The curious name LAPSUS$ made huge headlines in March 2022 as the nickname of a hacking gang, or, in unvarnished words, as the label for a notorious and active collective of cybercriminals:
The name was somewhat unusual for a cybercrime crew, who commonly adopt handles that sound edgy and destructive, such as DEADBOLT, Satan, Darkside, and REvil.
As we mentioned back in March, however, lapsus is as good a modern Latin word as any for “data breach”, and the trailing dollar sign signifies both financial value and programming, being the traditional way of denoting that BASIC variable is a text string, not a number.
The gang, team, crew, posse, collective, gaggle, call it what you will, of attackers apparently presented a similar sort of ambiguity in their cybercriminality.
Sometimes, they seemed to show that they were serious about extorting money or ripping off cryptocurrency from their victims, but at other times they seemed simply to be showing off.
Microsoft admitted in March 2022 that it had been infiltrated by LAPSUS$, though the software giant referred to the group as DEV-5037, with the criminals apparently stealing gigabytes of source code.
Okta, a 2FA service provider, was another high-profile victim, where the hackers acquired RDP access to an support techie’s computer, and were therefore able to access a wide range of Okta’s internal systems as if they were logged in directly to Okta’s own network.
The hapless support techie didn’t work for Okta, but for a company contracted by Okta, so the attackers were essentially able to breach Okta’s network without breaching Okta itself.
Intriguingly, even though Okta’s breach happened in January 2022, neither Okta nor its contractor made any public admission of the intrusion for about two months, while a forensic examination took place…
…until LAPSUS$ apparently decided to pre-empt any official announcement by dumping screenshots to “prove” the breach, ironically on the very same day that Okta received the final forensic report from the contractor. (How, or if, LAPSUS$ got advance warning of the report’s delivery is unknown.)
Next on the attack docket was graphics chip vendor Nvidia, who apparently also suffered a data heist, followed by one of the weirdest ransomware-with-a-difference extortion demands on record, warning the company to “open-source your graphics driver code, or else”:
As we said in the Naked Security podcast (S3 Ep73):
Normally, the connection between cryptocurrency and ransomware is the crooks figure, “Go and buy some cryptocurrency and send it to us, and we’ll decrypt all your files and/or delete your data.” […]
But in this case, the connection with cryptocurrency was they said, “We’ll forget all about the massive amount of data we stole if you open up your graphics cards so that they can cryptomine at full power.”
Because that goes back to a change that Nvidia made last year [2021], which was very popular with gamers [by discouraging cryptominers from buying up all the Nvidia GPUs on the market for non-graphics purposes].
A different sort of cybercriminal?
For all that the online activities attributed to LAPSUS$ have been seriously and unashamedly criminal, the group’s post-exploitation behaviour often seemed rather old-school.
Unlike today’s multimillion-dollar ransomware attackers, whose primary motivations are money, money and more money, LAPSUS$ apparently aligned more closely with the virus-writing scene of the late 1980s and 1990s, where even highly destructive attacks were commonly conducted simply for bragging rights and “for the lulz”.
(The phrase for the lulz translates roughly as in order to provoke insultingly mirthful laughter, based on the acronym LOL, short for “laughing out loud”.)
So, when the City of London Police announced, just two days after the not-so-mirthful-at-all screenshots of the Okta attack appeared, that it had arrested what sounded like a motley bunch of youngsters in the UK for allegedly being members of a hacking group…
…the world’s IT media quickly made a connection with LAPSUS$:
As far as we’re aware, UK law enforcement has never used the word LAPSUS$ in connection with the suspects in that arrest, noting back in March 2022 simply that “our enquiries remain ongoing.”
Nevertheless, an apparent link with LAPSUS$ was inferred from the fact that one of the youngsters busted was said to be 17 years old, and to hail from Oxfordshire in England.
Fascinatingly, a hacker of that age who allegedly lived in a town just outside Oxford, the city from which the surrounding county gets its name, had been outed by a disgruntled cybercrime rival not long before, in what’s known as a doxxing.
Doxxing is where a cybercriminal releases stolen personal documents and details on purpose, often in order to put an individual at risk of arrest by law enforcement, or in danger of retribution by ill-informed or malevolent opponents.
The doxxer leaked what he claimed was his rival’s home address, together with personal details and photos of him and close family members, as well as a bunch of allegations that he was some kind of linchpin in the LAPSUS$ crew.
LAPUS$ back in the spotlight
As you can imagine, the recent Uber hacking stories revived the name LAPSUS$, given that the attacker in that case was widely claimed to be 18 years old, and was apparently only interested in showing off:
As Chester Wisniewski explained in a recent podcast minisode:
[I]n this case, […] it seems to be “for the lulz”. […T]he person who did it was mostly collecting trophies as they bounced through the network – in the form of screenshots of all [the] different tools and utilities and programs that were in use around Uber – and posting them publicly, I guess for the street cred.
Shortly after the Uber hack, nearly an hour’s worth of what seemed to be video clips from the forthcoming video game GTA 6, apparently screen captures made for debugging and testing purposes, were leaked following a cyberintrusion at Rockstar Games.
Once again, the same young hacker, with the same presumed connection to LAPSUS$, was implicated in the attack.
This time, reports suggest that the hacker had more in mind merely than bragging rights, allegedly saying that they were “looking to negotiate a deal.”
So, when City of London Police tweeted earlier this week that they had “arrested a 17-year-old in Oxfordshire on suspicion of hacking”…
On the evening of Thursday 22 September 2022, the City of London Police arrested a 17-year-old in Oxfordshire on suspicion of hacking, as part of an investigation supported by the @NCA_UK’s National Cyber Crime Unit (NCCU).
He remains in police custody. pic.twitter.com/Zfa3OlDR6J
— City of London Police (@CityPolice) September 23, 2022
…you can imagine what conclusions the Twittersphere quickly reached.
Surely it must be the same person?!
The answer, ultimately, is that we don’t know whether there is just one suspect or two, or quite where the LAPSUS$ moniker comes into it, if indeed it is involved at all.
O, what a tangled web we weave/When first we practise to deceive.
LEARN HOW TO AVOID LAPSUS$-STYLE ATTACKS
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
Fred
When you write:
‘After all, what’s the chance that we’re talking about two different and unconnected suspects here?’
I want to comment on the principle of this remark, so I will answer ‘the chance isn’t zero so it’s possible’.
Example:
If you say ‘one in a billion probability of error’ to jail suspects until the 999’999’999th time…
Then what says that on your next 1 billionth use of your logic there won’t be 1 billion people claiming that they were the only single errorneous one?
Jailed individuals can afterwards very well be like:
‘You said one chance in a billion to jail us all. Now you used your method 1 billion times. I therefore claim that I’m the one error in your billion.’
It’s sarcastic, but ‘unlikely’ doesn’t mean ‘not possible’.
Unless there’s zero chance then *there is* a possibility of being wrong.
Probability isn’t proof and accepting probability as good-faith evidence cans lead to a very slippery slope.
With digital offenses, you simply can’t know for sure whether the suspect was aware of anything just by using probability.
Paul Ducklin
The tone of that sentence was meant to be satirical, of course…
…but in the original article I actually had an addendum in which I attempted to compute the probability that it was indeed the same suspect who was arrested for both these hacking attempts. (The fact that there have been two arrests is not in doubt. The issue, regardless of guilt, is “Was the same person arrested both times?”
As an aside, the use of probabilities to assess evidence in criminal trials is not in itself flawed… the problem is whether the probabilities presented were actually correct, whether they genuinely represented what was claimed, and whether multiple probabilities had been combined properly. For example, the fact that your DNA showed up at a crime scene might be used to overestimate the probability that you were ever actually at the location at all, let alone a suspect. Even if the DNA has a 100% chance of being yours, the relevance of that “proof” to the probability that you were involved in any way might be zero. (IIRC there was an infamous case in Germany where a serial killer suspect turned out to be a worker in a factory where the forensic swabs were made. And a case in London where a “suspect’s” DNA under a murder victim’s fingernails tragically turned out to be DNA from an earlier murder victim whose mortal remains has been analysed in the same forensic pathology lab.)
I removed my attempt to estimate that there was just one suspect in this matter rather than two (I started with the number of 17-year-old males in Oxfordshire, which is almost certainly no greater than 14,000) because there were some factors that were too hard to estimate or include, such as the probability that the suspect in the first arrest was actually innocent (which would increase the pool of initial suspects).
As I hope the article makes clear, there are lots of coincidences here, most notably the timing of the announcements against the global interest in LAPSUS$.
In other words, the big deal is to defend yourself against any and all attacks of this sort, whether they’re down to LAPSUS$ in general, or to our 17-year-old Oxfordshire suspect or suspects in particular (or at all).
Paul Ducklin
I’ve edited that sentence in the article. Just in case, I now simply make it clear that we don’t yet know if there is one suspect or two, or what connection exists with alleged LAPSUS$ activities, if any,
P
As a non-native speaker it was easy to detect the satirical tone, but I pretty much enjoy satire and irony (gets you into lots of trouble in written communication by the way).
One thing maybe to add to the original posters arguments: even in court cases “beyond a reasonable doubt” just means that what it says, not that there can’t be any doubt. And in civil cases it is even more relaxed: the side which convinces the judge more wins (maybe even with perfect 50-50 calculation the judge has to make a ruling).
Paul Ducklin
The phrase “beyond reasonable doubt” was apparently widely used by judges in English courts when explaining to juries that they needed to be certain of their decision before voting to convict. But I don’t think judges have been using those words for a while now, with current guidelines suggesting that juries be told they must be “satisfied that they are sure”instead.
Andy
What surprises me:
Is there actually no 100% protection against such attacks and does one not need special experience (university degree) or can anyone carry out such attacks?
I’m just a layman, maybe someone can explain this to me.
Paul Ducklin
An attacker with patience and the right sort of “sales schpiel” can often persuade people to bypass security on purpose, using a mixture of helpfulness and pressure. Or, if that doesn’t work, a mixture of bribery and blackmail…