
This is wild. What is the psychology behind this group? If they're not deploying ransomware, it seems like their purpose is to penetrate companies "because they can." Publicly offering to pay employees for credentials is a dynamic that I've never heard of, and in a rule-less game, it seems like it breaks new rules.


Yeah, they are selling some of the exploits (the low hash rate enable on nvidia cards), but even then they say that with what they released up until now it would be possible to figure out the way to do it by yourself. So the "for the lulz" element is very much central to their breaches and honestly that's a bit... refreshing? Not that I side with them or anything, but this is definitely more fun than ransomware.


> Not that I side with them or anything, but this is definitely more fun than ransomware.

I don't side with them. In the grand scheme of things they did open my eyes to the terrible IR processes of a much hyped company (okta), and they exposed how poor their product is/was. Security companies should be held to a higher standard when discussing breaches and IR. okta very much deserved it (and so does microsoft a 1000x). I don't endorse it but I can't hide my Schadenfreude either.


Or maybe they just want stuff for themselves and then uploaded it for the lulz?

I've heard of someone who completely reverse engineered the iTunes DRM just because he wanted to download 4K to watch the series that he had "bought" from Apple offline on his TV. It's more of a myth because that person refuses to release source code or details, but then again that is probably a sane decision. Still, I would be willing to believe that someone would do that just because they themselves feel irritated by the DRM.

Add a bit of youthful rakishness and someone might then upload the result to bittorrent, just because they can and don't care, i.e. "for the lulz".


"for the lulz" is always about plausible deniability


Why? It's not like saying "for the lulz" will help them when being prosecuted.


Yup; the Russian hacker groups are supposedly independent, Anonymous is supposedly independent, but there's probably some pretty big overlaps in Venn diagrams if you look closer.


I used to be on an IRC server that ran a honeypot to then find actual compromised servers and check them out - IIRC there were Ecuadorean government servers, and a load of routers in India, etc.

Most of it was just malware analysis and people creating pubstro servers for fun with different communities.

Not everything is Reds under the bed.


It's like Superfriends: everyone has their own gig and supports each other when crossing paths, but the Hall of Justice/Legion of Doom is the muster point when SHTF.


Reminds me of what deletescape and their associates did. They just broke into stuff and leaked it. There's lots of tweets and telegram messages explaining their motives. Now most of the tweets and telegram messages are deleted, but there's still some to see in articles and even in the FBI indictment.

Tillie had TERRIBLE opsec from day one tho. Everyone knew her real name and face. I once mentioned this in the group chat and she promptly tweeted a selfie saying "don't have opsec like me".

Considering this, it lasted pretty long actually.

Disclaimer: I was in no way involved and publicly stated my disapproval in the deletescape chats. It was however a thrill to see these things go down. Although it is equally sad how this young lady threw away a lot of future potential for her ideals, without making any significant changes imo.


It's not ransomware, but just extortion. Pay up or your files will be released. https://www.wired.com/story/lapsus-hacking-group-extortion-n...


Look at their telegram.

They seem to be someone who is clearly inexperienced and support "hacker ethos" and don't really know what they want. They started talking about "demanding" code under open source licenses and stuff like that....

I think they are just some young hackers that started punching above their weight, and something will happen to them sooner or later. But let's see


I find it hard to believe that someone who is "clearly inexperienced" has managed to do a lot of high-level hacks in a short amount of time; I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.


> I mean if someone who is "clearly inexperienced" has the capacity to do all that, we are so fucked.

I don’t know whether or not these folks are inexperienced, but it’s hard to overstate how truly bad software is, these days. Many software developers are inexperienced, and the entire industry is built like a house of cards.

The bar is very, very low, and over reliance on dependencies seems to be something that programmers actually boast about. Another point of pride seems to be deliberately ignoring experience and a careful approach (“Move fast and break things”).

But there’s certainly good money in being a security consultant. Lots of low-hanging fruit. That industry is growing like a weed.

https://xkcd.com/2030/


These days? I remember in the late 90s, early 2000s, and it really felt like 1/3 or so of all websites were vulnerable to things like PHP injection and SQL injection. I remember having to bypass login pages to do benign things like changing my password.


Websites have always been bad. In fact, they are probably better, these days, than they used to be. Web designers have traditionally not really been engineers, as such, so we can't really expect engineering discipline from them.

Despite that, I feel like Web designers are a bit more disciplined, these days, than the days of yore. It may be because the industry has matured, and there's now a prevalence of knowledge on the matter (as well as a lot of tools and frameworks that are actually pretty good).

The actual software behind them, that said tools and frameworks connect to, on the other hand...


The vulnerabilities have gotten more complicated, and the intelligence of the average developer has stayed the same.


Considering the expansion rate of the developer market, chances are that rate has actually gone down. But so has the intelligence of attackers, for the same reason.

I think things kinda balance out.


> has managed to do a lot of high-level hacks in a short amount of time

Correct me if I’m wrong but do their attacks actually involve significant skill?

Their offer of buying credentials/access from employees suggests their bank account might ultimately be bigger than their skills and they’re leveraging that approach.

Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.


> Of course, the question is, where is that money coming from and whether anyone is bankrolling them, and if so, what their motives are.

Wild speculation here, but if they are located in a country that is recently a lot less friendly with the west, maybe they decided that being overt isn't a real problem given what they are doing is de facto legal where they live. Being a Belarusian or Russian cybercriminal targeting the west is probably less risky now than ever before (and it wasn't especially problematic before.)


I was talking about their ability to bribe company insiders. You need to have money to begin with to be able to pay said bribes - where is it coming from, and why are they spending money to breach into companies for seemingly no major benefit?


It’s not unimaginable to think they also perform simple phishing or other attacks to drain bank accounts for their operating funds.


Never underestimate how much time, energy, and a total lack of care for rules a university student has, whilst simultaneously looking for something to prove[1]

1. https://en.wikipedia.org/wiki/LulzSec


A university student has much higher ethical and moral grounds than a criminal actor. Their something to prove rarely involves criminal activity.


From what I understand (IANAL), the bar for what constitutes criminal activity with computers is very, very low. As in, arguably the recent post by Julia Evans on undocumented web APIs[1] is a tutorial on performing criminal acts.

Which is not a judgment on whether LAPSUS$ is doing genuinely bad stuff—I don’t know—only to say that, when computers are involved, “criminal” not only doesn’t make a good consensus point on avoiding a slippery slope into overall badness, it doesn’t even seem to make a good heuristic on whether something is bad or not.

[1] https://jvns.ca/blog/2022/03/10/how-to-use-undocumented-web-...


Generally speaking hacking is unauthorized computer access.

More specifically, hacking under US law is:

Californian law, for example:

1. Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data or computer system to:

   a. Execute a scheme to defraud or extort a victim.

   b. Wrongfully control or obtain money, property or data.

2. Knowingly accesses and without permission takes, copies, or makes use of any data from a computer or takes or copies supporting documentation.

3. Knowingly introduces any contaminant or virus into any computer system.

4. Knowingly and without permission uses the Internet domain name or profile of another individual, corporation, or entity in connection with the sending of electronic messages that damage a computer system.

5. Knowingly and without permission disrupts or causes the denial of governmental computer services.

6. Knowingly and without permission disrupts or causes the denial of public safety infrastructure computer services.

US Federal Law:

- Knowingly accessing a computer without authorization to obtain:

  - Financial information

  - Information from a governmental department or agency

  - Information from any protected computer with the intent to defraud

- Knowingly causing the transmission of a program, information, or code from a protected computer

- Knowingly accessing a protected computer and causing damage and loss to that computer

Source: https://www.ncsl.org/research/telecommunications-and-informa...


Interesting that you can do all that stuff if you get permission except experiment with viruses.


Leaking data isn't petty crime. I can believe a student with anti-corporate views could see what LAPSUS$ are doing as a good thing. Or just a student who is good at cracking and wants to show off, criminality be damned.


it seems we attended very different universities :)


It might be a kid genius or we are seeing the birth of an AI


I got downvoted, but I was right: it was a kid genius.


Step one:

Find a group of enthusiasts that are not quite there yet, such as an enclave of SKitties. Give them superpowers, feed the hunger for recognition, silently run support operations, grease things up with cash so it feeds the illusion; in short, troll them into thinking they are leet. Let them be noticed, and create a fog of war.

Step two:

Now that the show is on, start actually infiltrating your hacks into position for a major attack. Let your SKitties be the fall guys.

When it's done cooking, it smells like state sponsored espionage.


I think they're a smokescreen for some state-sponsored group.

LAPSUS$ grabs the headlines, sows chaos, keeps security teams fighting fires. Meanwhile the truly important attacks proceed with great stealth.


If it's state-sponsored the number of nations is pretty limited. They attacked Brazilian government infrastructure, which rules out Russia, US, Israel and China who all maintain strong Brazilian relations.

That doesn't leave very many actors capable or willing to do this.

They also use Brazilian slang, which granted could just be disinfo to throw people off.


There are no friends in the spy game; this should have become abundantly clear after the revelations on US tapping the German chancellor as a matter of routine.

There might well be something that, say, some US interests want and Brazilian entities are not willing to share. Enter a bit of XXI century spycraft, and everyone is happy.

This said, it seems a bit too exposed to be an intelligence op, even as diversion. Even if misdirecting, it is raising alarms and improving the security posture of the affected organisations afterwards, which you typically wouldn't want as a spook. You want to put down invisible roots, to let everyone sleep soundly while you go about your business undetected.

To me this looks like an average gang with slightly above-average tech skills, drunk on their own success - with a mindset to "get rich, or die trying".


> There are no friends in the spy game; this should have become abundantly clear after the revelations on US tapping the German chancellor as a matter of routine.

Even in the late 1990s, the public learned the FVEY countries had explicit agreements to not spy on each others' governments. Anyone paying attention knew that meant that the US probably considered all non-FVEY governments fair game. Germany might feign surprise, but German counterintelligence knew there was a club, and they weren't in it.

In the early 2000s, I was contracted out to write (unclassified) network simulations for a US defense contractor. I was using a library written by a colleague contracted out to a French defense contractor. I found an apparent bug in poorly commented code (treating unexpected error codes as successes). My client instructed me that I could talk to my French colleague over the phone and verify that it really was a bug, but if the colleague asked, I couldn't tell him what the code was being used for (apart from general network simulation). Furthermore, if my colleague asked a second time what the library was being used for, I was to (1) assume he was working for French intelligence, (2) hang up immediately, and (3) report the incident to my client. My French colleague was experienced and smart enough not to ask the forbidden question. I was smart enough not to ask him about the purpose for which he originally wrote the library. We both knew the rules. Nobody paying attention is surprised that even close allies routinely spy on each other.


The Israeli and US secret services don't care about allies or strong relations. They do whatever they deem necessary to do their job, and both have been caught red-handed multiple times.


They also attacked at least a newspaper in Portugal (expresso.pt) and some government agencies.


Drain cryptocurrency accounts and use the money to buy shares in companies whose financials you have access to. Sell your data to private bidders. Plenty of ways to make money without ransomware.


Using stock trading is a TERRIBLE idea, that's how you get caught. SEC doesn't play around. I doubt they are doing that, private bidders seems way more likely.


You are vastly overselling SEC, but that's just my opinion.


they could have someone else hold the stock for them


Any way you can think of to get around insider trading, the SEC knows about. People try this stuff all the time lol


They really don’t and you’re just promoting the same mystical thinking about how the NSA / FBI / CIA is totally wiretapping us all and knows all our details.

Ask yourself the solve rate on most serious crime in the US.

While the SEC has "algorithms" to look for insider trading, it's mostly relying on folks with bad OPSEC bragging and getting turned in by bitter third parties.

Source: worked for Thesys / Thesys CAT group before our fucktard brass lost us the contract.


Getting around SEC insider trading rules? Easy peasy lemon squeezy:

"58 members of Congress have violated a law designed to stop insider trading and prevent conflicts-of-interest"

https://www.businessinsider.com/congress-stock-act-violation...


you overestimate their competency


What’s especially scary is the possibility that any employee whose credentials are stolen may be investigated for conspiracy.


Should be part of your threat modelling, so no, not a new dynamic.

"Threat Landscape and Good Practice Guide for Internet Infrastructure"

[PDF]: https://www.enisa.europa.eu/topics/threat-risk-management/th...


Useful list, thanks. I rather suspect "sharks" as a cause of damage or loss to IT assets is either an easter egg or a mis-translation...


Not really, it's under Damage to IT Assets :-)

"How Google Stops Sharks From Eating Undersea Cables":

https://www.forbes.com/sites/amitchowdhry/2014/08/15/how-goo...


Sharks, cats, possums, bored rural people with shotguns, a rockslide in the wrong valley in South America (there's pretty much just one pass that all east/west SA traffic passes through). All of these are things that occasionally take out either comms, or data centres on a semi-regular basis.


I stand corrected :)


Seems like maybe there are some political ambitions behind the group. Maybe anarchy aspirations?

