In This Article:
A day after Microsoft (MSFT) confirmed it was hacked by the cybercrime group Lapsus$, Nvidia (NVDA) CEO Jensen Huang called his own company’s experience with the hackers a “wake-up call.”
In an interview during Nvidia’s GTC Conference, which runs from March 21 to March 24, the CEO said the late February hack proved the company needs to move to a “zero trust” security posture and that it has the technology to do it. "Zero trust" means Nvidia will treat all employees as a potential security threat.
“It was a wake-up call for us,” Huang told Yahoo Finance. “Fortunately, we didn't lose any customer information and any sensitive information. They got access to source code, which of course we don't like, but nothing that is harmful to us.”
Lapsus$’s has also hacked Samsung, Microsoft, and Okta in recent weeks. In the past, the organization has taken over user accounts at crypto exchanges and drained their funds. Hackers like Lapsus$ have taken advantage of remote work throughout the pandemic, which made businesses more vulnerable to hacks.
Lapsus$ isn’t a traditional ransomware organization. Rather than limiting access to victims' computers, this group extorts its victims by gaining access to their data and threatening to leak it online if they don’t pay up, according to Microsoft’s Threat Intelligence Center.
In Nvidia’s case, Lapsus$ gained access to source code and ordered it to remove limitations on its graphic cards that make them less useful to cryptominers, according to The Verge. It also wanted the company to make its graphics cards drivers open source, which would have revealed its proprietary information. If not, the group said it would leak Nvidia’s proprietary data on its own.
According to Microsoft, Lapsus$ gains access to victims’ systems using social engineering techniques. Essentially, the group tricks its victims into giving up their usernames and passwords, which the criminals then use to root around in an organization’s files.
While it’s unclear how Lapsus$ gained access to Nvidia’s servers, Huang stressed that most cybersecurity threats come from within an organization. Often that comes in the form of an employee’s credentials, their username and password, being stolen or otherwise compromised.
“The fact of the matter is the intrusion tends to be internal. It tends to be somebody wandering around your hallway, somebody who has access to a fair amount of privileges,” Huang explained. “And so we need to be what is called a zero trust architecture company, and we're accelerating our path to do that.”