The hacking group Lapsus$ recently made waves by releasing source code it claimed to have stolen from Microsoft and Okta.
The group has recently been linked to cyber attacks on some high-profile targets, breaking into Vodafone, Samsung and Nvidia, among others. The cyber gang, known for extortion, threatens to release sensitive information if its demands are not met by its victims.
Here’s a closer look at Lapsus$, its motivations, targets and some of the high-impact methods the group uses to gain access to targeted organisations.
Lapsus$ — Who are they?
Many researchers suspect that Lapsus$ originated in South America. The group was first seen in December 2021, and its early attacks were aimed at organisations in the United Kingdom and South American countries.
However, its operations have since grown larger and become worldwide. The Lapsus$ group claims to exfiltrate data from various organisations and demands money for not disclosing the sensitive information to the public, similar to ransomware gangs. Unlike traditional ransomware groups, however, the Lapsus$ extortion group does not use their file encryption and machine lockout techniques.
Its targets span a range of sectors: government, technology, telecom, media, retail and healthcare. It also attacks cryptocurrency exchanges to steal cryptocurrency holdings.
How was Microsoft hacked?
The Lapsus$ group claimed this week that it has stolen data from Microsoft, adding that it had accessed source code for core Microsoft products Bing, Cortana, and Bing Maps.
In a new blog post, Microsoft has confirmed that one of its employees’ accounts was compromised by Lapsus$, providing limited access to source code repositories.
Microsoft’s blog post has given some clues on how these attacks took place, though the group appears to have deployed a wide variety of methods. The blog post refers to Lapsus$ as DEV-0537, and according to the tech major, the hackers rely on “large-scale social engineering and extortion campaigns against multiple organisations…”
According to Microsoft, the group relies on a “pure extortion and destruction model without deploying ransomware payloads.”
Why did Okta come into the limelight?
The Okta hack in particular is worrisome because the San Francisco-based company provides online authentication services to several prominent players such as FedEx Corp, T-Mobile, Moody’s Corp and Coinbase Global and even cloud services provider Cloudflare.
Okta stated that around 366 of its customers are impacted, though it insisted that the attackers never gained direct access to its overall system. According to Okta’s statement, the hackers got access via “a machine that was logged into Okta”. The activity was detected as part of an unsuccessful attempt to compromise the account of a customer support engineer in January 2022, and Okta had alerted those at risk as part of the process at the time.
The statement claims the scenario is equivalent to one “walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard.”
According to Lotem Finkelsteen, Head of Threat Intelligence and Research at Check Point Software, “If true, the breach at Okta may explain how Lapsus$ has been able to achieve its recent string of successes. Thousands of companies use Okta to secure and manage their identities. Through private keys retrieved within Okta, the cyber gang may have access to corporate networks and applications. Hence, a breach at Okta could lead to potentially disastrous consequences.”
Okta’s services are used by other organisations for Single Sign-On and Multi-factor Authentication to let their users log in to online apps and websites.
Who were the other targets?
The main targets are large technology companies that operate in the telecommunications, hardware, software, and game industries. For initial access, the Lapsus$ group tries to recruit insiders at its potential targets.
For example, the Covid database of the Brazilian Ministry of Health was compromised, and confidential data was stolen. Telecommunications companies Claro, Embratel, and NET were breached, and sensitive data such as customer information, infrastructure data, source code, and wiretap orders were stolen.
Nvidia confirmed that employee credentials and proprietary data such as schematics, drivers, and firmware were stolen and leaked. Similarly, 200 GB of proprietary source code was stolen from Vodafone.
Samsung was breached, and source code for authentication mechanisms, bootloaders, and DRM modules was stolen and leaked. Identity and Access Management company Okta was attacked, and the Lapsus$ group reset the passwords and multi-factor authentication of Okta customers. Credential hashes of user and service accounts of LG Electronics were stolen.
What are the targeted companies doing?
Microsoft said in its blog post that its cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.
“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” the company added in a blog post.
The company said it is continuing to investigate the breach and has been tracking the group’s activities for some time now.
Meanwhile, Nvidia has said it is “still working to evaluate the nature and scope of the event.”
Regarding Samsung, the group had posted screenshots showing it had access to nearly 200GB of data, including source code used by Samsung for encryption and biometric unlocking functions on Galaxy devices.
Samsung’s statement had said that no personal data belonging to employees or customers was stolen, though it said there was a security breach relating to “internal company data.”
What is the motivation behind Lapsus$?
While several eyebrows have been raised about Lapsus$ itself and the group’s motivations, researchers have consistently found that it is a loose, disorganised group that is likely based in South America. But the scale and scope of the organisations Lapsus$ has been able to compromise so far do raise an alarm. For example, Jonathan Knudsen, Senior Software Strategist, Synopsys Software Integrity Group, believes that based on the scope and frequency of attacks, Lapsus$ appears to be a well-resourced organisation, likely backed by organised crime or a nation-state.
Now, cybersecurity researchers investigating the attacks have traced them to a 16-year-old living with his mother near Oxford, England, according to a Bloomberg report. While the researchers have identified seven accounts associated with the hacking group, including one traced to another teenager in Brazil, they believe the teenager from England is the mastermind and is behind some of the major Lapsus$ hacks. By comparison, the hackers behind the earlier Twitter breach turned out to be a 17-year-old Minecraft scammer and other vanity handle brokers.
Why is Lapsus$ not a ransomware group?
Although it extorts money from its victims, the Lapsus$ group should not be considered a ransomware group, for several reasons. A typical ransomware group develops a ransomware strain and follows a recognisable set of adversary TTPs, and there is no crypto-ransomware or locker that can be associated with Lapsus$. The Lapsus$ extortion gang also does not follow the ransomware attack lifecycle. For example, ransomware groups aim to entirely stop the victim’s operations to force them into paying the demanded ransom, whereas Lapsus$ victims can maintain their daily operations. In some cases, the Lapsus$ group conducted destructive cyberattacks and irreversibly damaged the victim’s data, an unlikely technique for ransomware groups, whose business depends on the data being recoverable once the ransom is paid.