Teen suspected of being mastermind of Lapsus$ group that hacked Microsoft and Nvidia

NEW YORK (BLOOMBERG) – Cyber-security researchers investigating a string of hacks against technology companies, including Microsoft and Nvidia, have traced the attacks to a 16-year-old living at his mother’s house near Oxford, England. Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.

Lapsus$ has befuddled cyber-security experts as it has embarked on a rampage of high-profile hacks. The motivation behind the attacks is still unclear, but some cyber-security researchers say they believe the group is motivated by money and notoriety.

The teen is suspected by the researchers of being behind some of the major hacks carried out by Lapsus$, but they have not been able to conclusively tie him to every hack Lapsus$ has claimed. The cyber researchers have used forensic evidence from the hacks as well as publicly available information to tie the teen to the hacking group.

Bloomberg News is not naming the alleged hacker, who goes by the online aliases “White” and “breachbase”, is a minor and has not been publicly accused by law enforcement of any wrongdoing.

Another member of Lapsus$ is suspected to be a teenager residing in Brazil, according to the investigators. One person investigating the group said security researchers have identified seven unique accounts associated with the hacking group, indicating that there are likely others involved in the group’s operations.

The teen is so skilled at hacking – and so fast – that researchers initially thought the activity they were observing was automated, another person involved in the research said.

Lapsus$ has publicly taunted their victims, leaking their source code and internal documents. When Lapsus$ revealed it had breached authentication firm Okta, it sent the company into a public-relations crisis. In multiple blog posts, Okta disclosed that an engineer at a third-party vendor was breached, and that 2.5 percent of its customers may have been impacted.

Lapsus$ has even gone as far as to join the Zoom calls of companies they have breached, where they have taunted employees and consultants who are trying to clean up their hack, according to three of the people who responded to the hacks.

Microsoft, which itself confirmed it was hacked by Lapsus$, said in a blog post that the group has embarked on a “large-scale social engineering and extortion campaign against multiple organizations.”

The group’s primary modus operandi is to hack companies, steal their data and demand a ransom in order not to release it. Microsoft tracks Lapsus$ as “DEV-0537”, and said that the group has successfully recruited insiders at victimized companies in order to assist in their hacks.

The group suffers from poor operational security, according to two of the researchers, allowing cyber-security companies to gain intimate knowledge about the teenage hackers.

“Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” Microsoft said in a blog post. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations. DEV-0537 started targeting organizations in the United Kingdom and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail and health-care sectors.”

The teenage hacker in England has had his personal information, including his address and information about his parents, posted online by rival hackers.

At an address listed in the leaked materials as the teen’s home near Oxford, a woman who identified herself as the boy’s mother talked to a Bloomberg reporter for about 10 minutes through a doorbell intercom system. The home is a modest terraced house on a quiet side street about five miles from Oxford University.

The woman said she was unaware of the allegations against her son or the leaked materials. She said she was disturbed that videos and pictures of her home and the teen’s father’s home were included. The mother said the teenager lives at that address and had been harassed by others, but many of the other leaked details could not be confirmed.
