BRASÍLIA, DF (FOLHAPRESS) – The Federal Police (PF), investigating the 2021 attack on the Ministry of Health's systems, found evidence that the leading figure of the Lapsus$ hacker group in Brazil had access to credentials for PJe (Processo Judicial Eletrônico, the electronic judicial process system).
PJe is the result of a partnership between the CNJ (National Council of Justice) and several courts in the country to create a single platform giving digital access to court proceedings.
The platform covers both public cases and those under judicial secrecy, which are accessible only to the parties involved and registered in the system.
The PF began to suspect that the hacker group had been operating improperly inside the system after traces were found in it left by Thiago Nathan, 24, whom investigators identified as the leader of Lapsus$ in Brazil.
The report was unable to contact the hacker's defence.
The PF arrested Nathan on October 19 in the city of Feira de Santana, Bahia. Before his arrest, he had been the target of a search and seizure on August 16. During that operation at his home in Paraíba, the PF confiscated dozens of terabytes of files he had stored and found records of his cryptocurrency transactions.
In addition to the credentials, which alerted the PF, the experts involved in the investigation also found, among Nathan's material, information about a "road test", which the report describes as a procedure commonly used by hackers before carrying out an attack against target systems.
The suspected improper access to PJe adds to the other suspicions already weighing on Nathan and the Lapsus$ group.
In Brazil, among its public sector targets, the group has carried out attacks against systems of the Ministry of Health, the CGU (Controladoria-Geral da União), the Ministry of Economy, Enap (National School of Public Administration), ANTT (Agência Nacional de Transporte Terrestre), the PRF (Polícia Rodoviária Federal, the Federal Highway Police), the Post Office and the Federal Police itself.
One such attack, in December last year, took down ConecteSUS, the platform responsible for issuing national vaccination certificates.
Lapsus$ is also suspected of attacks on the companies Localiza and Americanas in Brazil. Abroad, the group has come under the radar of authorities in the US, Portugal and the UK following actions against a Portuguese TV channel and against Electronic Arts, Nvidia and Microsoft's Azure.
To advance the investigation into the role of Lapsus$ in Brazil, the PF entered into an international cooperation agreement with the FBI (the US federal police) and gained access to the contents of the investigation into the group conducted by the Americans.
Based on the shared materials, the PF was able to document the structure and members of the group and to establish how the hackers behaved during the attacks.
The investigation also managed to establish Nathan's role and the Brazilian's closeness to a Briton whom investigators identified as the leader of Lapsus$.
This work was possible because the materials sent to Brazil by the FBI include conversations between the hackers on the Telegram app.
The exchange of messages shows how Nathan was frequently used by Lapsus$ members abroad to obtain secret access credentials, such as the PJe credentials found in his files.
The hacker figured prominently in the Lapsus$ structure because of his skill and his knowledge of government entities in Brazil.
Nathan's activity, however, was not limited to the public sector. According to the report, the messages point to the Brazilian's direct participation in the attack on the American technology company Nvidia.
He would supply data requested by other Lapsus$ members as they tried to gain access to the company's systems.
As Folha has shown, in addition to mapping Nathan's role in the attacks, the PF is also analysing the financial transactions and cryptocurrency holdings of the hacker in order to investigate possible financiers of the attacks or buyers of the information he obtained.
During the investigation, the police had already found records of about R$15 million in crypto assets owned by Nathan. The PF also found that he owns a R$2 million country estate.
Part of these sums, according to the investigation, comes from the sale of databases that, according to the police, he stole from institutions.
The PF is now trying to determine whether the remainder came from financiers of the attacks on the systems of public bodies and companies or from buyers of the content stolen from the targets.
The investigation is being conducted by the PF's DIP (Diretoria de Inteligência Policial, the Directorate of Police Intelligence), with support from cybercrime and IT experts who are analysing the material seized from Nathan.