Who is Lapsus$, the theatrical cyber gang that hit Okta and Microsoft?

A cybercrime gang called Lapsus$ has been tearing through tech giants around the world.

In the last few months alone, the group has claimed the scalps of Nvidia, Ubisoft, Samsung, Okta, and Microsoft.

Their brazen tactics have attracted a large following – and some powerful enemies.

Here’s what we know about the digital extortionists.

Who are the Lapsus$ hackers?

Lapsus$ first made headlines in December last year after being blamed for an attack on Brazil’s health ministry.

The group released a message on the ministry’s website:

The internal data of the systems were copied and deleted. 50 TB of data is in our hands. Contact us if you want the data back.

The group showed a preference for Portuguese-language targets early on, and an obvious desire for attention.

In a January attack on one of Portugal’s largest media conglomerates, the hackers sent out a hoax alert that read:

Breaking News: President Deposed and Charged with Murder: Lapsus$ is Portugal’s new President.

The group has been sending messages in Brazilian Portuguese and is said to be operating out of South America.

However, the people running the gang’s Telegram channel – which has attracted over 45,000 subscribers – usually write in English. One Lapsus$ member was allegedly doxxed as a 16-year-old boy living in the UK.

While the gang’s attacks are frequent and their victims high-profile, their tactics have been described as amateurish.

“This group appears to be a young and inexperienced group struggling to actually receive payment for all this extortion work,” researchers at Silent Push, a threat intelligence company, wrote in a blog post.

What are their tactics?

Lapsus$ is often described as a ransomware group, but their methods are more akin to data extortion.

Microsoft said gang members use “a pure extortion and destruction model without the use of ransomware payloads.”

They typically start by compromising user identities to get a foothold in an organization.

Those stolen credentials give them access to company systems, from which they steal valuable data and use it to blackmail the victim.

They also target organizations by recruiting company employees who can grant access to sensitive data. Lapsus$ has offered payments for insider access on the group’s Telegram channel.

Other suspected methods used by the group include DNS spoofing attacks, SIM swapping, and phishing campaigns.

Who are their targets?

The group’s early focus on Portuguese-speaking organizations has now expanded globally.

Recent targets include American GPU giant Nvidia, French gaming publisher Ubisoft and South Korean tech titan Samsung.

The latest victim is the authentication company Okta.

In the Lapsus$ Telegram channel, members shared screenshots showing Okta’s internal systems.

After initially being accused of downplaying the breach, Okta revealed that up to 366 of its customers were affected.

In a series of blog posts, Okta Chief Security Officer David Bradbury said the hackers compromised the systems by remotely accessing a third-party engineer’s computer.

While Bradbury advised customers that no corrective action was required, Okta’s response was criticized. Shares of the company fell 10.5% on Wednesday, Reuters reports.

How can we stay safe?

Lapsus$’s crime spree has many organizations fearing they may be the next targets. If you’re one of them, Microsoft has this advice:

  • Strengthen MFA implementation.
  • Require healthy and trusted endpoints.
  • Leverage modern authentication options for VPNs.
  • Strengthen and monitor your cloud security posture.
  • Improve awareness of social engineering attacks.
  • Establish operational security processes in response to DEV-0537 attacks (DEV-0537 is Microsoft’s tracking name for Lapsus$).
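Three of those recommendations – stronger MFA, trusted endpoints, and monitoring – map directly onto the tactics described above: SIM swapping defeats phone-based MFA, a remotely accessed contractor laptop is an unmanaged endpoint, and a stolen identity shows up as a sign-in from somewhere the user has never been. The script below is an added example, not code from Microsoft, Okta, or Cloudflare. It runs a simple triage over a constructed, hypothetical JSON-lines sign-in log (real Azure AD or Okta System Log records have a different shape) and flags successful sign-ins that match those patterns.

```python
"""Triage sign-in events for the identity-abuse patterns described above.

Added example. The log format below is constructed for illustration and does
not match any real identity provider's export format.
"""
import json
from collections import defaultdict

# Phone-based second factors are exactly what SIM swapping defeats.
PHONE_BASED_MFA = {"sms", "voice"}

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """\
{"user":"alice","ip":"203.0.113.10","country":"GB","device_managed":true,"mfa":"fido2","result":"success"}
{"user":"alice","ip":"203.0.113.10","country":"GB","device_managed":true,"mfa":"fido2","result":"success"}
{"user":"alice","ip":"198.51.100.7","country":"BR","device_managed":false,"mfa":"sms","result":"success"}
{"user":"bob","ip":"192.0.2.44","country":"US","device_managed":true,"mfa":"none","result":"success"}
{"user":"carol","ip":"192.0.2.91","country":"DE","device_managed":false,"mfa":"fido2","result":"success"}
{"user":"carol","ip":"192.0.2.91","country":"DE","device_managed":true,"mfa":"fido2","result":"denied"}
"""


def parse_events(log_text):
    """Parse JSON-lines into event dicts, keeping the source line number."""
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["line"] = n
        events.append(ev)
    return events


def triage(log_text):
    """Return (line, user, reasons) for every successful sign-in that looks risky.

    Reasons:
      no_mfa           - single factor only ("Strengthen MFA implementation")
      phone_based_mfa  - SMS/voice factor, vulnerable to SIM swapping
      unmanaged_device - not a healthy, trusted endpoint
      new_location     - country never seen in this user's clean history
    """
    seen_countries = defaultdict(set)
    findings = []
    for ev in parse_events(log_text):
        if ev["result"] != "success":
            continue  # a denied attempt is not access; out of scope here
        reasons = []
        mfa = ev.get("mfa", "none")
        if mfa == "none":
            reasons.append("no_mfa")
        elif mfa in PHONE_BASED_MFA:
            reasons.append("phone_based_mfa")
        if not ev.get("device_managed", False):
            reasons.append("unmanaged_device")
        history = seen_countries[ev["user"]]
        if history and ev["country"] not in history:
            reasons.append("new_location")
        if reasons:
            findings.append((ev["line"], ev["user"], reasons))
        else:
            # Only clean sign-ins extend the baseline, so a suspicious one
            # cannot launder a new country into the user's history.
            history.add(ev["country"])
    return findings


def main():
    for line, user, reasons in triage(SAMPLE_LOG):
        print(f"line {line}: {user}: {', '.join(reasons)}")


if __name__ == "__main__":
    main()
```

On the sample log this flags alice’s third sign-in on all three counts (SMS factor, unmanaged device, new country), bob for having no second factor at all, and carol’s first sign-in for the unmanaged device only, since she has no prior history to compare against. In production the baseline would come from weeks of history rather than the same file, and the output would feed a ticket or a conditional-access block rather than stdout.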

Cloudflare, meanwhile, has been advising Okta customers who may have been affected by the breach.

These tips may have come too late for some Lapsus$ victims, but the gang has certainly become a prized scalp for law enforcement.
