Uber Pins Security Breach And Huge GTA 6 Leak On Teen Hacking Group Being Targeted By FBI

LAPSUS$ first gained wide notoriety in February of this year after allegedly stealing 1TB of data from NVIDIA. While the group appears to have been active as early as December 2021, NVIDIA was the group’s first high-profile victim. NVIDIA supposedly hit LAPSUS$ back with ransomware, but this counterstrike didn’t deter the group from continuing its hacking spree. LAPSUS$ went on to steal data from many more high-profile companies, including Samsung, Microsoft, and T-Mobile.
However, the hacking group’s activity came to an abrupt end in March when the London police arrested seven individuals suspected of participating in a hacking operation under the name LAPSUS$. The suspects, aged 16 to 21, included the leader of the group, who went by the name “White.” These arrests were thought to be the end of LAPSUS$, as the group’s internal chat logs contained just seven members and its public communications had ceased.

That said, some mysteries regarding the group’s members and activity still linger. Like many recent cybercriminals, LAPSUS$ ran a public Telegram channel where it publicized its activity. This channel was created on December 9, 2021. LAPSUS$ was originally thought to be based in South America, as the group’s communications were initially issued primarily in Portuguese, and the group’s first targets were Brazilian. The NVIDIA breach marked a sudden shift for LAPSUS$, with the hacking group switching its communications exclusively to English and refocusing on targets located outside of Brazil.
Perhaps there were more than just seven members of LAPSUS$. News of the seven arrests broke on March 24, but the hacking group’s last public communications are dated March 29. The group announced that it was “officially back from a vacation” and posted a link to a torrent of data stolen from Globant. Were the members of LAPSUS$ able to post these messages on Telegram while in custody, or were there members who escaped arrest?

Uber seems to believe that LAPSUS$ is still active in some capacity, having pinned its recent data breach on an actor affiliated with the hacking group. The company also acknowledged the reports that this same actor was behind the Rockstar Games data breach. That said, Uber’s investigation of the intrusion into its internal systems is still ongoing, so the company has yet to draw its final conclusions. The company said that it is in close contact with both the FBI and the Department of Justice. Uber also identified the account of an Uber EXT contractor as the initial access point for the hacker and reiterated that its investigation has revealed no evidence that the hacker accessed user accounts or data.
We’ll have to see if any further evidence surfaces that the actor, or actors, behind the Uber and Rockstar Games data breaches are linked to LAPSUS$ in some way. Both data breaches seem somewhat out of character for LAPSUS$. In the past, the hacking group has retained stolen data for a period before releasing it, using the data as leverage to make demands of the victim companies. In the case of the Rockstar Games breach, it looks as though the hacker posted the stolen game footage straight to the GTA forums. The hacker did indicate that he may have more data to share, but no demands were made of Rockstar Games.