LAPSUS$, the hacking group responsible for the recent Nvidia hack, claim to have breached tech giant Samsung to steal almost 200GB of sensitive data.
Among the 190GB trove of exposed files is source code for Samsung’s activation servers, bootloaders and biometric unlock algorithms for all recently released Samsung devices, and trusted applets for Samsung’s TrustZone environment. Confidential source code belonging to Qualcomm is also believed to be among the leaked data
Members of the LAPSUS$ hacking group have claimed responsibility for the data breach, posting details of the obtained data in a Telegram channel and telling other members to “enjoy” the contents which have been made available to download over Torrent.
According to the message, the hackers also managed to obtain “various other data”, yet the elements listed could place Samsung device users in immediate threat of being hacked or impersonated by cyber criminals.
For instance, the trusted applets (TA) source codes obtained by LAPSUS$ are installed in Samsung’s Trusted Execution Environment (TEE) known as TrustZone, meaning that the hackers – and everyone who has downloaded the Torrent files – could be able to bypass Samsung’s hardware cryptography, binary encryption, as well as access control.
The total size of the leaked data comes to about 190GB, which LAPSUS$ split into three compressed files, and more than 400 peers have already downloaded and shared the torrent.
The best defence against ransomware
How ransomware is evolving and how to defend against it
A Samsung spokesperson said that it has taken steps to bolster its security system "immediately after discovering the incident".
"According to our initial analysis, the breach involves some source code relating to the operation of Galaxy devices, but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption," they told IT Pro.
Qualcomm wasn't immediately available for comment, and it remains unclear whether the hacking group had any demands for Samsung before it leaked the confidential data.
News of the hack comes just weeks after researchers found “severe” security flaws in a long line of Samsung's flagship smartphones that, if exploited, would enable attackers to lift cryptographic keys.
It also comes five days after Nvidia confirmed that the LAPSUS$ hacking group had successfully breached its systems on 26 February and distributed 1TB of confidential company data, including security credentials belonging to 71,000 past and present Nvidia employees.
The hacking collective managed to obtain the data using a double extortion method of operation that involves compromising a victim and stealing data before encrypting their machine, as well as threatening to leak the stolen data if the ransom isn’t paid. Double extortion cases have been on the rise in the past year, with one in seven cases resulting in critical data being leaked.
Although LAPSUS$’ attacks come amid the escalating cyber warfare caused by the Russian invasion of Ukraine, the hacking group has maintained that it’s “not state sponsored” and that its actions aren’t politically motivated.
Carbonite and Webroot principal solutions analyst Matt Aldridge said that, similarly to "most modern cyber attacks, these gangs continue to be more inventive with the types of data and businesses they target".
"Considering the victim is a high-profile business, the hackers may have posted a message releasing Samsung’s data with a snapshot of its source code so that they can gain additional leverage for a potential ransom demand. However, since the data breach has already occurred and the data has been exfiltrated, no amount of ransom payment can guarantee that all copies of the data will be securely destroyed," he added.
