Lapsus$ group’s rampage, “protestware” and Ukraine deepfakes

The Lapsus$ ransomware group has claimed responsibility for a cybersecurity breach at NVIDIA. GBPublic_PR/Flickr

Welcome to Changelog for 3/20/22, published by Synack! I’m your host, Blake, and I’ll be attending ShmooCon this week, so I hope to see some of you there. Researchers at Google have shed more light on the tactics of a cybercrime “Initial Access Broker” with ties to the Conti ransomware gang, a prominent open source community member nuked their own code as a form of hacktivism and CISA teamed up with the FBI to warn about protecting satellite communications. Here’s the latest:


The payload

It’s all fun and games until someone leaks your source code.

The Lapsus$ ransomware group is having a bit of fun determining whose stolen source code to broadcast next, as Kim Crawley reported for README. The group ran a poll on Telegram identifying Vodafone as their next alleged victim.

Now, Lapsus$ has posted a screenshot allegedly taken from an internal Microsoft DevOps account, which, if true, would mark their highest-profile hack yet.

Members of the Portuguese-speaking hacking group seem to relish taking on targets in Big Tech, but their come-what-may attitude isn’t amusing to confirmed victims like NVIDIA and Samsung.

Mandiant senior vice president Charles Carmakal told Wired that Lapsus$ is reminiscent of old-school black hat hacking outfits like Lulzsec that wreak havoc for lolz.

But Lapsus$ is playing a more dangerous game, pairing typical data extortion with some more off-the-wall demands. Does Lapsus$ really think NVIDIA will make its IP open-source or remove cryptocurrency mining guardrails from its graphics cards? Meanwhile, the group has leaked hundreds of gigabytes of source code for Samsung products that could give other threat groups valuable ammunition for supply chain cyberattacks.

So far, Lapsus$ has taken aim at increasingly larger targets — “big game trophies,” as one expert told Crawley — with impunity. But it may be only a matter of time until the upstart ransomware crew bites off more than it can chew (Microsoft?) and sees some of its members get an unwelcome knock on the door.

The week, compiled

Facebook rushed to remove a deepfake video that falsely displayed Ukrainian President Volodymyr Zelenskyy urging his country’s troops to lay down their arms in the struggle against Russia’s invasion. The Ukrainian tabloid that published the video blamed “enemy hackers” for its appearance on the site, the Daily Dot reported. Hackers also hijacked a TV news ticker on Ukraine 24 to broadcast a similar message.

A still from a deepfake video of Ukrainian President Volodymyr Zelenskyy.

This was a crummy deepfake. Many Ukrainians took to Telegram to mock the fake Zelenskyy video’s poor quality and glitchy editing. Ukrainian authorities, including Zelenskyy himself, quickly debunked the disinformation campaign. The deepfake appeared to have little impact on Ukrainian fighters as Russia’s invasion stretched into its fourth week.

Still, every bit of distortion, no matter how cheesy, can make a difference in the fast-moving information environment that’s accompanied the war in Ukraine. And as deepfakes become easier to produce, everyone should expect the next video to be more convincing.

Here’s a recap of the week:

Vice: A member of the open source community sabotaged their own code to protest Russia and Belarus, replacing some versions of the widely used “node-ipc” npm software package with malicious code that overwrote files with a heart emoji. Open source maintainer RIAEvangelist drew pushback for the move, which they characterized as a form of “nonviolent protest against Russia’s aggression that threatens the world right now.”

CyberScoop: A botnet thought to be run by the formidable Russian state-sponsored hacking group Sandworm has turned up in ASUS hardware, according to Trend Micro research. The “Cyclops Blink” malware is focused on spreading itself to new routers and devices at the moment, but it could be laying the groundwork for future mayhem.

Reuters: President Biden has signed legislation that blocks former U.S. spies from working for foreign governments within 30 months of retiring. “We don’t want our best trained intel officers going straight into the hands of foreign governments for the sake of money,” said bill sponsor Rep. Joaquin Castro (D-Texas).

There are just four days left to get on the list for our party and networking event at the Jack Rose Dining Saloon in D.C.! Join me and several cybersecurity trailblazers paving the way for a more diverse and inclusive infosec community. Find free tickets here.

Politico Pro: The Transportation Security Administration’s pipeline cybersecurity requirements are facing headwinds as the agency’s thin roster of cybersecurity specialists makes it difficult to follow through with enough oversight and enforcement.

Wired: The FIDO Alliance industry group released a white paper laying out its high-level vision for a passwordless future. While one expert cheered a “giant leap forward” technologically, don’t expect passwords to go away anytime soon: It’s doubtful even a new-and-improved “FIDO credential” manager will immediately uproot one of the most enduring infosec features.

The New York Times: “Cyberwar” has arrived in Ukraine, but you’d be forgiven for not really noticing. Johns Hopkins University professor Thomas Rid unpacked why he thinks the tactical effects of cyberattacks are fundamentally limited compared to bombs and missiles.

A message from Synack 

Does your penetration testing meet compliance requirements? Synack recently announced it received Moderate “In Process” status from FedRAMP, meaning even more US departments, agencies and contractors can utilize its global network of elite ethical hackers for on-demand, around-the-clock pentesting. Find out more here.

Flash memory

Internet Explorer, we hardly knew ye!

Launched in 1995, the web browser is finally set to retire on June 15 this year, as Microsoft reminded customers in an alert Wednesday. The notoriously buggy browser has caused decades of infosec headaches, and its looming demise is bound to be cheered on by cybersecurity professionals.

Christiaan Colen/Flickr

Still, I can’t help but feel a tinge of nostalgia for the first browser I ever used. Farewell, Internet Explorer! And good luck to Microsoft with getting all those users to switch to Edge.

Local files

Der Spiegel: German intelligence authorities warned against using Kaspersky antivirus products five years after the U.S. government reached a similar conclusion. The Federal Office for Information Security (BSI) envisioned a scenario wherein the Russian government forced Kaspersky to abuse its products to spy on customers.

The New Zealand Parliament: Lawmakers on New Zealand’s Intelligence and Security Committee issued a bite-sized review of the country’s intelligence service. Clocking in at a whopping 100 words, the annual report simply “recommends that the House take note of this report.” A win for transparency!


I’m cautiously optimistic that the U.S. can finally do away with the exhausting rituals of “spring forward” and “fall back” after the Senate last week passed legislation to make daylight saving time permanent.

The measure has a long way to go before becoming law, and any changes wouldn’t take effect until 2023 at the earliest.

Still, the headway in Congress gives me hope that the current system can be retired, even if the Senate’s passage was a stunning anomaly, as Buzzfeed reported. Any Senator could have jumped in to block the measure — and some reportedly do oppose making daylight saving time permanent — but no one present in the chamber Tuesday afternoon intervened. Maybe they forgot to set their clocks last Sunday.

NoPotSer/via Giphy

That’s it for this week! Please send tips, feedback and ShmooCon afterparty invites to