UK police arrest 7 hacking suspects – have they bust the LAPSUS$ gang?

By Sophos Team, March 28, 2022
You’ve almost certainly heard of the LAPSUS$ hacking crew.

That’s lapsus, which is as good a Latin word as any for “data breach”, followed by a dollar sign, like a text variable in BASIC.

Microsoft refers to this cybergang by the more pedestrian moniker of “the DEV-0537 actor”, and noted, in a blog post earlier this week, that the group has been involved in:

[A] large-scale social engineering and extortion campaign against multiple organizations, with some seeing evidence of destructive elements.

According to Microsoft, the scale of the LAPSUS$ infiltrations has been huge:

Early observed attacks by DEV-0537 targeted cryptocurrency accounts resulting in compromise and theft of wallets and funds. As they expanded their attacks, the actors began targeting telecommunication, higher education, and government organizations in South America. More recent campaigns have expanded to include organizations globally spanning a variety of sectors. Based on observed activity, this group understands the interconnected nature of identities and trust relationships in modern technology ecosystems and targets telecommunications, technology, IT services and support companies – to leverage their access from one organization to access the partner or supplier organizations. They have also been observed targeting government entities, manufacturing, higher education, energy, retailers, and healthcare.

Indeed, as the article goes on to admit, Microsoft itself was one of the companies that LAPSUS$ managed to compromise, allegedly making off with gigabytes of Microsoft source code.

Fascinatingly, Microsoft notes that the LAPSUS$ crew went public even while that data theft was in progress (the group seems to like bragging openly on Telegram about hacks it’s busy with and businesses that it’s determined to embarrass). The Microsoft security team wryly noted that “[t]his public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

Other cybercrimes attributed to LAPSUS$ include a January break-in at 2FA (two-factor authentication) service provider Okta, which ultimately only came to light this week…

…and an unusual extortion attempt against graphics card company Nvidia, which we discussed two weeks back on the Naked Security Podcast.

Most ransomware extortions, whether they’re old-school ransom notes offering decryption keys to unlock scrambled files, or whether they follow the more recent cybercrime path of blackmailing companies in return for not leaking, selling or dumping stolen data…

…demand money, often huge amounts of money, to be paid in cryptocurrency.

But in the Nvidia standover, the LAPSUS$ gang variously demanded that Nvidia open-source its graphics drivers, or remove the limitations imposed on recent Nvidia graphics cards to restrict their use in cryptomining.

Tonight, the news wires are buzzing with stories stating that seven suspected hackers have been arrested in the UK, with many headlines insisting that this is a “LAPSUS$ bust”.

So far, however [2022-03-25T00:01Z], we haven’t actually seen anything that explicitly connects these arrests with the DEV-0537 a.k.a. LAPSUS$ group.

The closest we’ve seen is a report on popular technology site TechCrunch quoting a City of London Police officer as saying:

[We have] been conducting an investigation with its partners into members of a hacking group. Seven people between the ages of 16 and 21 have been arrested in connection with this investigation and have all been released under investigation. Our enquiries remain ongoing.

You may also have seen reports earlier this week about a doxxing incident dating back to January 2022 in which a youngster allegedly from the Cherwell District in Oxfordshire, England, was “identified” as a kingpin in LAPSUS$.

Doxxing is where a cybercriminal publicly dumps what they claim is detailed personal information about another criminal they’ve fallen out with, or about a victim whose life they want to throw into disarray. “Dox” is short for “documents” in the same way that “tix” is short for tickets, so the verb “doxxing” means dumping official, or at least official-sounding, details about someone’s life, possibly also including information about their family.

Cybersecurity journalist Brian Krebs, for example, recently published an investigative writeup about LAPSUS$ and this alleged ringleader, who apparently uses a variety of handles including

Intriguingly, the doxxed data claims that the youngster is 17 years old (he would have been 16 back in January, when the data was dumped), which would indeed put him within the 16-to-21 age bracket of the seven suspects arrested today, albeit that he would not be the youngest.

As far as we are aware, however, neither the Thames Valley Police, who look after law enforcement in the Oxfordshire area (and who are, ironically, themselves headquartered in the Cherwell District), nor the City of London Police, whom we quoted above, have yet gone public with any specific information about these busts.

So we don’t officially know whether the alleged kingpin of LAPSUS$ is amongst the seven who’ve been busted, or even if the arrests are related to LAPSUS$ at all.

(If