The Lapsus$ hacker group gets off to a chaotic start

“This group operates on a foundation of trust and influence,” said Charles Carmakal, senior vice president and CTO of cybersecurity firm Mandiant. “They brag to their friends and if they get money they will take it, but money doesn’t seem to be the only or even the main driver. So a victim company that wants to negotiate with them and might consider paying them probably won’t get the result they’re hoping for.”

This thirst for fame makes Lapsus$ particularly reckless and destructive. Although they don’t encrypt systems, Lapsus$ has deleted files and virtual machines and generally caused “a lot of chaos,” as Carmakal puts it.

Just days after it began leaking Nvidia data, Lapsus$ also announced that it had stolen 190 gigabytes of data from Samsung, including bootloader source code and algorithms for the biometric authentication system for the Galaxy line of smartphones. Samsung confirmed last week that it had suffered a breach.

A few days later, Ubisoft joined the fray. “Last week, Ubisoft experienced a cybersecurity incident that caused a temporary disruption to some of our games, systems and services,” the company wrote in a statement Thursday. “As a precaution, we have initiated a company-wide password reset … There is no evidence that players’ personal information was accessed or disclosed as a byproduct of this incident.”

Specific details about the group remain scarce for now. Researchers suspect that Lapsus$ is based in South America, potentially in Brazil, and say there may be a few members in Europe as well, perhaps in Portugal. Lapsus$ does not have a home page on the dark web for posting samples of leaked data and negotiating with victims. Instead, in an unorthodox move for ransomware groups, the gang uses Telegram for most of its public operations.

“One unusual trend of Lapsus$ is the use of Telegram to broadcast the identity of victims,” says Digital Shadows’ Peh. “Misuse of a legitimate tool like Telegram ensures that the Lapsus$ leak channel will experience minimal disruption and that the identities of their victims can be exposed to anyone with an internet connection.”

One of Lapsus$’s trademarks is running polls on its Telegram channel, where viewers can vote on whose data the gang should post next.

“It’s very reminiscent of the LulzSec people and even Anonymous back in the day,” Mandiant’s Carmakal says of the two hacktivist collectives that rose to prominence in the early 2010s. “These people were politically motivated, or they pretended to be, but they were also doing it for fame, and LulzSec in particular was more overtly doing it for fun. With Lapsus$, it’s a very dangerous thing for people to do for fun, and they’re going to get arrested at some point.”

In the meantime, though, the question for Big Tech is who will be next in Lapsus$’s crosshairs. It seems that no target is too big or too influential to be out of reach, and that the group’s demands can be just as hard to predict.
