Two teenagers charged with Lapsus$ cyber attacks

The City of London Police has charged two teenagers, one aged 16 and the other 17, in connection with an ongoing investigation into the Lapsus$ cyber crime gang.

The two individuals, whose identities cannot legally be revealed because they are under the age of 18, are understood to be among seven arrested on 25 March as part of the force’s investigation into a series of cyber attacks conducted by Lapsus$.

Detective inspector Michael O’Sullivan of the City of London Police said: “The City of London Police has been conducting an investigation into members of a hacking group. Two teenagers, a 16-year-old and a 17-year-old, have been charged in connection with this investigation and remain in police custody.

“Both teenagers have been charged with three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation and one count of unauthorised access to a computer with intent to hinder access to data.

“The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program.

“They will both appear at Highbury Corner Magistrates Court this morning (1 April 2022).”

The Lapsus$ group, which is also tracked as DEV-0537, has attacked and leaked data from a number of high-profile technology companies, including Nvidia, Samsung, Ubisoft, Okta and Microsoft, in a four-month spree. It “went dark” following the arrests, but since last week, individuals associated with the group have leaked internal and customer data from software development platform provider Globant.

Lapsus$ was initially referred to by many as a ransomware gang, but it has since become apparent that it does not deploy ransomware in the traditional sense, but rather moves straight to what might be termed the second stage of a double extortion attack – stealing data and demanding a ransom not to leak it.

Lapsus$ is notable for its use of tactics that are less usually associated with high-profile threat actors, including phone-based social engineering, SIM-swapping to take over accounts, hacking into the personal email accounts of employees at its target organisations, and even paying employees, suppliers and partners of its targets to obtain valid network credentials.

Searchlight Security analysts said the group’s relative youthfulness was clearly displayed by its “chaotic organising on Telegram, its methods of publicly crowdfunding access to corporate networks, and its reckless attitude towards protecting its reputation within cyber crime circles”.

In an article published by Wired in March, Mandiant’s Charles Carmakal said the group’s modus operandi was more reminiscent of hacktivist collectives such as Lulzsec and Anonymous, which had more politically oriented than financial motives, and in many cases hacked for the fun of it.