Uber launches infosec hiring spree after attributing breach to LAPSUS$

Uber and Rockstar Games logos appearing side by side
(Image credit: Getty Images)

Uber has embarked on a hiring spree for security personnel in the wake of its data breach last week and has also revealed new details about who was behind the attack.

On Friday last week, several open positions appeared on LinkedIn just one day after the ride-hailing tech giant confirmed the breach to the public.

Roles that are still open for applications include senior security incident commander to lead incident response, security engineer and security engineering manager at the company's threat detection division, and senior security engineers across applications security, enterprise security, and investigations.

The positions opened for applicants the day after the attack was confirmed and shows Uber’s commitment to tightening its security following the breach.

In an update to customers on Monday, Uber also confirmed several other details about who was behind the attack and how the cyber criminals were able to successfully breach the company.

Uber attributed the attack to the LAPSUS$ hacking group which came to prominence in early 2022, claiming successful attacks on major companies such as Microsoft, Okta, Nvidia, Samsung, and T-Mobile.

The group has been described as both “competent and incompetent at the same time” by experts and is believed to be run by young cyber criminals in Portugal, Brazil, and the UK whose ages range between 16 and 21.

Unlike many emerging cyber criminal organisations, LAPSUS$ does not operate on a ransomware model and in the case of the Uber hack, the company said the group managed to gain access to a contractor’s account by spamming multi-factor authentication (MFA) prompts.

Uber believed the contractor’s device had been infected with malware, allowing hackers to steal credentials and sell them to LAPSUS$ on the dark web.

From there, the attackers repeatedly tried to gain access to the contractor’s account using the stolen credentials, and the repeated attempts would have delivered a frustrating number of prompts to the contractor’s phone.

The contractor eventually accepted one of the prompts allowing the attackers full access to their account.

This is a known attack method in the industry and relies on sending so many prompts that the target becomes annoyed with all the notifications and accepts one to make them stop.

LAPSUS$ is also known for having deployed such tactics in the past, saying they prefer to carry them out while the target sleeps to maximise effectiveness.

“From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G Suite and Slack,” said Uber.

“The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.”

Uber said the attackers were able to access and download Slack messages - the content of which was not specified - and download data from its finance team’s invoice management tool.


Introducing IBM Security QRadar XDR

A comprehensive open solution in a crowded and confusing space


LAPSUS$ also accessed Uber’s HackerOne dashboard. HackerOne is a security bug and vulnerability reporting platform, though the only reports available to the hackers were regarding vulnerabilities that had already been remediated, Uber said.

The company confirmed nothing else was affected, including its code base or any of its public-facing apps or technologies.

Uber also confirmed that LAPSUS$ was unable to access any customer data stored by its cloud providers, including AWS’ S3.

“We’re working with several leading digital forensics firms as part of the investigation,” said Uber, which also said the investigation is still ongoing.

“We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.”

Uber also revealed that it believed LAPSUS$ was the hacking group behind the recent breach of Rockstar Games - the developers of popular video game franchises such as Grand Theft Auto and Red Dead Redemption.

The studio announced over the weekend that it had fallen victim to a significant data breach which involved the leaking of footage from the company's pre-alpha version of the upcoming Grand Theft Auto VI game.

“We recently suffered a network intrusion in which an unauthorised third party illegally accessed and downloaded confidential information from our systems, including early development footage for the next Grand Theft Auto [game],” said Rockstar Games.

Uber said it is working with the FBI and US Justice Department to investigate the incident further. It’s unclear if the authorities are also investigating the incident at Rockstar Games, too.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.