Uber Pins Security Breach And Huge GTA 6 Leak On Teen Hacking Group Being Targeted By FBI

Last week, a massive security breach rocked Uber, with a teenage hacker claiming credit for the incident. Then, over the weekend, someone claiming to be this same hacker leaked Grand Theft Auto (GTA) 6 gameplay footage on the GTA forums. The developer of the GTA series, Rockstar Games, later confirmed the authenticity of the leaked footage and disclosed a recent data breach in which an unauthorized third party accessed its internal systems and downloaded the footage. Uber, now further into the investigation of its own data breach, has published a statement linking the two incidents to the teenage hacking group LAPSUS$.

LAPSUS$ first gained wide notoriety in February of this year after allegedly stealing 1TB of data from NVIDIA. While the group appears to have been active as early as December 2021, NVIDIA was the group’s first high-profile victim. NVIDIA supposedly hit LAPSUS$ back with ransomware, but this counterstrike didn’t deter the group from continuing its hacking spree. LAPSUS$ went on to steal data from many more high-profile companies, including Samsung, Microsoft, and T-Mobile.

However, the hacking group’s activity came to an abrupt end in March when the London police arrested seven individuals suspected of participating in a hacking operation under the name LAPSUS$. The suspects, aged 16 to 21, included the leader of the group who went by the name “White.” These arrests were thought to be the end of LAPSUS$, as the group’s internal chat logs contained just seven members and their public communications have ceased.

That said, some mysteries regarding the group’s members and activity still linger. Like many recent cybercriminals, LAPSUS$ ran a public Telegram channel where it publicized its activity. This channel was created on December 9, 2021. LAPSUS$ was originally thought to be based in South America, as the group’s communications were initially issued primarily in Portuguese, and the group’s first targets were Brazilian. The NVIDIA breach marked a sudden shift for LAPSUS$, with the hacking group switching its communications exclusively to English and the group re-focusing on targets located outside of Brazil.

The fact that the seven members of LAPSUS$ arrested in the UK turned out to be youngsters living with their parents makes the first months of the group’s public activity puzzling. Were the group’s members trying to present themselves as a Brazilian hacking group by beginning with Brazilian targets and issuing statements in Portuguese, or is there more to this story?

Perhaps there were more than just seven members of LAPSUS$. News of the seven arrests broke on March 24, but the hacking group’s last public communications are dated March 29. The group announced that it was “officially back from a vacation” and posted a link to a torrent of data stolen from Globant. Were the members of LAPSUS$ able to post these messages on Telegram while in custody, or were there members that escaped arrest?

Uber seems to believe that LAPSUS$ is still active in some capacity, having pinned its recent data breach on an actor affiliated with the hacking group. The company also acknowledged the reports that this same actor was behind the Rockstar Games data breach. That said, Uber’s investigation of the intrusion into its internal systems is still ongoing, so the company has yet to draw its final conclusions. The company said that it is in close contact with both the FBI and the Department of Justice. Uber also identified the account of an Uber EXT contractor as the initial access point for the hacker and reiterated that its investigation has revealed no evidence that the hacker accessed user accounts or data.

We’ll have to see if any further evidence surfaces that the actor, or actors, behind the Uber and Rockstar Games data breaches are linked to LAPSUS$ in some way. Both data breaches seem somewhat out of character for LAPSUS$. In the past, the hacking group has retained stolen data for a period before releasing it, using the data as leverage to make demands of the victim companies. In the case of the Rockstar Games breach, it looks as though the hacker posted the stolen game footage straight to the GTA forums. The hacker did indicate that he may have more data to share, but no demands were made of Rockstar Games.

The Uber data breach is even more puzzling, as the hacker has yet to publicly indicate any intention to release stolen data or to use said data to make demands of Uber. He simply posted a handful of screenshots and sent a message in Uber’s internal Slack workspace with a hashtag stating that Uber underpays its drivers. Both LAPSUS$’ Telegram and Matrix channels also remain inactive. If LAPSUS$ was involved in these recent data breaches, they would seem to mark a new chapter for the hacking group.