Lapsus$ cyberattacks: the latest news on the hacking group

A London jury has found that a teenage member of the Lapsus$ hacking group carried out the high-profile cyberattacks on Rockstar Games, Uber, and Nvidia, according to a report from the BBC. The Southwark Crown Court jury that the 18-year-old Arion Kurtaj committed 12 offenses, including blackmail, fraud, and several violations of the UK’s Computer Misuse Act.

Kurtaj was arrested several times within the past two years but continued to carry out cyberattacks on several companies, such as Nvidia, by using social engineering and SIM-swapping techniques. London police arrested Kurtaj for the final time in September 2022 after he violated bail conditions that banned him from using the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) is calling for stricter SIM swapping protections and the transition to a passwordless future following last year’s Lapsus$ attacks. In a lengthy report released on Thursday, the agency details the teen hacking group’s key techniques and provides recommendations to prevent similar attacks going forward.

Lapsus$ made headlines last year after it took credit for the cyberattacks affecting major tech companies like Nvidia, Samsung, Ubisoft, T-Mobile, Uber, and Microsoft. The group also managed to steal and leak 90 videos containing gameplay footage from Rockstar’s upcoming Grand Theft Auto VI game. Seven teenagers connected to the group were arrested in London last year.

The City of London police report they’ve arrested a 17-year-old in Oxfordshire on suspicion of hacking and said he remains in custody. In a follow-up tweet the next day, the police confirmed the teen has been charged with two counts of breach of bail conditions and two counts of computer misuse. A hearing was scheduled for Saturday, but as of Monday morning, no further details have been released.

Police declined to say what incident the arrest was in connection with, but many of the details line up with recent high-profile hacks. This spring, the City of London police arrested and released seven teenagers in connection with an investigation into the Lapsus$ hacking group. Today’s arrest also comes just days after two security breaches believed to be connected to Lapsus$, with the leak of early Grand Theft Auto 6 footage due to a “network intrusion” and a security breach at Uber that caused it to take several internal systems offline for a while.

Uber said that a hacker associated with the Lapsus$ hacking group was to blame for a breach of its internal systems last week, while reiterating that no customer or user data was compromised during the attack.

The hack, which was discovered last Thursday, forced the company to take several of its internal systems offline, including Slack, Amazon Web Services, and Google Cloud Platform. 

Rockstar has confirmed the Grand Theft Auto VI footage leaked online over the weekend was stolen from its network. The user who posted the gameplay, “teapotuberhacker,” claims they also carried out an attack on Uber that occurred last week, but it’s still unclear whether they’re actually connected.

“We recently suffered a network intrusion in which an unauthorized third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto,” Rockstar says on Twitter. “We are extremely disappointed to have any details of our next game shared with you all in this way. Our work on the next Grand Theft Auto game will continue as planned and we remain as committed as ever to delivering an experience to you, our players, that truly exceeds your expectations.”

Footage of Grand Theft Auto VI, Rockstar’s next entry in its open-world franchise, has leaked online. PC Gamer reports that a user on the GTA Forums has posted a 3GB file full of 90 videos of GTA VI footage. It’s not exactly clear how the footage was obtained, but the “teapotuberhacker” poster claims to be behind the unrelated Uber hack late last week, and says they may “leak more data soon” including GTA V and GTA VI source code, assets, and testing builds.

The massive leak lines up with some earlier reporting on GTA VI, showing a female playable character in some clips. Bloomberg reported earlier this year that GTA VI would include a female protagonist influenced by Bonnie and Clyde. Bloomberg reporter Jason Schreier says he has verified the leak is real through sources at Rockstar Games.

The Lapsus$ hacking group stole T-Mobile’s source code in a series of breaches that took place in March, as first reported by Krebs on Security. T-Mobile confirmed the attack in a statement to The Verge, and says the “systems accessed contained no customer or government information or other similarly sensitive information.”

In copies of private messages obtained by Krebs, the Lapsus$ hacking group discussed targeting T-Mobile in the week prior to the arrest of seven of its teenage members. After purchasing employees’ credentials online, the members could use the company’s internal tools — like Atlas, T-Mobile’s customer management system — to perform SIM swaps. This type of attack involves hijacking a target’s mobile phone by transferring its number to a device owned by the attacker. From there, the attacker can obtain texts or calls received by that person’s phone number, including any messages sent for multi-factor authentication.

Three months after authentication platform Okta was breached by hacking group Lapsus$, the company has concluded its internal investigation after finding that the impact was less serious than initially believed.

In a blog post published Tuesday, Okta’s chief security officer David Bradbury noted that the company had been transparent by sharing details of the hack soon after it was discovered but that further analysis had downgraded early assessments of the potential scope.

After a short “vacation,” the Lapsus$ hacking gang is back. In a post shared through the group’s Telegram channel on Wednesday, Lapsus$ claimed to have stolen 70GB of data from Globant — an international software development firm headquartered in Luxembourg, which boasts some of the world’s largest companies as clients.

Screenshots of the hacked data, originally posted by Lapsus$ and shared on Twitter by security researcher Dominic Alvieri, appeared to show folders bearing the names of a range of global businesses: among them were delivery and logistics company DHL, US cable network C-Span, and French bank BNP Paribas.

City of London Police have arrested seven teenagers due to their suspected connections with a hacking group that is believed to be the recently prolific Lapsus$ group, BBC News reports.

“The City of London Police has been conducting an investigation with its partners into members of a hacking group,” Detective Inspector Michael O’Sullivan of the City of London Police said in a statement to The Verge. “Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.”

In recent weeks, the Lapsus$ hacking group has taken credit for accessing company data from Nvidia, Samsung, Ubisoft, Okta, and even Microsoft, and according to a new Bloomberg report, an England-based teenager might be the person heading up the operation.

“Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind,” Bloomberg said. However, the teenager, who apparently uses the online aliases “White” and “breachbase,” has not been accused by law enforcement, and the researchers “haven’t been able to conclusively tie him to every hack Lapsus$ has claimed,” Bloomberg said.

After the disclosure of a hack affecting its authentication platform, Okta has maintained that the effects of the breach were mostly contained by security protocols and reiterated that users of the service do not need to take corrective action as a result.

The statements were made by David Bradbury, chief security officer at Okta, in a video call with customers and press Wednesday morning.

The hacking group Lapsus$, known for claiming to have hacked Nvidia, Samsung, and more, this week claimed it has even hacked Microsoft. The group posted a file that it claimed contains partial source code for Bing and Cortana in an archive holding nearly 37GB of data.

On Tuesday evening, after investigating, Microsoft confirmed the group that it calls DEV-0537 compromised “a single account” and stole parts of source code for some of its products. A blog post on its security site says Microsoft investigators have been tracking the Lapsus$ group for weeks, and details some of the methods they’ve used to compromise victims’ systems. According to the Microsoft Threat Intelligence Center (MSTIC), “the objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and destructive attacks against a targeted organization, often resulting in extortion. Tactics and objectives indicate this is a cybercriminal actor motivated by theft and destruction.”

Okta, an authentication company used by thousands of organizations around the world, has now confirmed an attacker had access to one of its employees’ laptops for five days in January 2022 and that around 2.5 percent of its customers may have been affected — but maintains its service “has not been breached and remains fully operational.”

The disclosure comes as hacking group Lapsus$ has posted screenshots to its Telegram channel claiming to be of Okta’s internal systems, including one that appears to show Okta’s Slack channels, and another with a Cloudflare interface.

Ubisoft experienced a “cyber security incident” last week that temporarily disrupted some games, systems, and services, the company reported Thursday. Ubisoft hasn’t said who might be responsible, but on Friday evening, the group who purportedly hacked Nvidia took credit.

Ubisoft said it believes that “at this time there is no evidence any player personal information was accessed or exposed as a by-product of this incident” and says that games and services are now “functioning normally.” Out of caution, the company also “initiated a company-wide password reset.” When asked for comment, Ubisoft spokesperson Jessica Roache said the company had no additional details to share.

Hackers have successfully stolen internal company data and source code for Galaxy devices from Samsung, the South Korean tech giant confirmed today.

News of the breach was first reported earlier this month, with a hacking outfit named Lapsus$ claiming responsibility. The group, which recently hacked Nvidia, shared screenshots purportedly showing roughly 200GB of stolen data, including source code used by Samsung for encryption and biometric unlocking functions on Galaxy hardware.

Nvidia never denied that it got hacked. The GPU giant just didn’t say all that much about what happened, either.

But now — as we wait to see whether the hackers make good on their threat to dump hundreds of gigabytes of proprietary Nvidia data on the web, including details about future graphics chips, by an unspecified Friday deadline — the compromised email alert website Have I Been Pwned suggests that the scope of the hack includes a staggering 71,000 employee emails and hashes that may have allowed the hackers to crack their passwords (via TechCrunch).

Nvidia has confirmed that it was hacked — and that the actor behind last week’s “incident” is leaking employee credentials and proprietary information onto the internet. In a statement to PCMag, Bloomberg, and VideoCardz, the company says it became aware of the breach on February 23rd, and that it does “not anticipate any disruption to [its] business or our ability to serve our customers as a result of the incident.”

Hacking group Lapsus$ has claimed responsibility for the attack, and has demanded that Nvidia make its drivers open-source if it doesn’t want more data leaked. Nvidia hasn’t necessarily agreed to those demands; the company says it’s made improvements to its security, notified law enforcement, and is working with cybersecurity experts to respond to the attack.