Who is Lapsus$?

A prolific hacking gang has been making a name for itself with a string of cyber attacks against a range of high-profile targets. In the space of just a few days, a group known as Lapsus$ revealed that it has stolen data from big-name organisations including Microsoft and Okta.  

The aim of the Lapsus$ campaign appears to be soliciting ransom payments, with threats to leak stolen information if its extortion demands aren’t met. While this tactic is a familiar one, often used by ransomware gangs as extra leverage to force victims to pay a ransom for a decryption key, in the case of Lapsus$, there’s no sign that ransomware is part of the attacks because no data is encrypted. 

But that doesn’t mean that the attacks aren’t damaging: Microsoft Security notes that there’s evidence of a destructive element to the attacks against victims that won’t give in to extortion demands.

Enterprise identity and access management provider Okta is one of the biggest victims of Lapsus$, in an incident in which the company says attackers may have managed to access information belonging to around 2.5% of Okta customers – a figure which the company says represents 366 organisations.

Okta disclosed the breach on March 22, and the company said it “contained” an attempted security breach in January. However, Lapsus$ has since claimed that it was able to access a support engineer’s laptop and has posted screenshots claiming access to systems. In a blog post, Okta says the laptop belonged to a support engineer working for a third-party provider and that Okta itself hasn’t been compromised. However, the company says it has contacted those affected.

Microsoft has also confirmed that it was compromised by Lapsus$. While the company says the attackers gained limited access, the hackers have posted a torrent file claiming to hold source code from Bing, Bing Maps, and Cortana.

While claiming Okta and Microsoft as victims has drawn eyes to Lapsus$, the group isn’t brand new, having been active since at least December 2021 and claiming a number of victims in recent months.

One of the first victims of the group was the Brazilian Ministry of Health, which saw over 50TB worth of data stolen and deleted from its systems. Among it was data relating to the Covid-19 pandemic, including data on cases, deaths, vaccinations and more. It took a month before systems were up and running again.

Other victims of Lapsus$ attacks in recent months include a number of technology and gaming companies. In February, Nvidia fell victim to a cybersecurity incident that was attributed to Lapsus$. The group claims to have stolen over 1TB of data from the microchip manufacturer, including employee passwords. 

Another high-profile victim of Lapsus$ is Samsung, which confirmed that data had been breached in an attack, including source code relating to Samsung Galaxy smartphones. Samsung says no personal information was stolen in the attack.

Lapsus$ also claims to have compromised video game developer Ubisoft. The company said it fell victim to a “cybersecurity incident” which forced password refresh across the organisation. 


Not much is known about Lapsus$ itself, other than that it’s a cyber criminal gang – believed to operate out of South America – that hacks into the networks of large organisations to steal data and extort payments. 

Unlike ransomware gangs, which use dark web websites to publish stolen data, Lapsus$ uses a Telegram channel to share information about its attacks – and information stolen from its victims – directly with anyone who is subscribed to it. 

When it comes to conducting attacks, Lapsus$ appears to operate much like many other cyber criminal operations, exploiting public-facing Remote Desktop Protocol (RDP) and deploying phishing emails to gain access to accounts and networks. The group also buys stolen credentials from underground forums and searches public dumps of usernames and passwords for credentials that can be exploited to gain access to accounts.

Lapsus$ also uses its public-facing Telegram channel to post messages, encouraging potential malicious insiders to come forward offering Virtual Private Network (VPN), Virtual Desktop Infrastructure (VDI), or Citrix credentials in exchange for an unspecified payment in an undisclosed currency. 

It’s unlikely the attacks will suddenly stop – the group may even be emboldened after claiming several high-profile victims – but there are steps businesses can take to help avoid falling victim to cyber attacks by Lapsus$, or other criminal hacking groups. 

This includes securing remote-working tools like VPN and RDP with strong, difficult-to-guess passwords and bolstering that defence with multi-factor authentication. In addition, any users who think their account has been compromised should change their password immediately. Businesses should also train staff to identify and report phishing emails.
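One practical defensive check for the access technique described above (leaked credentials tried against public-facing RDP) is to watch for a single source address failing logons against many different accounts. The script below is an added example, not code from the article or from any of the organisations named in it; it runs over a constructed set of Windows Security events (event ID 4625 is a failed logon, logon type 10 is RemoteInteractive, i.e. RDP) and the event format, thresholds and sample addresses are all assumptions.

```python
"""Added example (not from the article): flag password spraying / credential
stuffing against public-facing RDP from constructed Windows Security events
(ID 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: time, event id, logon type, user, source IP
SAMPLE_EVENTS = [
    "2022-03-20T01:00:02Z 4625 10 alice 203.0.113.7",
    "2022-03-20T01:00:05Z 4625 10 bob 203.0.113.7",
    "2022-03-20T01:00:09Z 4625 10 carol 203.0.113.7",
    "2022-03-20T01:00:12Z 4625 10 dave 203.0.113.7",
    "2022-03-20T01:00:15Z 4625 10 erin 203.0.113.7",
    "2022-03-20T01:00:30Z 4624 10 alice 198.51.100.4",  # successful logon, ignored
    "2022-03-20T01:05:00Z 4625 10 alice 198.51.100.4",  # one user mistyping, not spraying
    "2022-03-20T03:00:00Z 4625 10 frank 203.0.113.7",   # same source, but outside the window
]

def parse_event(line):
    """Split one constructed event line into its fields (assumed format)."""
    ts, event_id, logon_type, user, src = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user.lower(),
        "src": src,
    }

def find_spraying_sources(lines, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: set(users)} for sources that failed RDP logons against at least
    `min_users` distinct accounts within any sliding `window` of time."""
    failures = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            failures[ev["src"]].append((ev["time"], ev["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()  # chronological order so the window can slide forward
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

if __name__ == "__main__":
    print(find_spraying_sources(SAMPLE_EVENTS))
```

With the constructed events, only 203.0.113.7 is flagged: five distinct accounts within 13 seconds, while the lone failure from 198.51.100.4 and the later isolated attempt are not enough to trip the threshold.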
