

The Week in Security: Is Lapsus$ back in action?

Carolynn van Arsdale, Writer, ReversingLabs.


Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team about the most pressing topics in cybersecurity. This week: the well-known hacking group Lapsus$ appears to be back in action. Also: Russian cyber spies are targeting Ukraine by posing as internet providers.

This Week’s Top Story

What’s the deal with Lapsus$? 

Last week was a big news week for data breaches. It was reported on Friday that Uber had been hit with a major data breach. Not long after, Rockstar Games, the video game company famous for its hit game Grand Theft Auto (GTA), also suffered a data breach.

For Uber, large parts of its internal network were accessed by an 18-year-old hacker who made themselves known on the company’s Slack channel, announcing to employees last Thursday that Uber had been officially hacked. For Rockstar Games, the company shared that it suffered a “network intrusion” attack in which the hacker illegally downloaded footage of the not-yet-released GTA VI. 90 video clips from GTA VI were then leaked to the internet following the hack.

Not only are these incidents similar in the kind of attack the hackers managed to pull off on both companies, but the threat actors behind both incidents may be related. On Monday, Uber shared an additional statement about its breach, saying that it believes the attacker behind the incident to be part of Lapsus$, a well-known hacking group that we’ve highlighted before.

The data breach that Rockstar Games suffered may be connected because of how the leaked GTA footage was released. The leaked video clips, posted on GTAForums by a user named “teapotuberhacker,” suggest that this user may be the same individual who hacked Uber, reports The Hacker News. This raises the question: did Lapsus$ target both Uber and Rockstar Games, just days apart?

Lapsus$ first made moves back in December of 2021 with an attack on Brazil’s Ministry of Health, but drew international attention in March of 2022 for a string of major hacks that targeted Microsoft, Okta, NVIDIA, Samsung, and Vodafone. The hacking group has been known to use low-tech methods to score big data thefts from major companies and organizations. This week’s breaches also fit that profile of the group.

Major media attention on the group’s attacks was followed by the swift legal prosecution of 2 Lapsus$ members in the U.K., both under 18 years old. Despite these arrests, Lapsus$ activity did continue, but quieted down in the months that followed (until now, of course).

While it still isn’t known for certain that Lapsus$ is behind both the Uber and Rockstar Games hacks, it’s clear that there is major concern about young individuals (teenagers, more specifically) being able to target major companies with little high-tech skill. This says a great deal not only about the changing threat actor landscape, but also about major companies’ lack of cybersecurity protocols.

News Roundup

Here are the stories we’re paying attention to this week…

Microsoft Defender for Endpoint will turn on tamper detection by default (BleepingComputer)

Microsoft says tamper protection will soon be turned on by default for all enterprise customers in Microsoft Defender for Endpoint (MDE) for better defense against ransomware attacks.

IT giants warn of ongoing Chromeloader malware campaigns (Security Affairs)

This week, VMware and Microsoft warned of an ongoing, widespread Chromeloader malware campaign that is dropping malicious browser extensions, node-WebKit malware, and ransomware.

American Airlines suffers a data breach (Gizmodo)

American Airlines experienced a breach of its customer and employee data in early July. The company announced the hack more than two months later in a letter to affected customers sent on Friday.

Russian cyberspies targeting Ukraine pose as telecom providers (Security Week)

A Russian cyberespionage group tracked as UAC-0113 is using dynamic DNS domains masquerading as telecommunications providers in ongoing attacks targeting entities in Ukraine, Recorded Future reports.

France and Germany fall foul to Europe's data retention rules (The Register)

On Tuesday, the European Court of Justice (ECJ) issued rulings that limit indiscriminate data retention in France and Germany.
