Gaming chipmaker Nvidia confirmed a data leak after a suspected ransomware attack hit the company on February 23, 2022. The hacking group Lapsus$ claimed responsibility for the attack and leaked 20GB of data, giving Nvidia until March 4 to pay the ransom.
Lapsus$ claims it stole about 1 terabyte of Nvidia’s “most closely-guarded secrets” and would publish the data if the chipmaker refused to comply with its demands.
Nvidia admits that the February data leak exposed sensitive proprietary information
The Santa Clara, California-based company acknowledged the attack, adding that it had hardened its network, engaged cyber security incident response experts, and notified law enforcement. The gaming giant said it was investigating the incident but did not expect any business impact.
“Our team is working to analyze that information. We do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident,” Nvidia said.
However, the company admitted that the threat actor exfiltrated employee credentials and some “Nvidia proprietary information and began leaking it online.” Nvidia has forced a password reset for all employees after the data leak.
Similarly, the data leak monitoring website Have I Been Pwned (HIBP) reported that the hackers stole the credentials of 71,000 Nvidia employees, including the password hashes of their Windows accounts. Those hashes have since been cracked and shared on various hacking forums, according to HIBP.
The data leak also exposed information about yet-to-be-announced processors, SDKs, and GPU source code, according to the hackers’ now suspended Telegram channel.
Lapsus$ hacking group makes strange demands after the Nvidia data leak
The Lapsus$ ransomware gang threatened to publish 1 terabyte of stolen Nvidia data in five phases by March 4, 2022, if the company did not pay an unspecified ransom.
Additionally, they demanded the removal of the Lite Hash Rate (LHR) limiter that reduces crypto mining performance in Nvidia’s RTX 30-series graphics cards. This limitation prevents crypto miners from depleting GPU stocks and denying gamers the opportunity to purchase the latest graphics processors.
Lapsus$ also demanded that the chipmaker release the source code for its GPU drivers under an open-source license.
“We decided to help [the] mining and gaming community, we want Nvidia to push an update for all 30 series firmware that remove every LHR limitation otherwise we will leak [the] hw (hardware) folder,” Lapsus$ posted on Telegram. “If they remove the LHR we will forget about [the] hw folder… We both know LHR impact mining and gaming.”
Was the suspected Nvidia ransomware attack related to the Russia-Ukraine conflict?
Some speculated that the suspected Nvidia ransomware attack was related to the Russia-Ukraine conflict.
However, the Lapsus$ ransomware group denied being state-sponsored or involved in politics. Similarly, Nvidia’s investigation team said it had no evidence that ransomware was deployed in connection with the Russia-Ukraine conflict, suggesting the data leak was not the result of a state-sponsored ransomware attack.
The company refused to disclose the group responsible for the attack that reportedly caused outages in its email systems and developer tools.
However, a source told Bloomberg that the apparent ransomware attack also disrupted the company’s internal systems.
“This is typical of ransomware gangs nowadays where they can still cause brand damage and steal IP without actually deploying the final ransomware payloads,” Dr. Saumitra Das, CTO and Co-Founder at Blue Hexagon, said. “Double and triple extortion are all part of the current playbook for these attackers. In this case, it appears that the group claims to have been able to steal IP without encrypting data.”
“There is always a tradeoff for the attackers between encrypting data and stealing data because encryption and deletion can trigger alarms at organizations with mature security programs and take away the leverage from the attackers.”
Nvidia allegedly hacks Lapsus$ and deploys ransomware
Lapsus$ hacking group accused Nvidia of launching a retaliatory ransomware attack and attempting to delete the stolen data.
“EVERYONE!!! NVIDIA ARE CRIMINALS!!!!!!!!! SOME DAYS AGO A ATTACK AGAINST NVIDIA AND STOLE 1TB OF CONFIDENTIAL DATA!!!!!! (sic). TODAY WOKE UP AND FOUND NVIDIA SCUM HAD ATTACKED **THE** MACHINE WITH RANSOMWARE,” Lapsus$ posted on Telegram, according to Brett Callow, a threat analyst at Emsisoft.
They explained that Nvidia was able to infiltrate their virtual machine because the Nvidia employee VPN they leveraged requires the connecting device to be enrolled in the company’s mobile device management (MDM) software. The group insisted that the retaliatory ransomware attack was not the work of a rival gang.
“Yes they successfully encrypted the data,” Lapsus$ posted on Telegram. “However, we have a backup and it’s safe from scum!!!”
Believed to be based in South America, the Lapsus$ ransomware gang gained notoriety after the Brazilian Ministry of Health attack on Dec 10, 2021. The group successfully deleted 50 terabytes of data, including millions of COVID-19 records, leaving the compromised government systems unavailable. Lapsus$ also knocked Portugal’s largest media conglomerate, Impresa, offline in Dec 2021.
Gary Ogasawara, CTO of Cloudian, said that current defenses against ransomware attacks rely on ineffective methods.
“Ransomware attacks are continuing to infiltrate organizations and cause significant disruption,” Ogasawara said. “Unfortunately, when it comes to protecting against these types of attacks, much of the discussion has centered on perimeter security and other traditional defenses that have clearly fallen short.”