
What is the Lapsus$ group and who is behind the criminal operation?
The Lapsus$ hacking group has arguably been the most prolific threat to cyber security in 2022, with numerous high-profile businesses admitting to breaches at the hands of the newcomers.
The likes of Nvidia, LG, Microsoft, and Okta are among the most notable victims of Lapsus$ in the space of just three months, and up until late March very little was known about the mysterious collective.
Unlike most of the ‘successful’ hackers in recent times, Lapsus$ is unique in that it doesn’t operate on a ransomware model, deploying other tactics to extort victims through financially motivated campaigns. Since the most recent supply chain attack on identity and access business Okta, the group has announced that it will be taking a hiatus, but the inner workings of Lapsus$ will be studied by cyber criminals long after the group ends for good.
Who is behind Lapsus$?
Perhaps the biggest uncertainty when it comes to analysing Lapsus$ is identifying who is behind the cyber criminal organisation. Onlookers have been left perplexed by the group that appears to be both “competent and incompetent at the same time,” according to security expert Marcus Hutchins.
On one hand, the group has claimed numerous high-profile scalps that even the most experienced cyber criminals would be proud to hang from their mantle. But the group also displays a gung-ho approach to operational security. Rather than hiding in the shadows, it advertises its activity for all to see via a public Telegram channel and even offers channel members a way to vote on which company’s data is leaked next.
“They appear to be kids but are claiming responsibility for hacking top tier companies,” said Hutchins – a thought echoed by independent security researcher Bill Demirkapi who said the group “appear to be incredibly inexperienced with OPSEC. They posted their message boasting about access to Microsoft’s internal DevOps environment while still exfiltrating source code”.
Researchers at Check Point said the Lapsus$ hackers are Portuguese and are from Brazil, saying that its first major breach was in December 2021, the month in which the operation started, and targeted Brazil’s Ministry of Health and other government agencies.
A separate breaking report from Bloomberg suggested the entire operation is being led by a 16-year-old based in Oxfordshire, UK, with other members also being based in the UK and Brazil.
UK law enforcement made seven arrests on 24 March in connection with the Lapsus$ group and the City of London Police wouldn’t immediately confirm if the 16-year-old was included. The seven arrests included individuals aged between 16 and 21; they were all released but investigations remain ongoing.
How does Lapsus$ operate?
A breakthrough piece of research published by Microsoft in March 2022 detailed the company’s investigation into the group, uncovering the inner workings of how it operates and how it was able to breach some of the biggest organisations on the planet.
Microsoft made no reference to who was behind the group or where it was based, but said Lapsus$ was a large-scale social engineering and extortion campaign, operating on a pure extortion and destruction model.
The seemingly juvenile perception of the group juxtaposes its doubtless expertise and sophistication in carrying out attacks. Microsoft said the attack methods used by Lapsus$ were varied and elaborate, and that some were used less frequently by other, more mature threat actors.
Social engineering and initial access
The social engineering tactics displayed by Lapsus$ gave the “hackers intimate knowledge” of employees and companies, Microsoft said. The goal of the group is to gain elevated access to businesses through stolen credentials that enable data theft and destructive attacks, often with a corporate extortion element.
The group was observed calling help desks and convincing them to reset account credentials after studying how they work, and dropping into crisis communication channels in platforms like Slack and Teams. Because the hackers had already breached the company, they could watch how it responded to the security incident and adjust their own activity to evade detection.
Lapsus$ achieves initial access through a variety of methods, including deploying the Redline password stealer and searching public code repositories for exposed credentials. It has also been found to have bought business credentials, perhaps through initial access brokers – an observation corroborated by ransomware gang Arvin Club. In other cases, Lapsus$ simply paid company employees directly for access, a tactic it openly advertised on Telegram.
The cyber criminals use remote desktop protocol (RDP) and virtual desktop infrastructure (VDI) such as Citrix to remotely access a business’ environment.
Lapsus$ bypasses multi-factor authentication (MFA) using techniques such as session token replay and spamming genuine account holders with MFA prompts after stealing their passwords.
The group said in a Telegram chat channel that spamming MFA prompts while employees are sleeping is likely to get people to approve the attempts in order to shut off the notifications.
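The MFA prompt-spamming described above leaves a recognisable pattern in authentication logs: a burst of push prompts for one account in a short window, often outside working hours, sometimes ending in an approval. The following detector is an added example written for this article and is not code from Microsoft or from any vendor; the log format, the event names and the thresholds are all constructed for the illustration and would need to be mapped onto a real identity provider's audit export.

```python
"""Detect MFA push fatigue ("prompt bombing") from authentication log lines.

Added example: the log format, event names and thresholds below are
assumptions constructed for this illustration, not a vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, user, event, source IP (one per line).
# "alice" receives four prompts in under three minutes at 02:00 UTC and finally
# approves one; "bob" is a normal single-prompt login during the working day.
SAMPLE_LOG = """\
2022-03-20T02:11:05Z alice mfa_push_sent 203.0.113.7
2022-03-20T02:11:40Z alice mfa_push_timeout 203.0.113.7
2022-03-20T02:12:02Z alice mfa_push_sent 203.0.113.7
2022-03-20T02:12:44Z alice mfa_push_denied 203.0.113.7
2022-03-20T02:13:10Z alice mfa_push_sent 203.0.113.7
2022-03-20T02:13:55Z alice mfa_push_sent 203.0.113.7
2022-03-20T02:14:30Z alice mfa_push_approved 203.0.113.7
2022-03-20T09:00:00Z bob mfa_push_sent 198.51.100.4
2022-03-20T09:00:20Z bob mfa_push_approved 198.51.100.4
"""

PUSH_THRESHOLD = 3             # prompts within WINDOW that count as a burst (assumed)
WINDOW = timedelta(minutes=10)
OFF_HOURS = range(0, 6)        # 00:00-05:59 UTC, when users are unlikely to be working


def parse_log(text):
    """Parse the constructed line format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events):
    """Return one alert per user whose prompts reach PUSH_THRESHOLD inside WINDOW.

    Each alert records whether the burst ended in an approval (the case a
    responder must treat as a likely compromised session) and whether it
    started during off-hours, which the article notes is when users are most
    likely to approve just to stop the notifications.
    """
    by_user = defaultdict(list)
    for ts, user, event, ip in sorted(events):
        by_user[user].append((ts, event, ip))

    alerts = []
    for user, evs in by_user.items():
        sent = [ts for ts, ev, _ in evs if ev == "mfa_push_sent"]
        for start in sent:
            end = start + WINDOW
            prompts_in_window = [t for t in sent if start <= t < end]
            if len(prompts_in_window) < PUSH_THRESHOLD:
                continue
            approved = any(ev == "mfa_push_approved" and start <= ts < end
                           for ts, ev, _ in evs)
            ips = sorted({ip for ts, _, ip in evs if start <= ts < end})
            alerts.append({
                "user": user,
                "prompts": len(prompts_in_window),
                "first_prompt": start.isoformat(),
                "approved_after_burst": approved,
                "off_hours": start.hour in OFF_HOURS,
                "source_ips": ips,
            })
            break  # one alert per user per run is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

An alert with `approved_after_burst` set is the one to act on first: the session established by that approval should be revoked and the password reset, since the article's description implies the attacker already holds it. Number matching or other phishing-resistant MFA removes the approval-by-fatigue path altogether, which is why the detector is a stopgap rather than a fix.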
Harvesting data and extortion tactics
Microsoft said Lapsus$ also used virtual private networks (VPNs) intelligently and in a way that demonstrated the criminals understood how cloud monitoring services detect suspicious activity. For example, it said Lapsus$ chose local egress points to prevent impossible travel alerts from being triggered.
The group also created virtual machines on victims’ cloud infrastructure to launch further attacks before locking the business out of its cloud platform entirely. Once Lapsus$ achieved total control, it would ensure all of the organisation’s inbound and outbound e-mail was forwarded to its own infrastructure, where it would harvest as much data as it could before deleting systems and resources. At this point, in some cases, Microsoft said Lapsus$ would then either extort the victims to prevent the release of the data or simply post it online publicly.
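Forwarding an organisation's mail to outside infrastructure, as described above, usually shows up as inbox or transport rules whose destination is a domain the organisation does not own. The audit below is an added example written for this article, not Microsoft's or any vendor's tooling; the rule records, the domain list and the field names are constructed assumptions standing in for whatever a real mail platform exports.

```python
"""Audit mailbox forwarding rules for destinations outside the organisation.

Added example: the rule export format (mailbox, name, forward_to, conditions)
and the domains are constructed for this illustration, not a product schema.
"""
INTERNAL_DOMAINS = {"example.com"}  # assumed: domains the organisation owns

# Constructed sample export: one dict per inbox rule. The second rule uses an
# inconspicuous name and no conditions, so it silently forwards everything.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Archive invoices",
     "forward_to": ["archive@corp.example.com"],
     "conditions": {"subject_contains": "invoice"}},
    {"mailbox": "cfo@example.com", "name": ".",
     "forward_to": ["collector@attacker-controlled.example.net"],
     "conditions": {}},
    {"mailbox": "helpdesk@example.com", "name": "Escalate incidents",
     "forward_to": ["soc@example.com", "backup@personal-mail.example.org"],
     "conditions": {"subject_contains": "incident"}},
]


def is_internal(address, internal_domains=INTERNAL_DOMAINS):
    """True if the address's domain is an owned domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def external_recipients(addresses, internal_domains=INTERNAL_DOMAINS):
    """Return the subset of addresses that leave the organisation."""
    return [a for a in addresses if not is_internal(a, internal_domains)]


def audit_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Flag every rule that forwards to an external domain.

    An unconditional rule (no conditions) forwards the whole mailbox and is
    rated "high"; a conditional one still leaks but is rated "medium".
    """
    findings = []
    for rule in rules:
        external = external_recipients(rule["forward_to"], internal_domains)
        if not external:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "external_recipients": external,
            "forwards_everything": not rule["conditions"],
            "severity": "high" if not rule["conditions"] else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

Running this against a full rule export on a schedule, and alerting on any new external destination, catches the exfiltration stage early; blocking automatic external forwarding at the tenant level removes the technique entirely, which is preferable to detecting it after the fact.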
Lapsus$’s lucrative rewards
An unverified analysis of what is thought to be one of the wallet addresses associated with the Lapsus$ group, by cyber security researchers Soufiane Tahiri and Anis Haboubi, has revealed a total revenue of 3,790.62159317 in Bitcoin (€151,826,168).
The finding has not been confirmed by Lapsus$ or any other entity involved in investigations into the group, although the details of the group’s cryptocurrency wallet address were made available to members of its Telegram chat channel.
Ⓒ Future Publishing