The Lapsus$ group is in the spotlight. After breaking into systems at Brazil’s Ministry of Health, at Nvidia and even at Microsoft, the authorities are hunting the group’s hackers. That work is already paying off: digital security experts and police have found evidence that the gang is led by teenagers. At least one of them is believed to be Brazilian.
It is ironic that Microsoft was one of the targets of Lapsus$, as the company’s digital security teams had been investigating the group for a few weeks.
But it was precisely Microsoft that revealed important details of the hackers’ modus operandi: although they do not rule out other approaches, they prefer social engineering tactics to claim their victims.
Microsoft also pointed to an unusual detail: contrary to what is common among hackers, the group does not seem to care about hiding its tracks. This may have been Lapsus$’ biggest mistake.
Lapsus$ leader said to be a 16-year-old
On Thursday, London police released the following statement: “Seven people aged between 16 and 21 have been arrested in line with an investigation into a hacking group.”
The group under investigation is precisely Lapsus$. A 16-year-old boy who lives in the Oxford area has been accused of being one of the leaders of the group.
London authorities did not say whether this young man was among the seven people arrested, nor did they reveal his identity, for legal reasons.
It is known, however, that the young man identifies himself on the internet as White or Breachbase and, because he is a person with autism, he attends a special education school, also in Oxford.
The fact that information about the teenager, including his home address, had been published on the internet by rival hackers may have contributed to his identification.
The BBC even spoke to the teenager’s father, who said that until then he had not known that his son was involved in this type of activity:
I had never heard about it until recently. He never talked about hacking, but he is very good with computers and spent a lot of time on the computer. I always thought he was playing.
Rivals who published data on White also claimed that he holds more than 300 bitcoins, which today amounts to almost R$62 million.
It was probably only a matter of time before the authorities got to the young man. That is because the digital security firm Unit 221B said it had been tracking White’s actions for nearly a year (before Lapsus$ was formed) and had periodically sent alerts about his crimes to the police.
According to Allison Nixon, director of research at Unit 221B, White erred in not covering his tracks. That’s what made it possible for him to be tracked.
Lapsus$ announces “vacation”
Investigations continue, of course. Investigators want to determine the extent of the damage done by the group and identify its other members. The authorities are known to suspect that at least one of them is a teenager living in Brazil, although so far there is no information about any investigation in the country.
It would not be surprising if one or more members were identified in Brazil. After all, the group became known in late 2021 after breaking into the Ministry of Health’s systems and leaving the ConectSUS tool inaccessible for about two weeks. At the time, the gang also acted against organizations in the UK and South Africa.
In any case, the police actions seem to have put the group on alert. In a message posted on Telegram — a channel with nearly 50,000 participants — Lapsus$ stated:
Some of our members are on vacation until 3/30/2022.
We have to be quiet every now and then.
Thanks for understanding us — we’ll try to leak stuff as soon as possible.
Whether this, in practice, means that Lapsus$ will be out of the picture for good, only time will tell. But even if that happens, the group’s actions will be felt for quite some time, so much so that some security experts are already starting to question current protective measures.
That is the case of Brian Krebs, who commented on Twitter: “this [Lapsus$’s actions] forces us to change our thinking about internal access.” It is precisely deficiencies in access control to systems that the group has exploited most often to carry out its intrusions.
Sources: Bloomberg, BBC.