Analysis of LAPSUS$ Intrusion Set
LAPSUS$ is a relatively new English and Portuguese speaking intrusion set that recently made the news by conducting big game hunting via single extortion schemes (data theft) on both public and private entities; some of them being Electronic Arts, The Ministry of Health (MoH) of Brazil, Microsoft or Okta. To this date, Personal Identifiable Information (PII) are less prone to get targeted and exfiltrated upon attacks, only Mercado Libre & Okta suffered such breaches. Instead, this intrusion set focuses on proprietary source code (that could however contain PII) unless not intended end-target are at play (targeting customers’ victims or to bypass MFA).
LAPSUS$ intrusion set does not encrypt victim’s data (with the exception of the MoH), though some members might have employed ransomwares in a pre-LAPSUS$ era (at least one member of the group claimed he did). In order to breach into its victims’ networks, this intrusion set employs not only advanced social engineering techniques that encompass SIM swap attacks against the telecommunication sector and spearphishing, but also the acquisition of active passwords & session tokens on specialized dark web markets and forums.
The first targeted countries were exclusively Lusophone entities. LAPSUS$ intrusion set then broadened its hunting areas to France, the United States, Argentina, South Korea and Nepal. Several industries operating in various sectors of activity have fallen victim to the schemes of the LAPSUS$ intrusion set, including a video game company, telecom/media conglomerates and high tech firms. To the best of our knowledge, the only public sector that was targeted hit several ministries of the Brazilian government.
This intrusion set made various opsec errors that were leveraged, either by members being part of LAPSUS$, or close enough to the intrusion set to conduct doxing operations. At least one of the LAPSUS$’s member has seen its identity doxed (white aka Alexander). This group seems primarily motivated by personal gains more than hacktivism. TTPs observed upon several campaigns could be categorized at the first glance into the scope of ideology (hacktivism) and/or notoriety, which could emanate from a composite group with misaligned skills and motivations. We have good reasons to believe that a more probable scenario is the leveraging of the medias as an echo chamber to increase pressure on victims to gather higher ransom amounts.
In this context, the City of London Police announced the 24th of March 2022 that seven teenagers between the ages of 16 and 21 were arrested. We don’t know if the supposedly “mastermind” of the LAPSUS$ intrusion set is amongst the seven, while all have been released under investigation, though investigations are still ongoing. LAPSUS$ admins remain active and Intrinsec CTI team currently cannot confirm what impact those investigations will have on the next operations already planned by this intrusion set.
As one could wonder, we’d like to mention that this intrusion set is not related whatsoever with the armed conflict in Ukraine.
Other analysis
Ongoing threats targeting the energy industry
Cyber Threats targetting the energy industry GuLoader Information reportKey findings In this report are presented: The origin of the malware and...
Cybercrime Threat Landscape August 2023
Here is a retrospective of the major trends observed by Intrinsec's Cyber Threat Intelligence team regarding the month of August 2023. This...
Cybercrime Threat Landscape May 2023
Here is a retrospective of the major trends observed by Intrinsec's Cyber Threat Intelligence team regarding the month of May 2023. This cybercrime...
ALPHV ransomware gang analysis
ALPHV (or BlackCat or Noberus) ransomware emerged only last December and is already considered as a genuine...
N'hésitez pas à nous contacter
Laissez-nous un message décrivant vos besoins en sécurité, ou bien contactez-nous si vous souhaitez avoir des informations concernant nos activités. Nous vous répondrons dans les meilleurs délais.
N’oubliez pas de renseigner votre adresse e-mail ou téléphone afin que nous puissions vous recontacter rapidement.