Incident: Cyber Attack on Uber's Internal Systems by Lapsus$ Hacker

Published Date: 2022-09-19

Postmortem Analysis
Timeline
1. The software failure incident at Uber Technologies happened last week [132717].
2. Published on 2022-09-19.
3. The incident likely occurred in September 2022.

System
1. Uber Technologies Inc's internal communication system
2. Contractor's Uber account
3. Employee accounts and tools such as G-Suite and Slack [132717]

Responsible Organization
1. Hacker affiliated with the Lapsus$ hacking group [132717]

Impacted Organization
1. Uber Technologies Inc - The software failure incident impacted Uber Technologies Inc as their internal communication system was brought down, and several internal systems were accessed by the hacker [132717].

Software Causes
1. The software cause of the failure incident was a cyber attack by a hacker affiliated with the Lapsus$ hacking group, who accessed several internal systems of Uber Technologies Inc [132717].

Non-software Causes
1. The hacker affiliated with the Lapsus$ hacking group gaining access to a contractor's Uber account through a two-factor login approval request [132717].
2. The hacker accessing several employee accounts and tools such as G-Suite and Slack after logging in to the contractor's Uber account [132717].

Impacts
1. The software failure incident led to the temporary shutdown of Uber's internal communication system, restricting employees to use Salesforce-owned office messaging app Slack [132717].
2. The attacker gained access to several internal systems, including employee accounts and tools such as G-Suite and Slack, through a contractor's Uber account, potentially compromising sensitive information [132717].
3. The incident raised concerns about the security of user data, although Uber stated that the attacker did not access databases storing sensitive user information like credit card numbers, bank account details, or trip information [132717].

Preventions
1. Implementing stricter access controls and monitoring mechanisms to prevent unauthorized access to internal systems and tools [132717].
2. Enhancing employee training on cybersecurity best practices, including recognizing and responding to phishing attempts to prevent unauthorized access to accounts [132717].
3. Regularly updating and patching software systems to address vulnerabilities that could be exploited by hackers [132717].

Fixes
1. Implementing stronger authentication measures to prevent unauthorized access to contractor accounts, such as requiring additional verification steps beyond two-factor authentication [132717].
2. Conducting a thorough review and enhancement of internal systems' security protocols to prevent future cyber attacks and unauthorized access to sensitive information [132717].
3. Enhancing employee training on cybersecurity best practices to prevent social engineering attacks and unauthorized access to company tools and accounts [132717].

References
1. Uber Technologies Inc (UBER.N)
2. Lapsus$ hacking group
3. FBI
4. U.S. Department of Justice
5. Salesforce
6. Nvidia (NVDA.O)
7. Microsoft Corp (MSFT.O)
8. Okta Inc (OKTA.O)
9. Take-Two Interactive Software Inc

Software Taxonomy of Faults

| Category | Option | Rationale |
| --- | --- | --- |
| Recurring | multiple_organization | (a) The software failure incident related to Uber Technologies Inc being targeted by a hacker affiliated with the Lapsus$ hacking group is a unique incident for Uber as there is no mention of a similar incident happening before within the same organization [132717]. (b) The Lapsus$ hacking group, responsible for the cyber attack on Uber, has targeted other firms in the past including Nvidia, Microsoft Corp, and Okta Inc. This indicates that similar incidents have happened before at multiple organizations targeted by the same hacking group [132717]. |
| Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the article. The incident was a cyber attack on Uber Technologies by a hacker affiliated with the Lapsus$ hacking group. The attacker accessed several internal systems by logging into a contractor's Uber account, which led to the shutdown of Uber's internal communication system temporarily. This incident highlights a failure due to contributing factors introduced by system development and procedures to operate or maintain the system [132717]. (b) The software failure incident related to the operation phase is evident in the article as well. The hacker gained access to several employee accounts and tools such as G-Suite and Slack after logging into a contractor's Uber account. This unauthorized access disrupted Uber's internal communication system, forcing employees to use the Salesforce-owned office messaging app Slack. The incident showcases a failure due to contributing factors introduced by the operation or misuse of the system [132717]. |
| Boundary (Internal/External) | within_system, outside_system | (a) The software failure incident reported in Article 132717 is within_system. The failure was caused by a hacker affiliated with the Lapsus$ hacking group who accessed several internal systems of Uber Technologies, leading to the shutdown of internal communications temporarily. The attacker gained access to employee accounts and tools such as G-Suite and Slack by logging into a contractor's Uber account after manipulating a two-factor login approval request [132717]. |
| Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the Uber cyber attack was primarily due to non-human actions, specifically a hacker affiliated with the Lapsus$ hacking group. The attacker accessed internal systems by logging into a contractor's Uber account after manipulating a two-factor login approval request, gaining access to employee accounts and tools like G-Suite and Slack [132717]. (b) Human actions also played a role in the software failure incident as the contractor accepted the two-factor login approval request multiple times, ultimately giving the hacker access to sensitive internal systems and tools within Uber [132717]. |
| Dimension (Hardware/Software) | software | (a) The software failure incident reported in Article 132717 was not attributed to hardware issues. The incident was a cyber attack carried out by a hacker affiliated with the Lapsus$ hacking group, which led to the shutdown of Uber's internal communication systems. The attacker gained access to internal systems, employee accounts, and tools like G-Suite and Slack by exploiting a contractor's Uber account. This incident was primarily a software failure caused by the cyber attack [132717]. |
| Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in this case was malicious. The article reports that a hacker affiliated with the Lapsus$ hacking group was responsible for the cyber attack on Uber Technologies Inc. The attacker accessed several internal systems by logging into a contractor's Uber account, giving them access to employee accounts and tools like G-Suite and Slack. Additionally, the hacker claimed to leak early gameplay footage of a highly anticipated game, "Grand Theft Auto VI," and sought to negotiate a deal with the videogaming company [132717]. |
| Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident involving Uber Technologies Inc was due to poor decisions made by a contractor who accepted a two-factor login approval request multiple times, ultimately giving the hacker access to several employee accounts and tools such as G-Suite and Slack [132717]. |
| Capability (Incompetence/Accidental) | accidental | (a) The software failure incident reported in Article 132717 was not attributed to development incompetence. The incident was primarily caused by a cyber attack carried out by a hacker affiliated with the Lapsus$ hacking group. The attacker gained access to internal systems by compromising a contractor's Uber account through a two-factor login approval request. This indicates that the failure was a result of a deliberate and targeted attack rather than development incompetence [132717]. (b) The software failure incident in Article 132717 was accidental. The incident was caused by a cyber attack orchestrated by a hacker affiliated with the Lapsus$ hacking group. The attacker gained unauthorized access to internal systems by exploiting a contractor's Uber account after they accepted a two-factor login approval request. This indicates that the failure was not accidental but rather a deliberate and malicious act by the hacker [132717]. |
| Duration | temporary | The software failure incident reported in Article 132717 was temporary. Uber Technologies Inc experienced a cyber attack by a hacker affiliated with the Lapsus$ hacking group, which forced the ride-hailing company to shut several internal communications temporarily. The incident brought down Uber's internal communication system for a while, and employees were restricted to using the Salesforce-owned office messaging app Slack until the issue was resolved [132717]. |
| Behaviour | crash, other | (a) crash: The software failure incident in the article can be categorized as a crash. The cyber attack led to the shutdown of Uber's internal communication system, forcing employees to use alternative platforms like Slack. This indicates a failure of the system to maintain its operational state and perform its intended functions [132717]. (b) omission: There is no specific mention of the software failure incident in the article being related to the omission of performing intended functions at an instance(s) [132717]. (c) timing: The incident does not relate to a timing failure where the system performs its intended functions but at incorrect times [132717]. (d) value: The software failure incident does not involve the system performing its intended functions incorrectly [132717]. (e) byzantine: The incident does not exhibit a byzantine behavior where the system behaves erroneously with inconsistent responses and interactions [132717]. (f) other: The behavior of the software failure incident in the article can be described as a security breach leading to unauthorized access to internal systems, compromising employee accounts and tools. This unauthorized access resulted in the shutdown of internal communications, indicating a disruption in the system's normal operations [132717]. |

IoT System Layer

| Layer | Option | Rationale |
| --- | --- | --- |
| Perception | None | None |
| Communication | None | None |
| Application | None | None |

Other Details

| Category | Option | Rationale |
| --- | --- | --- |
| Consequence | property | (d) property: People's material goods, money, or data was impacted due to the software failure [132717]. The cyber attack on Uber by the Lapsus$ hacking group did not result in the access of user accounts or sensitive information like credit card numbers. However, the attacker did manage to access internal systems, employee accounts, and tools such as G-Suite and Slack. This breach of internal systems could potentially impact the security and confidentiality of Uber's data and information, constituting a property-related consequence of the software failure incident. |
| Domain | information, finance, entertainment | (a) The failed system was intended to support the information industry as it affected Uber's internal communication systems, which are crucial for the exchange and distribution of information within the company [132717]. (h) The incident also had implications for the finance industry as the hacker potentially gained access to tools such as G-Suite and Slack, which are used for manipulating and moving money for profit within the organization [132717]. (m) Additionally, the hacker targeted a gaming company, Take-Two Interactive Software Inc, seeking to negotiate a deal and leaking early gameplay footage of the highly anticipated game "Grand Theft Auto VI," indicating a connection to the entertainment industry [132717]. |
