Who is Lapsus$, the theatrical cyber gang that attacked Okta, Samsung, and Microsoft?

The extortionists are running rampant

Who are the Lapsus$ hackers?

Lapsus$ first hit the headlines last December after taking credit for an attack on Brazil’s health ministry.

The group posted a message on the ministry’s website:

The group showed an early preference for Portuguese-speaking targets — and an apparent desire for attention.

In a January attack on one of Portugal’s biggest media conglomerates, the hackers sent a false news alert that read:

The group has sent messages in Brazilian Portuguese and is believed to operate out of South America.

However, representatives in the gang’s Telegram channel — which has attracted over 45,000 subscribers — typically speak English. One Lapsus$ member was allegedly doxxed as a 16-year-old-boy living in the UK.

While the gang’s attacks are frequent and their victims high-profile, their tactics have been described as amateurish.

“This group appears to be a young and inexperienced group who are struggling to actually receive any payments for all of this extortion work,” researchers at Silent Push, a threat intelligence firm, wrote in a blog post.

What are their tactics?

Lapsus$ is frequently described as a ransomware group, but its methods are more akin to data extortion.

Microsoft said gang members use “a pure extortion and destruction model without deploying ransomware payloads.”

They typically focus on compromising user identities, such as employee credentials and accounts, to gain access to an organization.

These credentials enable them to access corporate systems and steal valuable data, which they then use to extort the victim.

They also target organizations by recruiting company employees who can provide access to sensitive data. Lapsus$ has offered payments for insider access on the group’s Telegram channel.

The group’s other suspected methods include DNS spoofing attacks, SIM-swapping, and phishing campaigns.

Who are their targets?

The group’s early focus on Portuguese-language organizations has now expanded globally.

The recent targets include American GPU giant Nvidia, French gaming publisher Ubisoft, and South Korean tech titan Samsung.

The latest victim is authentication firm Okta.

In the Lapsus$ Telegram channel, members shared screenshots that showed Okta’s internal systems.

After initially being accused of downplaying the breach, Okta revealed that up to 366 of its clients had been affected.

In a series of blog posts, Okta’s Chief Security Officer, David Bradbury, said the hackers had compromised the systems by remotely accessing the computer of a third-party engineer.

While Bradbury told customers that no corrective actions were necessary, Okta’s response has been criticized. Shares in the company fell 10.5% on Wednesday, Reuters reports.

How can we stay safe?

The Lapsus$ crime spree has left many organizations fearful that they’ll be the next targets. If you’re one of them, Microsoft has this advice:

Cloudflare, meanwhile, has offered advice to Okta customers who may have been affected by the breach.

These tips may have come too late for some Lapsus$ victims, but the gang has surely now become a prized scalp for cyber cops.

Story by Thomas Macaulay

Thomas is a senior reporter at TNW. He covers European tech, with a focus on AI, cybersecurity, and government policy.
