Cyber Incident Victim: Vodafone Turkey

Date: Feb 2022

Location: Portugal

Summary

A telecommunications company investigated claims by the Lapsus$ cybercrime group of stealing approximately 200 GB of proprietary source code from thousands of GitHub repositories, collaborating with law enforcement and confirming no customer data was involved. The hackers conducted a poll to determine whether to leak the code alongside data from other organizations. Prior service disruptions at the company's Portugal branch were potentially linked to the incident, though a direct connection remained unconfirmed.

Description

In early February 2022, the cybercrime group Lapsus$ claimed responsibility for stealing approximately 200 gigabytes of source code from telecommunications company Vodafone. The hackers asserted they obtained files from around 5,000 GitHub repositories containing proprietary source code. Vodafone acknowledged these claims on February 10, 2022, confirming an active investigation in coordination with law enforcement authorities. The company clarified that the compromised repositories did not contain customer information, limiting the immediate exposure to intellectual property rather than personal data. Lapsus$ did not immediately release the allegedly stolen Vodafone material, instead creating a Telegram poll asking users to vote on whether they should leak Vodafone's code, Portuguese media company Impresa's data, or e-commerce platform MercadoLibre's information. This poll was scheduled to conclude on March 13, 2022, leaving Vodafone's data at potential risk of future exposure.

The incident followed a pattern of high-profile attacks by Lapsus$, which simultaneously claimed breaches at technology firms NVIDIA and Samsung. NVIDIA confirmed stolen employee credentials and code-signing certificates, while Samsung acknowledged theft of 190 GB of Galaxy device source code. Lapsus$ typically demanded ransom payments to prevent leaks, including unconventional requests such as demanding NVIDIA open-source its GPU drivers. Vodafone Portugal had previously experienced service disruptions attributed to a cyberattack, though the article notes no confirmed connection to the Lapsus$ source code theft claims. The group's attack on Impresa caused significant operational disruption, while MercadoLibre separately confirmed a breach affecting 300,000 users alongside source code exposure. Unlike traditional ransomware operations, Lapsus$ did not deploy file-encrypting malware in these incidents, focusing instead on data theft and extortion through selective disclosure threats. Vodafone maintained public communication regarding the investigation but did not disclose technical details about the intrusion methodology or potential operational impacts beyond the confirmed source code compromise.
