A cybercrime gang called Lapsus$ is tearing through tech giants around the world.
In the last few months alone, the group has claimed the scalps of Nvidia, Ubisoft, Samsung, Okta, and Microsoft.
Their brazen tactics have attracted a large following — and some powerful enemies.
Here’s what we know about the digital extortionists.
Who are the Lapsus$ hackers?
Lapsus$ first hit the headlines last December after taking credit for an attack on Brazil’s health ministry.
The group posted a message on the ministry’s website:
The internal data of the systems were copied and deleted. 50 Tb of data is in our hands. Contact us if you want the data back.
The group showed an early preference for Portuguese-speaking targets — and an apparent desire for attention.
In a January attack on one of Portugal’s biggest media conglomerates, the hackers sent a false news alert that read:
Breaking: President removed and accused of murder: Lapsus$ is Portugal’s new president.
The group has sent messages in Brazilian Portuguese and is believed to operate out of South America.
However, representatives in the gang’s Telegram channel — which has attracted over 45,000 subscribers — typically speak English. One Lapsus$ member was allegedly doxxed as a 16-year-old-boy living in the UK.
While the gang’s attacks are frequent and their victims high-profile, their tactics have been described as amateurish.
The LAPSUS$ ransomware group appear to be incredibly inexperienced with OPSEC. They posted their message boasting about access to Microsoft's internal DevOps environment *while still exfiltrating source code*. We can tell by looking at the timestamp of the files in their leak. ?♂️ https://t.co/NaU38cypUw pic.twitter.com/AryXJS12A1
— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022
“This group appears to be a young and inexperienced group who are struggling to actually receive any payments for all of this extortion work,” researchers at Silent Push, a threat intelligence firm, wrote in a blog post.
What are their tactics?
Lapsus$ is frequently described as a ransomware group, but its methods are more akin to data extortion.
Microsoft said gang members use “a pure extortion and destruction model without deploying ransomware payloads.”
They typically focus on compromising user identities to access an organization.
These credentials enable them to access corporate systems and steal valuable data, which they use to extort the victim.
They also target organizations by recruiting company employees who can provide access to sensitive data. Lapsus$ has offered payments for insider access on the group’s Telegram channel.
The group’s other suspected methods include DNS spoofing attacks, SIM-swapping, and phishing campaigns.
Who are their targets?
The group’s early focus on Portuguese-language organizations has now expanded globally.
The recent targets include American GPU giant Nvidia, French gaming publisher Ubisoft, and South Korean tech titan Samsung.
The latest victim is authentication firm Okta.
In the Lapsus$ Telegram channel, members shared screenshots that showed Okta’s internal systems.
The LAPSUS$ ransomware group has claimed to breach Okta sharing the following images from internal systems. pic.twitter.com/eTtpgRzer7
— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022
After initially being accused of downplaying the breach, Okta revealed that up to 366 of its clients had been affected.
In a series of blog posts, Okta’s Chief Security Officer, David Bradbury, said the hackers had compromised the systems by remotely accessing the computer of a third-party engineer.
While Bradbury told customers that no corrective actions were necessary, Okta’s response has been criticized. Shares in the company fell 10.5% on Wednesday, Reuters reports.
How can we stay safe?
The Lapsus$ crime spree has left many organizations fearful that they’ll be the next targets. If you’re one of them, Microsoft has this advice:
- Strengthen MFA implementation.
- Require healthy and trusted endpoints.
- Leverage modern authentication options for VPNs.
- Strengthen and monitor your cloud security posture.
- Improve awareness of social engineering attacks.
- Establish operational security processes in response to DEV-0537 intrusions.
Cloudflare, meanwhile, has offered advice to Okta customers who may have been affected by the breach.
These tips may have come too late for some Lapsus$ victims, but the gang has surely now become a prized scalp for cyber cops.
Get the TNW newsletter
Get the most important tech news in your inbox each week.