What happened to the Lapsus$ hackers?

[Editor’s note: This article originally appeared on the CSO Germany website on July 29.]

Claire Tills, senior research engineer at Tenable, describes the methods of the hacking group Lapsus$ as bold, illogical and poorly thought out. The criminals attacked renowned companies such as Microsoft, Samsung, Nvidia, Vodafone, Ubisoft and Okta. They stole data and sometimes used ransomware to extort their victims.

How Lapsus$ became famous

In contrast to other cybercriminal gangs, Lapsus$ organizes itself exclusively through a private Telegram group and does not operate a leak site on the dark web. As Tills wrote, the group has so far announced its next victims via Telegram. She also noted that Lapsus$ asked the community for suggestions as to which company data should be published next.

Lapsus$ garnered a lot of attention for its unconventional tactics and unpredictable methods. Early this year, for example, it was involved in the multi-stage theft of data from computer systems of the customer service provider Sitel. This in turn led to a security incident at IAM provider Okta. According to Tills, the group then relied heavily on classic tactics such as

• Initial access via purchased or publicly accessible login databases

• Password theft

• Paying employees for their access data

• Bypassing multi-factor authentication by spamming submissions or contacting the helpdesk

• Access to applications such as VPNs, Microsoft SharePoint or virtual desktops to collect additional credentials and access sensitive information

• Elevating permissions by exploiting unpatched vulnerabilities in Jira, GitLab and Confluence

• Smuggling data out via NordVPN or free file drop services and then wiping resources

• Leverage access to victim’s cloud environments to build attack infrastructure and remove all other global administrators

Does Lapsus$ stay dormant?

Although it is difficult to identify individual members of the hacking group, law enforcement agencies have been able to trace Lapsus$’s operations to a few teenagers in Brazil and the UK. From the subsequent arrests and “apparent silence from the group,” Tills concludes that the hackers are talented but inexperienced.

Lapsus$ has been quiet for a few months (although Cisco claims the group was among those responsible for a breach of its IT network in May). Tills did not speculate whether this is because some members were unmasked and arrested, or whether the teenagers simply lost interest. Instead, she concluded her report with an appeal: “Ransomware extortion attacks will never end unless they become too complicated or too costly. Organizations should consider what defenses they have against the tactics used, how they can be hardened, and whether their crisis response plans effectively take these incidents into account. Therefore, the danger emanating from hacker groups like Lapsus$ should not be downplayed. Especially since the group successfully attacked large international tech groups with simple tactics, sometimes with serious consequences.”