Samsung Admits Hackers Stole Source Code

Hacking group Lapsus$ has gained another high profile scalp, after Samsung confirmed it has suffered a security breach.

According to Bleeping Computer, the hacking group posted a 190 GB dump of data mined from Samsung Electronics, which is said to include company data and even some source code of its Galaxy devices, which of course includes the Galaxy smartphone portfolio.

It comes after Lapsus$ last week hacked GPU powerhouse Nvidia. The hackers then released a 20GB document archive of 1TB of data stolen from the GPU designer.

Samsung hack

It has done the same with Samsung, after it published 190GB data dumps, which included source code for every Trusted Applet (TA) installed in Samsung’s TrustZone environment used for sensitive operations.

According to Bleeping Computer, the data also includes algorithms for all biometric unlock operations; bootloader source code for all recent Samsung devices; confidential source code from Qualcomm; source code for Samsung’s activation servers; and full source code for technology used for authorizing and authenticating Samsung accounts, including APIs and services.

If this is accurate, it could prove to be a hugely damaging hack of the South Korean electronics giant.

Samsung confirmed the security breach in a statement published by Sam Mobile and other media outlets.

“We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system,” Samsung reportedly said.

“According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices but does not include the personal information of our consumers or employees.”

“Currently, we do not anticipate any impact to our business or customers,” it said. “We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption.”

So the good news is that Samsung customer data does not seem to have been impacted, but the leaked source code data some provide insight into how Samsung operates and secures its devices.

No ransom

One security expert noted that Lapsus$, which is thought to be a Brazil-based ransomware gang, did not bother to ask for a ransom in this case.

“Data breaches like this often have a price tag attached but these bad actors have just gone straight to releasing the data without a ransom note, leaving the targeted victims scrambling around trying to reduce the impact where possible,” noted Jake Moore, global cyber security advisor at ESET.

“Without any word from Samsung, the full scale of the attack will remain unknown but there is the potential that this data leak could leave millions of devices at risk and exposed until Samsung are able to patch remotely,” said Moore.

Source code

Another expert addressed the fact that source code has been leaked, which could prove to be very damaging for Samsung.

“Lapsus$ has struck again, targeting Samsung less than a week after leaking sensitive data stolen from Nvidia,” said Jack Chapman, VP of Threat Intelligence at Egress. “It’s concerning for an organisation to have any data stolen by cybercriminals – but it will be the potential leak of confidential source code that’s keeping Samsung’s executives awake at night.”

“The exposure of such highly confidential, strategic information could be devastating for Samsung and their security teams will be working to ascertain exactly what data was stolen – and whether there might be further leaks to come,” said Chapman.

“This attack, following the one on Nvidia, further confirms that Lapsus$ is a force to be reckoned with – and that organisations must not ignore the threat of extortion gangs,” said Chapman. “As this incident shows, hackers can access even the largest conglomerates, which are likely to have robust security protections in place. In the current environment of heightened security risk, it’s imperative that organisations of all sizes heed the NCSC’s advice and prioritise cybersecurity preparedness.”

Further attacks

Another expert also agreed about the damaging nature of the source code leak, and warned it could results in further cyberattacks in the future.

“Stolen source code is a scary prospect for organisations, and unfortunately, it opens the door for potential further cyberattacks on the business and its customers,” sad Sam Linford, AVP EMEA Channels at Deep Instinct.

“The Lapsus$ data extortion group stole 190GB of data which apparently contains ‘confidential Samsung source code’, including code relating to the operation of Galaxy devices, algorithms for all biometric unlock operations, and technology used for authorising and authenticating Samsung accounts,” said Linford.

“Threat actors who gain access to source code may be able to find the security vulnerabilities within the organisation’s product,” said Linford. “This means that cyber criminals are then able exploit weaknesses within the network which are unknown to the organisation.”

“Although Lapsus$ teased their followers about the leak, the group is yet to release all the data,” said Linford. “It is not uncommon for stolen data to be bought and sold by cyber criminals on the dark web.”

“Once multiple threat actors have their hands on an organisation’s security details and weaknesses, then unfortunately, they are more likely to be targeted,” said Linford. “Only one cyberattack has to be successful in order to cause significant and irreversible damage to an organisation, therefore businesses must ensure that they have a cybersecurity solution which can stop the possibility of source code being stolen.”

“Endpoint detection and response (EDR) is no longer enough, with the solution needing malware to execute before it can be picked up as malicious,” Linford concluded. “With some of the fastest ransomware now encrypting within 15 seconds of being executed, organisations need to look towards prevention-first solutions. ”

Linford said that technologies, such as deep learning – a subset of AI, are able to stop malware before data can be stolen.

“Deep learning delivers a sub-20 millisecond response time to stopping a cyberattack before it can execute and take hold of an organisation’s network,” said Linford. “If organisations were to implement solutions, such as deep learning, users on the dark web will be seeing less and less ‘bargain deals’ for an organisation’s sensitive data.”

Phone exploits?

Another security expert said the source code leak, besides being useful for criminals, could also be exploited by law enforcement and its security suppliers, to help them access people’s mobile devices in the future.

“Some specific parts of the code that have been leaked are key security components for Samsung devices, this could make cracking and breaking into phones easier,” said Chris Vaughan, Area VP of Technical Account Management for EMEA at Tanium.

“I expect attackers to test if biometric security controls such as fingerprint and face ID can be bypassed,” said Vaughan. “This could even be leveraged by law enforcement and could be a privacy concern for Samsung users. We have seen several issues in the past with breaking into phones being challenged, most notably the FBI Apple Encryption Dispute.”

“In theory, this breach could make it easier for malware to be written to exploit phones remotely, and since Samsung is widely used the attack surface could be large and lucrative for cybercriminals,” said Vaughan.

“The potential consequences of this breach again highlights the importance of cybersecurity for all organisations,” said Vaughan. “Protecting any organisation from the impact of a cyberattack comes down to ensuring that there is visibility across the IT estate to identify any problems and to have the control in place so that any issues can be fixed at speed. In the aftermath of an attack, it is important to immediately start the process of damage control, to mitigate the impact as much as possible – and having appropriate back-up and disaster recovery solutions in place is crucial to doing so.”

Encrypt data

Meanwhile Shane Curran, CEO at encryption firm, Evervault noted that with attacks like this ongoing, businesses need to guarantee that any stored customer data is fully encrypted.

“Ransomware is one of the most significant dangers to businesses worldwide,” said Curran. “Businesses must guarantee that data, whether it is credit card information, passwords, or health information etc, is encrypted to avoid becoming an easy target for cybercriminals.”

“Strong encryption, when properly applied, is a business asset and a tool in the arsenal of successful companies,” said Curran.

“The widespread adoption of strong encryption will reduce the ongoing incentive for businesses to pay ransoms, a harmful tendency that promotes the global expansion of cybercriminal operations,” Curran concluded.