Uber believes a hacker linked to the notorious Lapsus$ gang was behind a major breach of its systems last week. The company revealed the offender gained access to its system by stealing a contractor’s credentials, and said the same offender may be behind a breach of systems at Rockstar Games, which saw details of its upcoming title Grand Theft Auto VI leaked online.
Last week’s Uber hack saw an attacker gain access to a wide range of the company’s systems, before taunting staff on the company’s internal Slack channels. In a security update released yesterday, the ride-hailing giant revealed details of the breach and the steps it has taken to mitigate damage.
How the Uber cyberattack happened
It is thought a contractor working for Uber had their credentials stolen and used by the hacker. “It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web after the contractor’s personal device had been infected with malware, exposing those credentials,” Uber said. “The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.”
This enabled the criminal to access several other employee accounts which “ultimately gave the attacker elevated permissions to a number of tools”. These included G-Suite and Slack.
Uber says its investigation has not yet turned up any evidence that the attacker was able to access databases containing customer data, and that it does not think the hacker made any changes to its codebase. However, they may have downloaded information from an internal system used by the company’s finance team to process invoices.
Meanwhile, the offender also gained control of the company’s HackerOne security console, where bugs and vulnerabilities are logged. Uber says any problems exposed in the breach have been remediated.
Who was behind the Uber cyberattack?
An investigation into the incident is ongoing, and Uber said “we believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$”.
As reported by Tech Monitor, Lapsus$ went on a high-profile hacking spree earlier this year, targeting the likes of Microsoft, Samsung and digital identity provider Okta. Reports at the time suggested the group’s mastermind was a 16-year-old boy, and in March, UK police arrested seven teenagers purported to have links to the gang.
The group has also been linked to a hack on software developer Rockstar Games this weekend, which saw videos of the development of hotly anticipated game Grand Theft Auto VI, as well as source code purporting to be from GTA V, leaked online.
“We recently suffered a network intrusion in which an unauthorised third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto,” Rockstar said in a statement. “At this time, we do not anticipate any disruption to our live game services nor any long-term effect on the development of our ongoing projects.”
Uber’s security update noted: “We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.”