Samsung today confirmed a breach of its systems, reportedly the work of hacking gang Lapsus$, which saw 190GB of the South Korean electronics company’s data, including source code for its Galaxy devices, leaked online. The attack came days after Lapsus$ breached another Big Tech business, chipmaker Nvidia. While both incidents appear to have been mercenary in nature, security researchers believe the gang could be pursuing another agenda too.
Lapsus$ released the Samsung data onto its website, as well as posting it on messaging platform Telegram.
Today Samsung confirmed the breach was genuine and said that though source code has been seized by the hackers, no personally identifiable information from employees or customers had been accessed.
“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” a Samsung spokesman said.
“According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”
#NEWS! Critical statement from the #LAPSUS #Hacker group. The group that #hacked #NVIDIA before, announced that it hacked #Samsung (@SamsungMobile) this time.
— IntelStrike (@IntelStrike) March 5, 2022
News by @IntelStrike pic.twitter.com/PPXiLwFtUd
The information posted online included source code for every trusted applet installed in Samsung’s TrustZone environment, which is used for sensitive operations such as hardware cryptography, binary encryption, and access control, algorithms for all biometric unlock operations and what appears to be confidential source code from US semiconductor company Qualcomm.
The attack occurred just a day after Lapsus$ breached Nvidia’s defences in an incident where the group claims to have lifted a terabyte of data, including specifications for some of Nvidia’s hardware. Subsequently, Lapsus$ leaked 20GB of this data, including the credentials of 71,000 Nvidia employees. The company says it is “investigating a cybersecurity incident which impacted IT resources.”
Who are Lapsus$?
Thought to be based in Brazil, Lapsus$ has been on the radar of security researchers since 2020, but gained notoriety last year when it took credit for targeting Brazil’s health ministry, says Xue Yin Peh, senior cyber threat intelligence analyst at security business Digital Shadows. “In that attack, the group claimed to have exfiltrated 50TB of data and erased the information from the official databases,” Peh says. “Subsequent Lapsus$-claimed attacks seemingly targeted other Brazilian organisations or Portuguese-speaking companies, such as Impresa, Claro, Embratel, NET, and Localiza.”
These attacks may have emboldened the group to go after larger international targets. “The recent attacks against Nvidia and Samsung suggest an expansion of their targeting scope and interests, likely emboldened by the success of previous operations,” Peh adds.
Previous attacks have seen Lapsus$ demand ransom from its victims, and the group reportedly asked for money from Nvidia before leaking its employee information, though Nvidia has yet to confirm this. Samsung has also remained tight-lipped on whether any ransom demand has been issued, or paid.
The consequences of the Samsung data breach
While Samsung has said that customers will not be affected by the breach, the company’s security secrets may now be up for grabs for its rivals, says Jon Andrews, vice president for EMEA at risk intelligence platform Gurucul. “Samsung’s competitors will have access to company data that will allow them to close any competitive advantage the software giant might have had over them,” Andrews says.
The fact that Lapsus$ has obtained source code could also be an indicator that Samsung and its partners may have more issues to come, says Felix Rosbach, product manager at data security company comforte. “Getting access to source code may be a pure coincidence but could also be a targeted operation to increase impact, steal intellectual property or to start a supply chain attack,” he says.
Is Lapsus$ targeting Big Tech?
Peh believes Lapsus$ is targeting big tech companies like Samsung and Nvidia because they offer the best chance of a large pay-out. “Although the group’s methods show some divergence, these types of threat actors are ultimately after a financial payout,” Peh says. “This is likely the case for Lapsus$ – the group left contact details on victims’ systems, likely to establish communication for negotiation over ransom payment.”
Andrews says the group’s motivations may extend beyond mere extortion. “Lapsus$ has said in the past their actions aren’t politically motivated,” he says. “But the fact that they don’t just simply encrypt their victim’s data and demand a ransom indicates that they are not just after a quick profit. Rather, it appears they have some sort of agenda, whatever that might be.”
Jason Steer, global CISO at threat intelligence company Recorded Future, believes the timing of the data being leaked, coinciding with the Mobile World Congress (MWC) trade show in Barcelona, may not have been a coincidence. With MWC being a “huge event” for Samsung, Steer says releasing the data on the conference’s final day may have been “deliberate, to cause maximum effect.”