Google has been threatened by hackers making unusual demands: they promise to leak the company's databases unless it dismisses two members of its security team. The threats were published on Telegram and directed at Austin Larsen and Charles Carmakal, prominent members of Google's Threat Intelligence Group.
The hacking group, which calls itself "Scattered LapSus Hunters," claims to be an umbrella for cybercriminals drawn from other prominent groups such as Scattered Spider, LapSus, and ShinyHunters. The name is an obvious reference to those groups and implies a merger of once distinct hacking communities.
Threat Intelligence Group at Google
Along with requesting that Larsen and Carmakal be fired, the group has requested that Google suspend all of its Threat Intelligence Group investigations. This is a strange request and seems to suggest the hackers are feeling constrained by the work that Google is doing and are seeking to hamper the ability of the company to track and protect against their activity.
Threat Intelligence Group is at the center of Google’s security team and is responsible for seeking out, studying, and reacting to all manner of cyberattacks aimed at both Google infrastructure and its end-users. By calling for these investigations to be put on hold, the hackers are seemingly seeking to give their operations space to breathe.
The group has produced no tangible evidence that it ever accessed Google databases, which raises the question of whether it poses a real threat or is simply trying to generate media attention and chaos. Without proof of access, many cybersecurity experts treat claims like these with considerable skepticism.
Google has announced no new security breaches that would support the hackers' claim of access to its internal databases. The lack of such evidence makes it hard to gauge the actual threat level of this group.
The sequence of these threats is particularly remarkable following recent security scares involving Google.
Google’s Third-Party Security Vulnerability
Last August, Google acknowledged that ShinyHunters, one of the alleged groups affiliated with Scattered LapSus Hunters, had obtained data from Salesforce, a third-party service provider that works with Google.
This earlier attack shows that these hacking groups do have a history of successful intrusions, though not necessarily against Google's central infrastructure.
This Salesforce attack revealed that at times, bad actors can access sensitive data via third-party vendors instead of hitting the core firm head-on.
Scattered LapSus Hunters Threaten Google: A Cybersecurity Analysis
The formation of Scattered LapSus Hunters is a new trend in cybersecurity. Rather than operating as separate entities, these groups are known to collaborate, or at least to coordinate their actions.
This kind of coordination between different hacking communities can make their activity harder and more complex to defend against.
Scattered Spider, LapSus, and ShinyHunters each specialize and do things their way. Scattered Spider is famous for their social engineering exploits, LapSus has been known for big-name corporate hacks, and ShinyHunters is about stealing databases and then selling them. An alliance of these teams would bring their diverse expertise and assets together.
Google has made no public statement about these very specific demands, typical of businesses facing extortion. Information security experts don’t usually advise negotiating with hackers because it can invite further break-ins and does not guarantee that threats are eliminated.
The company's Threat Intelligence Group continues its investigation of cyber threats, and it is still unknown whether Google will comply with the hackers' demands for staff changes or for suspending the investigation.
As the situation develops, information security researchers are watching to see whether the hackers will produce any actual proof of their claimed access to Google systems, or whether the threat turns out to be largely hot air with little substance.