Lapsus$ Group Cyberattacks: Methods, Motives, & Timeline

Lapsus$ is a hacker collective that launched a series of high-profile cyberattacks, starting in late 2021. They initially targeted South American and Portuguese companies, before branching out to demand ransoms from increasingly high-profile targets in 2022: Nvidia, Samsung, Ubisoft, and, most recently, Microsoft.

Though some describe Lapsus$ as a ransomware group, they do not rely on software to attack their victims. Instead, they lean heavily on insider threats and social engineering tactics such as phishing. They have even openly recruited insiders from their Telegram page:

WE ARE NOT LOOKING FOR DATA, WE ARE LOOKING FOR THE EMPLOYEE TO PROVIDE US A VPN OR CITRIX TO THE NETWORK, or some anydesk . . . You will be paid if you would like. Contact us to discuss that

Lapsus$’s motives are ostensibly financial, and they have repeatedly made statements to that effect. Per one Telegram post, “The only goal is money, our reasons are not political.”

But if money were their sole motive, Lapsus$ might keep a lower profile. They also seem to enjoy showing off to their audience of 38,000 Telegram followers – indicating they may also be chasing thrills and glory. To borrow a term from an older hacker collective, it is very possible Lapsus$ is doing it, at least in part, “for the lulz”.

Lapsus$’s initial run of attacks, focused in South America and Portugal, has led some to speculate Lapsus$ is based in Brazil. While it’s likely at least a few members live there, it’s even more likely this decentralized group has members in a dozen or more countries around the world.

Read on for the full history of Lapsus$, from its inception to its most recent cyberattacks.

12/9/2021: Lapsus$ makes Brazil’s Ministry of Health their first victim

On December 9, Lapsus$ launched their Telegram page and announced they had breached the Brazilian Ministry of Health. As part of their announcement, they demanded a ransom from the organization:

Over 50tb of data is copied from the cloud and intranet systems over the past weeks and has been erased from the Ministério da Saúde systems.

We request for the Ministério da Saúde ADMIN/EXECUTIVE to contact us on saudegroup@ctemplar.com for the data return. and to avoid leakage.

From what we can tell, Lapsus$ was able to obtain broad access to Brazilian health records. The Brazilian government claimed that they had backups of all the data that had been stolen and deleted, a claim Lapsus$ disputed via Telegram.

12/30/2021: New Year’s spree targets Impresa, Claro, and more

Over New Year’s weekend, Lapsus$ launched an impressive string of attacks on targets including Impresa, a Portuguese media conglomerate, and Claro, a Latin American telecommunications company. Again, their motives appear to have been expressly financial:

We will come to some agreement, where such i delete the data in exchange for a small reward/fee.

Otherwise we will be forced to share the data with the public eye!

I should add that the leakage of the sensitive legal orders and wiretaps would cause law enforcement major issues

In addition to ransoming sensitive data, Lapsus$ also launched denial-of-service attacks to render their targets’ websites unusable. In one case, they redirected the homepage of car rental company Localiza to send users to a pornographic website.

2/8/2022: Lapsus$ steals Vodafone source code

In February, Lapsus$ teased that they had breached Vodafone via a short Telegram message, followed by a poll of “what to leak first”. In another poll in early March, they specified that they had accessed 5,000 GitHub repositories and obtained roughly 200 gigabytes of compressed data from Vodafone.

This poll also included MercadoLibre, an Argentine ecommerce company. But so far, there has not been much news regarding the Vodafone and MercadoLibre attacks – possibly because Lapsus$ found even more high profile targets to pursue.

2/23/2022: Lapsus$ breaches Nvidia

In late February, Lapsus$ broke into graphics card company Nvidia and looted nearly a terabyte of proprietary data, including schematics, firmware, and more. Nvidia said they first noticed the attack on February 23, but they were apparently unable to prevent Lapsus$ from making off with their bounty.

As the story broke, Lapsus$ announced the hack on their Telegram on February 27. Instead of demanding money, in this case Lapsus$ demanded Nvidia remove a crypto-mining limitation on their graphics cards:

We decided to help mining and gaming community, we want nvidia to push an update for all 30 series firmware that remove every lhr limitations otherwise we will leak hw folder.

If they remove the lhr we will forget about hw folder (it’s a big folder)

We both know lhr impact mining and gaming.

On March 1st, Lapsus$ expanded their demands and called on Nvidia to fully open source their GPU drivers. They also began offering leaked data for sale, at a minimum price of $1 million.

From what we can tell, Lapsus$ and Nvidia have not come to any kind of deal. In early March, Lapsus$ even accused Nvidia of hacking them, which Nvidia currently denies.

3/4/2022: Lapsus$ leaks Samsung source code & more

On March 4, Lapsus$ posted a torrent file to its Telegram including source code and algorithms pertaining to various Samsung devices and software. In a media statement a few days later, Samsung acknowledged the breach and noted that no personal information regarding customers or employees had been leaked.

It’s unclear what, exactly, Lapsus$’s motivations were here. In this case, they did not make any clear demands, monetary or otherwise.

3/11/2022: Lapsus$ disrupts Ubisoft gaming services

On March 11, Ubisoft announced that they, too, had been targeted by a cyberattack causing disruptions to their online gaming services. When The Verge reported on the incident, Lapsus$ reposted the story to their Telegram page alongside a smirking emoji.

It’s unclear what Lapsus$’s motivations were in this case, and there has been little other news on the matter.

3/19/2022: Lapsus$ breaches Microsoft

On March 19, Lapsus$ posted a screenshot to their Telegram, teasing that they had breached the tech giant Microsoft. The screenshot indicated that they had compromised Bing, Cortana, and other Microsoft projects.

On March 21, Lapsus$ posted partial source code for Bing, Bing Maps, and Cortana to their Telegram page. So far, it does not appear that any customer data was leaked in the data breach. However, we will continue to update this story as new details emerge.