabytes of supply code.
Okta, a 2FA service supplier, was one other high-profile sufferer, the place the hackers acquired RDP entry to an assist techie’s pc, and have been subsequently capable of entry a variety of Okta’s inner programs as in the event that they have been logged in on to Okta’s personal community.
That assist techie didn’t work for Okta, however for a corporation contracted by Okta, in order that the attackers have been basically capable of breach Okta’s community with out breaching Okta itself.
Intriguingly, although Okta’s breach occurred in January 2022, neither Okta nor its contractor made any public admission of the breach for about two months, whereas a forensic examination occurred…
…till LAPSUS$ apparently determined to pre-empt any official announcement by dumping screenshots to “show” the breach, satirically on the exact same day that Okta acquired the ultimate forensic report from the contractor (how, or if, LAPSUS$ acquired advance warning of the report’s supply is unknown):
Subsequent on the assault docket was graphics chip vendor Nvidia, who apparently additionally suffered a knowledge heist, adopted by one of many weirdest ransomware-with-a-difference extortion calls for on report – open-source your graphics driver code, or else:
As we stated within the Bare Safety podcast (S3 Ep73):
Usually, the connection between cryptocurrency and ransomware is the crooks determine, “Go and purchase some cryptocurrency and ship it to us, and we’ll decrypt all of your recordsdata and/or delete your knowledge.” […]
However on this case, the reference to cryptocurrency was they stated, “We’ll overlook all in regards to the large quantity of information we stole should you open up your graphics playing cards in order that they will cryptomine at full energy.”
As a result of that goes again to a change that Nvidia made final yr , which was very talked-about with players [by discouraging cryptominers from buying up all the Nvidia GPUs on the market for non-graphics purposes].
A special form of cybercriminal?
For all that the net actions attributed to LAPSUS$ have been severely and unashamedly felony, the group’s post-exploitation behaviour usually appeared slightly old-school.
Not like in the present day’s multimillion-dollar ransomware attackers, whose major motivations are cash, cash and more cash, LAPSUS$ apparently aligned extra carefully with the virus-writing scene of the late Nineteen Eighties and Nineties, the place assaults have been generally performed merely for bragging rights and “for the lulz”.
(The phrase for the lulz interprets roughly as to be able to provoke insultingly mirthful laughter, based mostly on the acronym
LOL, brief for “laughing out loud”.)
So, when the Metropolis of London Police introduced, simply two days after the not-so-mirthful-at-all screenshots of the Okta assault appeared, that it had arrested what appeared like a motley bunch of children within the UK for allegedly being members of a hacking group…
…the world’s IT media rapidly made a reference to LAPSUS$:
So far as we’re conscious, UK regulation enforcement has by no means used the phrase LAPSUS$ in reference to the suspects in that arrest, noting again in March 2022 merely that “our enquiries stay ongoing.”
However, an obvious hyperlink with LAPSUS$ was inferred from the truth that one of many children busted was stated to be 17 years outdated, and to hail from Oxfordshire in England.
Fascinatingly, a hacker of that age who allegedly lived in a city simply exterior Oxford, town from which the encircling county will get its title, had been outed by a disgruntled cybercrime rival not lengthy earlier than, in what’s often called a doxxing.
Doxxing is the place a cybercriminal releases stolen private paperwork and particulars on goal, usually to be able to put a person liable to arrest by regulation enforcement, or at risk of retribution by ill-informed or malevolent opponents.
The doxxer leaked what he claimed was his rival’s residence deal with, along with private particulars and pictures of him and shut relations, in addition to a bunch of allegations that he was some type of linchpin within the LAPSUS$ crew.
LAPUS$ again within the highlight
As you’ll be able to think about, the current Uber hacking tales revived the title LAPSUS$, on condition that the attacker in that case was extensively claimed to be 18 years outdated, and was apparently solely keen on exhibiting off:
As Chester Wisniewski defined in a current podcast minisode:
[I]n this case, […] it appears to be “for the lulz”. […T]he one that did it was principally gathering trophies as they bounced by the community – within the type of screenshots of all [the] completely different instruments and utilities and applications that have been in use round Uber – and posting them publicly, I suppose for the road cred.
Shortly after the Uber hack, almost an hour’s price of what appeared to be video clips from the forthcoming recreation GTA6, apparently display captures made for debugging and testing functions, have been leaked following an intrusion at Rockstar video games.
As soon as once more, the identical younger hacker, with the identical presumed connection to LAPSUS$, was implicated within the assault.
This time, stories recommend that the hacker had extra in thoughts merely than bragging rights, allegedly saying that they have been “seeking to negotiate a deal.”
So, when Metropolis of London Police tweeted earlier this week that that they had “arrested a 17-year-old in Oxfordshire on suspicion of hacking”…
On the night of Thursday 22 September 2022, the Metropolis of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as a part of an investigation supported by the @NCA_UK’s Nationwide Cyber Crime Unit (NCCU).
He stays in police custody. pic.twitter.com/Zfa3OlDR6J
— Metropolis of London Police (@CityPolice) September 23, 2022
…you’ll be able to think about what conclusions the Twittersphere rapidly reached.
It should be the identical particular person!
In any case, what’s the possibility that we’re speaking about two completely different and unconnected suspects right here?
The one factor we don’t know is kind of the place the LAPSUS$ moniker comes into it, if certainly it’s concerned in any respect.
O, what a tangled net we weave/When first we practise to deceive.
LEARN HOW TO AVOID LAPSUS$-STYLE ATTACKS
Click on-and-drag on the soundwaves under to skip to any level. You may as well hear instantly on Soundcloud.
This is a technique we predict you'll be able to estimate the chance that the suspect within the two arrests is identical particular person. We'd like P, the inhabitants of Oxfordshire. (We assume that by saying "Oxfordshire", the police considerably parochially meant "the county districts excluding Oxford Metropolis within the centre of the area", or else they'd have merely stated he was "from Oxford".) We'd like A, an estimate of the proportion of individuals in the area who're at present aged 17. We'd like M, an estimate of the proportion of males within the inhabitants. (The police tweet says "he's in custody".) Then we've to attempt to determine, from that particular cohort of individuals, the next chances: F = Prob(these with the wanted persistence and abilities and who're actively into felony hacking) G = Prob(felony hackers of this sort within the area who get caught) H = Prob(those that proceed hacking and bragging after getting bail for doing simply that) Based mostly on native authorities census knowledge and country-wide age statistics, we get: P = 563,000 (Cherwell District + Vale of White Horse + West Oxon + South Oxon) A = 0.05 (5%) M = 0.5 (one half, or 50%) F = 0.01 (1%) G = 0.10 (10%) H = 0.10 (10%) You'll be able to plug in your individual estimates for the above (our 5% for 17-year-olds band might be too excessive, because the stats we used solely have a band masking 15-17) however we labored out the scale of the set merely as: P×A×M×F×G×H. With our guesses, you get 563,000 × 5% × 50% × 1% × 10% × 10% That comes out at 1.4 folks. We expect that is a 70% (1/1.4) likelihood it is the identical particular person. Inhabitants: https://perception.oxfordshire.gov.uk/cms/inhabitants Demography: https://www.ethnicity-facts-figures.service.gov.uk/uk-population-by-ethnicity/demographics/age-groups/newest