Lapsus$ Teens Out on Bail, Due Back in Court April 29
Among Charges: Unauthorized Computer Access With Intent to Impair Data Reliability
Two teenagers arrested and charged by the City of London Police in connection with its investigation into the Lapsus$ hacking group have been released on bail for an undisclosed sum and are due back in court on April 29.
The City of London Police, which handles fraud reporting and cybercrime for the U.K., is investigating the Lapsus$ hacking group, which has claimed responsibility for data breaches involving Okta, Microsoft, Nvidia and Ubisoft, among others. Lapsus$ also claimed to be responsible for the Globant breach, which occurred after the arrests.
One of the accused, a 16-year-old, was charged with "causing a computer to perform a function to secure unauthorized access to a program," the police say. In addition to this, the teen - and their 17-year-old alleged co-conspirator - also face the following charges:
- Unauthorized access to a computer with intent to impair the reliability of data;
- Fraud by false representation;
- Unauthorized access to a computer with intent to hinder access to data.
Two teenagers have been charged in connection with an investigation into members of a hacking group. They will both appear at Highbury Corner Magistrates Court this morning.
Full statement https://t.co/1ZREqukfzR pic.twitter.com/gpLcBPAym4
— City of London Police (@CityPolice) April 1, 2022
The BBC reports that the Highbury Corner Youth Court has released the teenagers on bail following the indictment on Friday. The court did not respond to Information Security Media Group's request for details on both the bail terms and the likely date of the upcoming sentencing hearing.
A spokeswoman for the City of London Police tells ISMG that the next hearing for the accused is scheduled for April 29 at the Southwark Crown Court, but she declined to provide further details, citing active court proceedings.
The charges came days after the London police said they had arrested seven people with reported ties to Lapsus$ (see: UK Police Arrest 7 Allegedly Tied to Lapsus$ Hacking Group).
Last month, the FBI sought information on the identities of the individuals in the threat group, saying: "… individuals from a group identifying themselves as Lapsus$ [have] posted on a social media platform and alleged to have stolen source code from a number of United States-based technology companies. These unidentified individuals took credit for both the theft and dissemination of proprietary data that they claim to have illegally obtained. The FBI is seeking information regarding the identities of the individuals responsible for these cyber intrusions."
How Lapsus$ Works
Lapsus$ has, for the past few months, been on a high-profile hacking spree, with at least five data breach claims to its credit.
Classified as an extortion actor, Lapsus$ breaches corporate networks, exfiltrates sensitive data and demands a ransom in return for not leaking the information online, according to a research report from cybersecurity firm Searchlight Security, which has been tracking the group closely.
Citing a chat on the group's Telegram page, Searchlight Security says that Lapsus$ does not deploy ransomware during its operations: "This has been confirmed in one instance by Lapsus$ itself on Telegram, stating 'we said it was a ransom, not a ransomware' in response to a chat member’s question about their tactics."
But Lapsus$ has also claimed to engage in data wiping against its targets, "raising the stakes for the data's return and thus the likelihood of ransoms being paid. That said, it is currently unclear whether any of Lapsus$' victims have paid up," Searchlight Security adds.
Lapsus$ also uses its Telegram channel to broadcast victims' identities and try to recruit insiders to infiltrate companies in return for a cut of the proceeds, says Chris Morgan, a senior cyberthreat intelligence analyst at threat intelligence firm Digital Shadows.
"Most extortion groups set up their own data leak website on The Onion Router network - aka Tor - for data leaking purposes. This comes with its own risks and limitations, such as being targeted by law enforcement and being exposed to a limited audience of users who know how to navigate Tor," Morgan says.
"Abusing a legitimate tool like Telegram ensures the Lapsus$ data leak channel on Telegram will see limited disruption and that their victims' identities can be exposed to anyone with an internet connection," he says. "Lapsus$ also runs polls on their data leak channel, providing members with the ability to decide whose data should be breached next; among cyber extortion groups, few involve their followers or the public in such a direct manner."
The security community had speculated that the group was an organized cybercrime syndicate or a potential nation-state actor, although the group seems to lack apparent financial incentives.
"In some of their follow-up communications, their language appeared more interested in the notoriety and defense of their capabilities and accomplishments than any financial motivation," says Ken Westin, director of security strategy at cybersecurity firm Cybereason.
Westin tells ISMG: "The hacking group appears young based on its modus operandi, or lack thereof - as if the members were surprised by their success."
"The security community underestimates the younger generation. We forget that teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security," he says.
Chats, Attacks Continue After Arrest
It is too early to say if this will be the end of Lapsus$, as the arrests may still be a false flag, bad attribution, or even a framing job, Westin tells ISMG.
This may well be true. A Lapsus$ Telegram chat group - whose members have previously leaked data of compromised companies - continues to be active despite the arrests. Days after the police began a crackdown on Lapsus$ members, the group said it had returned from a "vacation" to leak more critical data.
On Thursday, nearly a week after the first set of reported arrests linked to the group, Lapsus$ leaked what appeared to be 70GB of data associated with the Luxembourg-based software development company Globant. It also appears to have leaked credentials of several DevOps platforms belonging to the company, including Jira, Confluence, Crucible and GitHub.
The threat group shared screenshots of a file directory that contains names of several companies, including tech giants Facebook, the Apple Health app, DHL, Citibank and BNP Paribas Cardiff, among others.