Major cybersecurity news in the United States in August included the leak of 2.7 billion social security numbers, a record comparable to Brazil's CPF. The cybercrime group that claimed responsibility for the attack, USDoD, is also known for hacking many companies around the world. Now, an investigation points to the group's possible leader: his name is Luan, and he is reportedly Brazilian.
A detailed CrowdStrike report obtained by TecMundo reveals the likely leader of the USDoD group to be a 33-year-old man named Luan BG, who lives in Minas Gerais, Brazil.
All information about the cybercriminal has already been handed over to the authorities. It was possible to identify his tax registration, email addresses, registered domain names, IP addresses, social media accounts, phone number and city. TecMundo is not publishing the more precise details, to avoid revealing the attacker's identity completely.
“Disclosing the identities of individuals in an intelligence report carries risks. Despite their involvement in malicious cyber activity, some aspects of their private lives (family members, personal photos, and other personal information) deserve to be preserved as long as they are not relevant to the investigation,” CrowdStrike notes.
USDoD cybercriminal
The USDoD group has emerged in recent months with allegations of attacks against different companies and institutions.
The group, which uses the cybercrime forum Breach Forums, is known for exfiltrating databases and employee and customer information from companies and institutions including aircraft manufacturer Airbus, the U.S. Environmental Protection Agency, the FBI's InfraGard program, data scraped from LinkedIn, and credit rating agency TransUnion.
The group also said it had access to data on US defense contractors Lockheed Martin and Raytheon.
The most recent and most publicized attack involved the US company Jericho Inc (National Public Data). The incident resulted in the theft of 2.9 billion records.
The package of information, which contained a total of 277 GB of data, was offered for sale for $3.5 million, equivalent to R$19.7 million at the exchange rate at the time. It included the full names of the people entered into the platform, their address history going back at least three decades, and details of their parents, siblings and other relatives.
USDoD also floated the claim that it had attacked CrowdStrike and leaked confidential data; in fact, the material consisted of information that had already been collected and communicated to the public and to the company's customers.
The attacks carried out by the cybercrime group USDoD are reported to use malware known as ransomware, in this case ransomware from another prolific group, RansomMed.
The leader has been determined
CrowdStrike’s research points to a long history of hacktivism by USDoD leader Luan BG, starting in 2017 and possibly continuing into 2022, when he began more sophisticated cybercrime operations.
A quick clarification is needed here: hacktivism does not necessarily mean that a crime is involved. It can include, for example, maintaining social media accounts that feature political manifestos.
In this case, what established the connection between the hacktivism and Luan's cybercrime was the actor's use of the same descriptions on his social media profiles.
“CrowdStrike Intelligence has been tracking USDoD since late 2022, when the actor first claimed to have accessed data from the US public-private intelligence-sharing partnership. Since then, CrowdStrike Intelligence has reported on USDoD activity 12 more times,” the company notes.
The identification process yielded data that progressively narrowed down the leader's identity:
- Luan used a single email address (“luanbgs22@”) to create accounts on different forums between 2017 and 2022
- The same email was used to edit GitHub pages hosting open-source hacking tools
- The same email registered domains to promote cyber attack tool projects
- The same email was associated with several of Luan's personal accounts
- Since 2017, the same email has been registered under the name “NatSec” on Medium, where it was used to publish a post about malware
- Through the emails and the Medium posts, it was possible to reach Luan's Instagram account, where he stated “I Protect the Hive. When the system is unstable, I fix it”
- The same statement and email were linked to the Twitter account @equationcorp
In various posts on forums and social networks, Luan BG was associated with other aliases in addition to “NatSec”: NetSec, LLTV, LBG91 and Labs22.
CrowdStrike notes that Luan BG's lack of operational security knowledge at the start of his hacktivist activity made identification easier, particularly through the collection of profile photos and emails.
The arrogance of cybercrime
Arrogance is a common trait among cybercriminals who attack large companies. In 2021-2022, another group became known worldwide: Lapsus.
Lapsus obtained sensitive data from companies and institutions such as Samsung, Claro, the Ministry of Health, Rockstar, NVIDIA, JBS and many more. Its criminal approach ranged from gaining privileged access to systems to blackmailing victims in exchange for not disclosing what had been accessed.
It wasn’t too difficult: I interviewed the leader of Lapsus in January 2022. The arrogance of his actions is revealed in the article “Cybercrime and the spectacle of recognition: Interview with Lapsus.”
USDoD was no different. The leader of the cybercrime group gave an interview to the website DataBreaches.net in 2023, which also helped identify him.
In the interview, USDoD claims that he is around 30 years old and has dual citizenship, Brazilian and Portuguese, and that he currently lives in Spain.
“The USDoD alleges that this began after he joined a Brazilian gaming community in 1999,” DataBreaches.net writes. “He was 11 at the time and says he was able to use his social skills to take down a pedophile. He also claims that a moderator from that community, who was also the developer of the r3x software, took him under his wing and encouraged and helped him develop his skills. He also says he was very influenced by Kevin Mitnick.”
Brazilian platform Vydar’s blog also drew attention to USDoD’s nationality following an investigation in July of this year.
CrowdStrike noted in its report on Luan BG that, despite claiming Brazilian citizenship, USDoD always stated that he lived in various European countries. Then, apparently realizing that he had given away too much information, in 2023 he declared on X (formerly Twitter) that “all of my public information is false” and that he actually holds US citizenship.
Beyond emails and accounts on leak and scan forums, Luan BG's online activity was also tracked through his IP addresses.
In July 2024, the cybercrime forum BreachForums suffered a leak that exposed, among other things, the IP addresses of its users. With this material in hand, CrowdStrike found that Luan was posting from dynamic IPv4 addresses and several IPv6 addresses belonging to a Brazilian ISP, with GeoIP pointing to Minas Gerais.
“According to sensitive sources at CrowdStrike, financial records also linked USDoD to Brazil in mid-2024, when an individual responsible for the @equationcorp Twitter account made online payments with a Brazilian financial institution’s credit card,” the company said.
Next steps
As we mentioned earlier, CrowdStrike has already handed over all the collected information to the responsible authorities.
The company says that USDoD continues to work to obtain sensitive data from companies and institutions and then either sells it or blackmails the victim in exchange for not disclosing or selling it.
“CrowdStrike Intelligence assesses that the release of information regarding the USDoD’s true identity is unlikely to change the actor’s focus in the short term, as he will likely deny the information or claim that he intentionally ‘mistakenly’ misled investigators into ultimately associating his identity with Luan BG,” the company states.
CrowdStrike researchers note that Luan continues to seek recognition within the hacktivist and cybercriminal communities, so it is unlikely that he will stop anytime soon.
Source: Tec Mundo
I am a passionate and hardworking journalist with an eye for detail. I specialize in the field of news reporting, and have been writing for Gadget Onus, a renowned online news site, since 2019. As the author of their Hot News section, I’m proud to be at the forefront of today’s headlines and current affairs.