City of London Police say they have arrested seven teenagers over their suspected connections to hacker group Lapsus$.
The group has run extortion campaigns in the UK and South America, and has now expanded to global targets, including organisations in government, technology, telecom, media, retail and healthcare.
“Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing,” said City of London Police.
On 23 March, Bloomberg reported that a 16-year-old teenager from Oxford, who uses the online aliases “White” and “Breachbase”, was the mastermind behind the group, although City of London Police have not commented on whether he was one of the people arrested.
The Bloomberg report also said researchers “haven’t been able to conclusively tie him to every hack Lapsus$ has claimed,” but added they had been tracking “White” for nearly a year through a trail of activity linked to the teenager’s online accounts.
“We did it by watching the post history of an account and seeing older posts provide contact information for the guy,” said Allison Nixon, chief research officer at cyber security investigation company Unit 221B.
The teenager’s father told the BBC: “I had never heard about any of this until recently. He’s never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.”
Although some researchers have labelled Lapsus$ a ransomware gang, Palo Alto’s Unit 42 (which worked with Unit 221B to track “White”) noted in a blog post that the group was notable for not using ransomware in its extortion attempts.
“In today’s environment, threat actors favour using ransomware to encrypt data and systems and often extort victims for significant amounts of cryptocurrency in exchange for decryption keys, sometimes turning up the pressure with the threat of publishing stolen data. Lapsus$, however, is unusual in its approach – for this group, notoriety most often appears to be the goal, rather than financial gain,” it said, adding Unit 42 has helped a number of organistions respond to multiple Lapsus$ attacks.
“The Lapsus$ Group doesn’t employ malware in breached victim environments, doesn’t encrypt data and in most cases, doesn’t actually employ extortion. They focus on using a combination of stolen credentials and social engineering to gain access to victims. We’ve also seen them solicit employees on Telegram for their login credentials at specific companies in industries including telecom, software, gaming, hosting providers and call centres.”
Cyber security firm Check Point came to similar conclusions in its own blog post, but added that Lapsus$ maintains a “very active Telegram group” with over 35,000 subscribers, where it posts interactive polls on who its next target should be.
Unit 42 added that even without ransomware the group’s attacks have been very damaging, with destructive attacks taking place where the threat actor gained access to cloud environments, wiped systems and destroyed over 1,000 virtual machines.
Unit 42 also said the group’s “diversity of techniques” means there is no single defence against its attacks, but adding zero-trust network architecture and strong security hygiene were the best option.
“If Lapsus$ has purchased credentials for a network, they can effectively operate as an insider threat, taking advantage of the same privileges the employee has inside the network,” it said.
“Focus on general information security best practices: multi-factor authentication, access controls and network segmentation. Ensure your organisation has the ability to detect anomalous activity, including activity that involves trusted third parties in your environments, and protect against non-technical techniques such as vishing and SIM-swapping.
“Patching of internal systems that might support lateral movement and privilege escalation should be prioritised, as well as against known public exploits that these actors might employ.”