The company, best known for its industry-leading graphics cards, told PC Gamer: “We are aware that the threat actor took employee credentials and some Nvidia proprietary information from our systems and has begun leaking it online.”
Although the initial attack and the theft have already taken place, the challenges for Nvidia are far from over. First, Lapsus$, the group that has taken responsibility for the attack via the communication platform Telegram, has now made demands.
According to Videocardz.com, Lapsus$ has demanded that Nvidia make its drivers open-source (free to access), or face more leaks. The group has also asked for money to be transferred to them via a cryptocurrency transaction so that they can receive money without it being traced by traditional financial authorities.
These asks may seem ridiculous, but the hackers have an enormous amount of Nvidia’s internal information. Lapsus$ claims to have stolen 1 terabyte of data, including a hardware folder that is a mighty 250GB and contains information on “all recent Nvidia graphics processing units (GPUs)”, including the highly anticipated RTX 3090 Ti.
The hackers have already leaked source code for the company’s Deep Learning Super Sampling, which is AI rendering technology, and upcoming architectures, and there are also rumors that the leaks have given insight into Nintendo’s upcoming hardware.
This is because Nintendo uses Nvidia’s technology in its systems. One of the leaks suggests new technology that could be leveraged in a new iteration of the Nintendo Switch.
The damage of this cyberattack
Nvidia may lose its ability to unveil its upcoming products and the accompanying messaging that is essential for the items to resonate with its intended market. Moreover, Nvidia’s hardware information becoming commonplace could lead to replicas of its work.
On top of this, if the hackers have information on Nvidia’s upcoming projects with third parties, then hard-earned client relationships could be at risk, including Xbox.
Given the scale of this attack, many organizations will begin to reflect on the impact that similar cybersecurity challenges could have on them. Fortunately, there are a number of ways that companies can protect their data.
A key part of ensuring cybersecurity is training. While this might not sound like a great response to an attack, it can stop a breach from occurring in the first place.
Writing for UNLEASH, Don Mowbray, who leads Skillsoft’s technology and developer specialization in Europe, Middle East & Africa, said: “Dedicating time and resources to ensuring that technical staff are given the skills and know-how to proactively build increased resilience to cyber incidents and minimize the impact of incidents when these occur is just the start.”
Training must be extended well beyond the cybersecurity teams, and be given to all staff so that they can minimize risk for their organization. Mike Fenna, chief technology officer of Avado, wrote for UNLEASH: “When we restrict data analysts and IT security skills to a singular team at the back of the office, we do both our organizations and employees a huge disservice.”
Nonetheless, some organizations will want to enforce security measures rather than hoping staff will remember what they have learned.
Paul Keely, 12-time Microsoft MVP, explained to UNLEASH that multifactor authentication (MFA) was essential. Noting that “HR has an obligation to protect people data” and that an extra authentication layer was the best way to do this, Keely went on to use a poignant analogy.
Keely said: “If you won the lottery tomorrow, and you opened a bank account and put in $2 million, and the bank had no MFA, and they said ‘just log on with a username and password’, you wouldn’t want to keep your money there. So why would you treat HR data like that?”
Of course, the way devices are used also needs a layer of protection. Using services such as Domain Name System (DNS) protection and a permanently working virtual private network (VPN) back into the office or data center will help verify legitimate websites and mitigate the risk of successful phishing attacks.
Each company will approach its cybersecurity measures differently. Nonetheless, all businesses are alike in the damage a successful cyberattack can do to them. The ongoing incident with Nvidia highlights the challenges and shows the need for active security measures.