Hunt for Lapsus$ Hackers Leads to a British Teen

Credit to Author: Andrew Couts| Date: Sat, 26 Mar 2022 13:00:00 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

There are quiet weeks in the security world, and then there are weeks like this one. 

Monday kicked off with the Lapsus$ extortion gang—a cybercriminal group so bizarre and with such high-profile targets that some people suspected they were Russian state-sponsored hackers—claiming that it had breached Okta, a popular authentication services company, just hours after it leaked source code for Microsoft's Bing search, Bing Maps, and Cortana voice assistant. Given that Okta is used by some 14,000 companies, the news seemed “really, really bad," as one security expert told WIRED. Okta's fumbled messaging around the incident only made matters worse. Ultimately, the company said that hackers had accessed the accounts of an employee at third-party Okta subprocessor Sykes, potentially putting as many as 366 customers at risk. But, as we'll get into below, that was only the start of Lapsus$'s eventful week.

Russia's tragic war against Ukraine, meanwhile, continues to overshadow all else. As the destabilizing destruction continues, we detailed the tightrope President Biden (and, by extension, the NATO alliance) must walk as Russian president Vladimir Putin grows increasingly isolated and the apparent likelihood of Russia claiming control of Ukraine dwindles. We also took a look back at the biggest hack to take place since the war began in late February. The attack, against the ground network of the KA-SAT satellite owned by US-based Viasat, bricked modems and otherwise knocked offline some 27,000 customers across Europe. The mystery of who carried out the attack, however, has reportedly been solved. (Hint: Russia.)

The ceaseless saga of Russian hackers culminated on Thursday when the US Department of Justice unsealed a pair of indictments against alleged Russian government hackers who authorities say targeted US and international energy companies worldwide. One indictment focuses on three hackers said to work for Russian intelligence agency FSB, as part of a group known by security researchers as Berserk Bear, Dragonfly 2.0, and Havex. While Berserk Bear's alleged hacking targeted nuclear facilities in the US, the group is not known to have caused any physical destruction as part of its hacking activities. The same cannot be said for the Russian hacker group known as Xenotime, which security researchers say caused disruptions at a Saudi oil refinery in 2017 and, according to the second indictment unsealed Thursday, targeted a US oil refinery with similarly dangerous intentions.

Follow along for the latest on these stories and more in this week's security news roundup.

Soon after Lapsus$ claimed to have hacked Okta and leaked Microsoft source code (which Microsoft later confirmed), Bloomberg reported that security researchers identified the gang's ringleader to be a teenager from Oxford, UK, who's “so skilled at hacking—and so fast—that researchers initially thought the activity they were observing was automated.” Almost as quick were the arrests that followed: The BBC reported hours after Bloomberg's report that City of London police arrested seven people, ages 16 to 21, in connection with Lapsus$ activity, which in addition to targeting Okta and Microsoft reportedly included hacking Samsung, Nvidia, EA, and Ubisoft. The 16-year-old identified by security researchers may or may not have been among the arrested group. Regardless, police reportedly released all seven without charges, and the gang's chaotic energy has so far continued unabated.

The main lingering question surrounding the Viasat satellite hack, which disrupted Ukranian military communications along with that of tens of thousands of civilian and corporate customers throughout Europe, was whodunnit? The answer, as expected, was Russia, according to unnamed US officials who spoke with The Washington Post. Specifically, the attack was reportedly instigated by the GRU, the Russian military intelligence agency. While the GRU is home to Sandworm, the hacker group responsible for carrying out devastating cyberattacks against Ukraine and unleashing the costly NotPetya cyberattack, it's not known whether Sandworm hackers were involved in the Viasat hack.

The White House on Monday warned US companies of “evolving intelligence that Russia may be exploring options for potential cyberattacks” in retaliation for US sanctions against Russia over its war against Ukraine. The White House offered few details but hinted at classified briefings for potential targets and urged companies to institute stronger security safeguards. Given the Biden administration's tactic of releasing intelligence in the lead-up to Russia's invasion of Ukraine last month that proved accurate, many assumed an attack could be imminent. As the week wore on, more details emerged: CNN reported that the FBI had warned five US energy companies that Russian hackers had scanned their networks—an early step often used to identify potential avenues of attack. And the US Cybersecurity and Infrastructure Security Agency held a call with more than 13,000 “industry ‘stakeholders’” to answer their questions and further encourage more robust security on corporate networks. 

Russia isn't the only country whose hackers have been busy. Google's Threat Analysis Group this week revealed that North Korean hackers successfully exploited a zero-day vulnerability in the Chrome web browser for roughly a month before the company issued a patch. One campaign, which TAG researchers dubbed Operation Dream Job, targeted some 250 people in media and tech with fake job recruiter emails that included a link that, when clicked, would initiate the exploit kit. The other campaign, Operation AppleJeus, specifically targeted 85 people in cryptocurrency and fintech using the same exploit kit that was deployed in Operation Dream Job. While North Korean hackers have used similar tactics before, the revelation serves as a reminder to always update your apps.

https://www.wired.com/category/security/feed/