Two serious cyber attacks in one weekend have raised suspicions that a dangerous criminal group is back in business. After months of inactivity, researchers warn that there are "indications" that Lapsus$ has resumed its operations and is behind these latest attacks. The hackers share the same modus operandi, which puts on the table the return of the cybercriminal gang that gave specialists a real headache at the beginning of the year.
Lapsus$ gained fame because it managed to hack several multinational companies with top-notch security teams, such as Microsoft. The group is believed to be made up of teenagers. British police arrested seven young men last March for alleged links to the group. One of them, then 16 years old, was accused of being a leader of the gang. He was released a few hours later, and although Lapsus$ has been largely inactive since then, either they or followers of their methods are back in action.
It is the second attack this weekend that has investigators connecting the dots. On Sunday a massive batch of content from the next instalment of the Grand Theft Auto saga, GTA VI, was posted online. The title will not be released until late 2023 or 2024, so the 90 videos that surfaced in the leak have spread like wildfire among the countless fans of a franchise whose previous edition sold more than 165 million copies.
"We experienced an intrusion where an unauthorized third party illegally accessed and downloaded confidential information," Rockstar Games, the game's developer, admitted on Monday, regretting that fans learned about GTA VI this way. Even so, the company insists that its development files were not tampered with, which would have delayed the launch, and that its systems have not suffered any infection.
Rockstar is one of the giants of the industry and its parent company had a net profit of almost $100 million last year. However, the incident did not go beyond a mass leak. A hacker (or hackers) simply gained full access to its network, showed it off by posting the long-awaited game files on forums, and disappeared.
This is the second time something like this has happened in a few days. On Friday, Uber watched as someone gained access to all of its systems, posted screenshots of its admin dashboard and financial data, and walked away. The company says the attack had no further consequences. "We reviewed our code base and did not find that the attacker made any changes. We also did not find that the attacker accessed user accounts or user data," the company said.
Before disappearing, the attacker contacted cyber security specialists and the New York Times so that his actions would not go unnoticed. He told them he was 18 years old.
Uber thinks its hack and the GTA VI leak are connected. "This weekend it was also reported that the same actor attacked video game developer Rockstar Games. We are coordinating closely with the FBI," the company explained this week along with some of the investigation's findings: "We believe that this attacker (or attackers) is associated with a hacking group called Lapsus$."
Lapsus$ became famous for attacking all these companies not by brute force, but by gaining access to their systems with the credentials of the companies' own workers. To obtain them, they trick those employees or offer large sums of money in exchange for their passwords via the dark web.
With this tactic they hacked Microsoft, but also a Portuguese media group, Samsung, Nvidia and Okta, among other multinational companies. The last of these, although the least known, was one of the group's most critical operations. Okta provides digital identity services for the employees of other companies, so getting into its systems was a shortcut to infiltrating hundreds of organizations.
The entry method matches the one used in the Rockstar and Uber attacks. In both cases, according to the reports, the entry route was Slack, the internal communication software used by their workers. What was the attacker's purpose? Probably just to see whether they could get in. "We call them initial access attackers," explains Josep Albors, director of research at cybersecurity firm ESET.
"They are dedicated to gaining access to a company's internal network, in this case a very large one, and then negotiating that access. They can sell it to groups that want to use ransomware, for example (a type of attack that encrypts files and demands a ransom to unlock them for the victim), steal information and then sell it to the highest bidder...", the expert continues.
"What they do after gaining access is hard to track, because the kinds of deals they make are rarely made public unless they choose to publicize them because it benefits their goals," Albors adds.
The estimated age of the attackers, the method of entry, the leaking of business information: these are all "hints" that point to a possible return of Lapsus$, although experts warn that they could also come from copycats of the group.
"The phenomenon of copying in cybercrime happens all the time," says Albors. "The attacks here are being attributed to Lapsus$, and that is entirely possible, but we should not rule out that there are groups imitating these activities."
The possibility that a second group copying the Lapsus$ modus operandi is behind the latest attacks is heightened by the media coverage these cybercriminals received. Their popularity and activities made them enemies even among other criminal groups. This made them the victims of doxing, a common attack among hackers that consists of publishing all of a person's identities, contacts and compromised information.
The alleged leader was arrested after the attacks, by which time his personal details had already been published.
Source: El Diario