Cybercriminals Breach Samsung’s Internal Company Data

Photograph of a Samsung Galaxy Smartphone

South Korean electronics giant Samsung Electronics Co. was hit by a serious cybersecurity breach over the weekend, allowing a known cybercriminal extortion group to steal internal company data, according to Bloomberg.

The data breach led to the theft of source code belonging to Samsung’s widely-used Galaxy smartphones and tablets. The well-known and highly-active hacking group LAPSUS$ has claimed responsibility for the attack. The group posted a note and snapshots over the weekend, teasing a release of the stolen data.

190GB Torrent File Full of Stolen Data

Samsung Electronics Co. confirmed that their internal company data including Galaxy smartphone source code was compromised on Monday. According to Bloomberg, it seems that the LAPSUS$ hacking group is behind the attack. “The LAPSUS$ hackers posted a 190GB torrent file to their Telegram channel later Friday,” Bloomberg reported.

The hackers claimed that the torrent file contained “confidential Samsung source code,” which would expose the company’s “device security systems” Bloomberg wrote.

An additional concern surrounded the potential compromise of “TrustZone,” a secure processor architecture environment that Samsung’s “Knox” security platform utilizes, experts say.

TrustZone Could Have Been Compromised

“If Samsung’s keys were leaked, it could compromise the TrustZone environment on Samsung devices that stores especially sensitive data, like biometrics, some passwords and other details,” head of product and developer relations at BluBracket Casey Bisson said. “The TrustZone environment is useful because it creates a strong security barrier to attacks by Android malware.”

The leakage of Samsung’s signing keys would compromise Samsung’s ability to “securely update phones to prevent attacks on the TrustZone environment,” Bisson said.

Among the items that hackers listed they had stolen was “biometric authentication and bootloader source code” belonging to Samsung smartphones that could bypass operating system controls. The breach also included confidential data from Qualcomm, Samsung’s chip supplier.

Response from Samsung

So far, officials from Samsung said that measures to prevent further breaches have been put in place and that customers’ data was not compromised by the breach. “Currently, we do not anticipate any impact to our business or customers,” Samsung said in a statement.

Samsung did not name any specific hackers or hacking groups in any statements or press releases, nor did they say anything about any payment demands from the hackers.

Who is LAPSUS$?

LAPSUS$ hacking group is the same group that breached Nvidia Corp.’s networks in recent weeks, which leaked stolen data and threatened to release a further 1TB of stolen data including key schematics and intellectual property.

The same group also hit Portuguese media giant Impresa Group (that includes expresso and SICNoticias) with ransomware attacks in January this year.

Ransomware is Still Booming

Ransomware is a lucrative business “that is nearly impossible to protect all risk vectors,” and is not going away, CPO and head of engineering for TruU Dave Pasirstein told Threat Post Monday.

Ransomware attacks like this one also may leave organizations open to more compromise because this can provide vulnerable future pathways. “Securing the data is probably more critical or just as critical as today’s security of attempting to lock down the perimeter,” CEO of Sotero Purandar Das added.

Cybersecurity breaches like those orchestrated by LAPSUS$ and many other threat actors must be approached with a zero-trust defense strategy.

Adding to that, endpoint and email protection, employee training, strong password usage, and authentication as well as effective updates must be taken into account, particularly by highly visible organizations holding large amounts of sensitive data.

For more information on how to backup personal data on your device, check out our full guide on backing up Android data.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.