London police announced Friday that two teenagers had been charged with hacking crimes in connection to LAPSUS$, a cybercriminal gang that has managed to breach some of the biggest tech companies in the world over the past few months. Far from disintegrating in a leadership vacuum, though, the gang has continued to make digital mayhem without them.
The unnamed teens, a 16-year-old and a 17-year-old boy, face a bevy of charges, including “three counts of unauthorised access to a computer with intent to impair the reliability of data; one count of fraud by false representation and one count of unauthorised access to a computer with intent to hinder access to data,” Scotland Yard said. The duo, who remain in custody, were scheduled to appear in Highbury Corner Magistrates’ Court on Friday. A total of seven people were recently arrested in connection to the gang. The oldest of them is 21.
While the jailing of several of its alleged members would seem to signal an end to LAPSUS$, the group is, in fact, keeping busy. It hacked a new company earlier this week, and the fallout from its past escapades goes on.
After the arrests, a new LAPSUS$ hack
In a matter of months, LAPSUS$ has managed to conduct a series of remarkably successful cyberattacks on the likes of Microsoft, Samsung, Nvidia, and other big-name firms. The gang has leaked much of its victims’ data to the web and has often seemed motivated less by money than by a desire for fame and notoriety.
LAPSUS$’ newest victim is the global software developer Globant, which claims as its clients several blue chip technology companies. On Tuesday, LAPSUS$ updated its Telegram “leak” page with the following: “For anyone who is interested about the poor security practices in use at Globant.com. i will expose the admin credentials for ALL there [sic] devops platforms below.” The gang then dumped a bevy of passwords, along with a link to what it said was 70 gigabytes of Globant’s internal data. According to the gang, this tranche included some internal source code for several of Globant’s biggest clients, including Facebook and Apple.
When reached for comment on this incident, Globant referred Gizmodo to a prepared statement about the breach. The statement reads, in part:
According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.
That doesn’t mean Globant’s clients escaped the hack. Gizmodo spoke with Amir Hadzipasic, CEO of cybersecurity firm SOS Intelligence, who has been assessing the leak material. Hadzipasic said that the leak includes a wealth of proprietary data from both Globant and the companies that use its software.
“The leak archive contains a number of repositories, totaling some 70GBs worth of source code. We found that the repositories contain very sensitive information (beyond the Intellectual property of the source code itself),” he said.
Gizmodo also reached out to Apple and Facebook for comment on the alleged leaks and will update this story if they respond.
LAPSUS$ hacker appears to have stolen data from Meta and Apple
Another curious twist in the LAPSUS$ story comes alongside the emergence of a bizarre new cybercrime trend. On Tuesday, cybersecurity blogger Brian Krebs revealed that hackers had been using compromised law enforcement email accounts to submit phony data requests to tech companies to steal user information. The likes of Discord, Apple, and Meta have been fooled by this ploy and handed over an unknown amount of user data to hackers. At least one of the cybercriminals involved in these schemes is an alleged member of LAPSUS$.
On Wednesday, Bloomberg reported that hackers associated with a now defunct cybercrime group known as “Recursion Team” are reputed to be behind some of the fake data request attacks. While “Recursion” is no more, its former members are reportedly still active and are now affiliated with LAPSUS$.
We may get more information on the saga soon. On Thursday, Senator Ron Wyden (D-Oregon) announced that he had asked for clarity from tech companies and federal agencies on just how many fake data requests have resulted in user information being compromised. The senator also says that he has already “authored legislation to stamp out forged warrants and subpoenas.”
“I’m particularly troubled by the prospect that forged emergency orders may be coming from compromised foreign law enforcement agencies, and then used to target vulnerable individuals,” said Sen. Wyden in a statement provided to Gizmodo.
Sitel and Okta’s Woes
Another area of ongoing concern in the LAPSUS$ story involves the customer service giant Sitel, whose hacking led to the compromise of other companies’ data. One of LAPSUS$’ most prominent victims, Okta, was breached via its relationship with Sitel, which serves as a third-party service provider to the identity verification firm. In turn, Sitel says it was compromised by a legacy network being run by one of its recent acquisitions, an IT services firm called Sykes. Okta’s breach may have affected as many as 366 of its own clients, meaning hundreds of other companies are potentially feeling the impacts of this hack.
On Tuesday, Sitel published a blog post stating that it couldn’t say anything about its role as a starting point for LAPSUS$’ incursions.
“In full transparency, we are cooperating with law enforcement on this ongoing investigation and are unable to comment publicly on some of the details of the incident,” the statement reads.
Some security researchers who read Sitel’s statement noted the use of the plural term “clients,” which might imply that more companies than Okta were impacted by the cyberattack. Sitel has a sizable client base, including—you guessed it—large tech companies, the gang’s favorite targets.
When Gizmodo reached out to Sitel and inquired as to how many of its clients had been impacted by the recent cyber incident, the company merely referred us to the previously released statement. “Sitel Group have nothing further to add at this time beyond what is on their website,” said a representative via email. The company seems to have given similar answers to other outlets that inquired.