A recent police investigation here in the UK has resulted in several arrests of individuals who are suspected of being members of a cybercriminal operation.
While full details were not confirmed at first, the seven young people taken into custody by law enforcement officers were aged between 16 and 21 and were associated with the hacking group known as Lapsus$.
An investigation into a dedicated hacking group
In a recent statement from the City of London Police, Detective Inspector Michael O’Sullivan commented that the British law enforcement agency and its working partners had been carrying out an in-depth investigation into a specific cybercriminal group, which has so far resulted in seven arrests. The DI went on to confirm that the individuals had been arrested in direct connection with the ongoing investigation and that they had since been released while still under investigation. In its statement, the City of London Police made no formal mention of the hacking group that was the subject of its inquiry.
Reporting on the incident, the BBC stated that one of the people arrested was an Oxford teenager. Using the online aliases “Breachbase” and “White”, the 16-year-old is now accused of being an affiliate of the cybercriminal outfit Lapsus$. For over a year, the police had tracked White’s online activity. Although the cybercriminal used aliases to protect their identity, they were doxed after a falling out with others in the hacking scene, and as a result their personal details were leaked online.
Who are the Lapsus$ attack group?
In recent months, the Lapsus$ threat actor has expanded swiftly, launching attacks while stealing and disclosing source code belonging to major companies including Microsoft. While sometimes referred to as a ransomware gang in reports, the cybercriminal operation is in fact notable for never deploying ransomware for extortion attempts.
In the current environment, many threat operators favour the use of ransomware in order to encrypt data and often extort their victims for substantial sums of cryptocurrency in return for decryption keys. In many cases they threaten to publish stolen information to apply pressure. The Lapsus$ group is unusual in its goals as instead of reaping a financial reward it appears to seek notoriety instead.
Lapsus$ does not deploy malware when breaching a victim’s systems, nor does it encrypt data, and it rarely makes attempts at extortion. The group focuses instead on employing a combination of social engineering and illegally obtained credentials to secure access to targets.
Despite the lack of financial objectives in the gang’s strategy, Lapsus$ attacks involve stealing and leaking information that can be exceptionally damaging for firms. In some reported attacks by the gang where access was obtained to a company’s cloud environment, systems have been wiped on thousands of virtual machines.
Threat actors thrive by creating chaotic circumstances for enterprises. Whether their aim is to extort funds or steal data, the disruptive nature of such attacks can be costly for companies for many reasons. Along with funds lost by business downtime while forensic investigations are conducted, remediation measures to ensure a breach doesn’t occur again can also be expensive.