British cops arrest seven in Lapsus$ crime gang probe

Bitcoin millionaire teen said to be among those detained


British cops investigating a cyber-crime group have made a string of arrests.

Though City of London Police gave few details on Thursday, officers are said to be probing the notorious data-theft and extortion gang Lapsus$, and have detained and released seven people aged 16 to 21.

In a statement, the force said: "Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing."

Among them is a 16-year-old boy from Oxford who has been accused of being one of the crew's leaders, the BBC reported. He cannot be identified for legal reasons.

"I had never heard about any of this until recently," the boy's father was quoted as saying by the broadcaster. "He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games. We're going to try to stop him from going on computers."

Bloomberg first reported the boy's alleged involvement with the extortion gang on Wednesday, along with claims by security researchers that he was the crew's mastermind. Lapsus$ is the devil-may-care team of miscreants that has broken into major firms including Microsoft, Samsung, Vodafone, and Okta.

It is said the boy netted about $14m in Bitcoin from his online life, and was lately doxxed – which means he had his personal info leaked online – after an apparent falling out with his business partners. Palo Alto Networks and infosec outfit Unit 221B meanwhile said they have been tracking who they believe to be the leader of the crew since last year, and know that person's identity, but could not confirm the arrested 16-year-old was the brains behind the extortion operation.

"We've had his name since the middle of last year and we identified him before the doxxing," Allison Nixon, chief research officer at Unit 221B, told the BBC. She added that the netizen they were monitoring had left a trail of clues to their identity due to OPSEC mistakes.

"Unit 42, together with researchers at Unit 221B, identified the primary actor behind the Lapsus$ Group moniker in 2021, and have been assisting law enforcement in their efforts to prosecute this group," Palo Alto Networks added.

Lapsus$ rise and fall

The cyber-crime ring rose to fame in recent months for its brash tactics and its propensity to brag about its exploits on Telegram. Its standard operating procedure is to infiltrate a big target's network, steal sensitive internal data, make demands to prevent the public release of this material – and usually release some of it anyway.

Lapsus$ was believed to be based in Brazil, as its earliest victims included that country's Ministry of Health as well as the Portuguese media outlets SIC Notícias and Expresso.

In February, however, the criminals sneaked into Nvidia's networks and stole one terabyte of data including employee credentials and proprietary information, and dumped some of it online.

Days later Lapsus$ said it had raided Samsung and stolen 190GB of internal files, including some Galaxy device source code.

The criminal group followed that up by claiming it was responsible for a cybersecurity incident at gaming giant Ubisoft.

'Motivated by theft and destruction'

Microsoft, in its days-late confirmation that Lapsus$, which the Windows giant calls DEV-0537, did indeed steal some of its source code, said the crime group seems to be "motivated by theft and destruction." Microsoft added:

Unlike most activity groups that stay under the radar, DEV-0537 doesn't seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 also uses several tactics that are less frequently used by other threat actors tracked by Microsoft.

Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.
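Two of the tactics Microsoft lists, buying MFA approvals and SIM-swapping, leave traces in ordinary authentication logs: a burst of push prompts that ends in an approval, and a password reset by SMS one-time code shortly after the account's phone number was changed. The following is an added example, not code from the article or from Microsoft, showing detection logic for both patterns over a constructed log. The log format (timestamp, user, event, detail) and the events `mfa_push`, `phone_change` and `password_reset` are assumptions for illustration, not any real product's schema; the thresholds are starting points to tune against real data.

```python
"""Flag MFA-fatigue approvals and SMS resets following a phone-number change.

Added example; the log format and event names are invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    event: str
    detail: str


class Alert(NamedTuple):
    user: str
    kind: str
    reason: str


# Constructed sample log (not real data): "<ISO timestamp> <user> <event> <detail>".
SAMPLE_LOG = """\
2022-03-21T09:00:00Z alice mfa_push denied
2022-03-21T09:00:20Z alice mfa_push denied
2022-03-21T09:00:45Z alice mfa_push denied
2022-03-21T09:01:10Z alice mfa_push denied
2022-03-21T09:01:40Z alice mfa_push approved
2022-03-21T10:00:00Z bob mfa_push approved
2022-03-21T14:00:00Z carol phone_change +15550100
2022-03-21T14:20:00Z carol password_reset sms_otp
2022-03-22T14:30:00Z dave phone_change +15550101
2022-03-24T09:00:00Z dave password_reset sms_otp
"""


def parse_events(text: str) -> List[Event]:
    """Parse the four-column log format into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(maxsplit=3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, detail))
    return events


def find_mfa_fatigue(events: List[Event], window: timedelta = timedelta(minutes=10),
                     threshold: int = 3) -> List[Alert]:
    """An approval preceded by `threshold` or more push prompts inside `window`.

    A legitimate user answers the first prompt; repeated prompts that end in an
    approval suggest the user was worn down (or paid) into accepting one.
    """
    pushes = defaultdict(list)
    for e in events:
        if e.event == "mfa_push":
            pushes[e.user].append(e)
    alerts = []
    for user, user_pushes in pushes.items():
        user_pushes.sort(key=lambda e: e.ts)
        for i, push in enumerate(user_pushes):
            if push.detail != "approved":
                continue
            recent = [p for p in user_pushes[: i + 1] if push.ts - p.ts <= window]
            if len(recent) >= threshold:
                alerts.append(Alert(user, "mfa_fatigue",
                                    f"{len(recent)} push prompts within {window}, approved at {push.ts:%H:%M:%S}"))
    return alerts


def find_sms_reset_after_phone_change(events: List[Event],
                                      window: timedelta = timedelta(hours=24)) -> List[Alert]:
    """A password reset via SMS one-time code within `window` of a phone-number change.

    After a SIM swap the attacker typically updates the number on the account (or
    already controls it) and then resets the password through the SMS channel.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        last_change = None
        for e in evs:
            if e.event == "phone_change":
                last_change = e
            elif (e.event == "password_reset" and e.detail == "sms_otp"
                  and last_change is not None and e.ts - last_change.ts <= window):
                alerts.append(Alert(user, "sms_reset_after_phone_change",
                                    f"reset {e.ts - last_change.ts} after number changed to {last_change.detail}"))
    return alerts


def run_detections(text: str) -> List[Alert]:
    """Run both detections over a log and return every alert raised."""
    events = parse_events(text)
    return find_mfa_fatigue(events) + find_sms_reset_after_phone_change(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(f"{alert.kind:28} {alert.user:6} {alert.reason}")
```

On the constructed log this raises exactly two alerts: alice (five prompts in under two minutes ending in an approval) and carol (an SMS-based reset 20 minutes after her number was changed); bob's single approval and dave's reset nearly two days after his number change are left alone. The phone-change rule assumes the directory records number changes as events; where it does not, a diff of the stored number against a daily snapshot is the usual substitute.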

In an email to The Register, endpoint security vendor Cybereason's Director of Security Strategy Ken Westin said he wouldn't be surprised if the notorious cyber-crime ring's bosses do turn out to be teenagers.

"The security community underestimates the younger generation," he wrote. "We forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security."

Like others, Westin said he suspected the group was young "based on their modus operandi, or lack thereof."

"It was as if they were surprised by their success and were not sure what to do with it," he noted. 

Today's teens can see how much money cyber-criminals make from ransomware and other destructive attacks. "They are the new rockstars," Westin said. "You pair this with the fact kids have been cooped up for years often with nothing but the internet to entertain themselves and we shouldn't be surprised we have skilled hackers." ®

Biting the hand that feeds IT © 1998–2022