Lapus$ Extortionists Leak 190GB of Samsung Data After Massive Cyberattack

by | March 10, 2022 | Cybersecurity News

The Lapus$ cybercriminal group recently leaked a massive confidential data trove that they claim to have exfiltrated from tech giant Samsung Electronics.

The data leak comes on the heels of another hit that resulted in a 1TB data collection stolen from Nvidia, out of which the extortionists published online a 20GB archive.

Extortionists Tease Huge Samsung Data Leak

The hacker group posted a note in which they teased about leaking the South Korean giant’s data, along with a screenshot of C/C++ directives.

Samsung data leak tease from Lapus$.
Source: Bleeping Computer

Soon after teasing about the upcoming data leak, Lapus$ also provided a description and what it will contain.

  • source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations (e.g. hardware cryptography, binary encryption, access control)
  • algorithms for all biometric unlock operations
  • bootloader source code for all recent devices
  • confidential source code from Qualcomm
  • source code for Samsung’s activation servers
  • full source code for technology used for authorizing and authenticating accounts, including APIs and services

If the cybercriminals are not bluffing and the data really is what they claim it is, then the well-known tech giant is in big trouble and could suffer massive damage.

The group split the data into three archives worth 190GB and made them available for download in an apparently popular torrent – more than 400 peers sharing the content. Lapus$ also promised to deploy more servers in order to increase the download speed.

Source: Bleeping Computer

The extortion gang also included in the torrent a brief description of the content available in each of the three compressed files:

  • Part 1 contains a dump of source code and related data about Security/Defense/Knox/Bootloader/TrustedApps and various other items
  • Part 2 contains a dump of source code and related data about device security and encryption
  • Part 3 contains various repositories from Samsung Github: mobile defense engineering, Samsung account backend, Samsung pass backend/frontend, and SES (Bixby, Smartthings, store)

It is still unknown whether or not the threat actors behind the attack contacted the company to solicit a ransom, as they claim to have had done in the Nvidia attack.

Lapsus$ Going For High-Profile Targets

Last month, the ransomware group attacked Nvidia and exposed 71,000 employee accounts.

Just a few hours into 2022, one of their attacks crippled the media giant Impresa, owner of the most prominent television station and newspaper in Portugal.

The Lapsus$ ransomware gang made it obvious they were behind the attack by defacing all of Impresa’s websites with a ransom note to let the company know that they had gained access to Impresa’s Amazon Web Services account. Lapsus$ identified itself as responsible for the ransomware attack by tweeting from one of Impresa’s verified Twitter accounts.

The Lapsus$ gang was first spotted in 2021, and its most noticeable attack was targeted at the Brazil Ministry of Health in December. Following the incident, several online entities were taken down, information on citizens’ COVID-19 vaccination data was wiped out, and the system that issues digital vaccination certificates was disrupted as well.



by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.