A New Threat Actor Group Emerges: Understanding Lapsus$

Patrick Barnett
Author: Patrick Barnett, CISA, CISM, CEH, CISSP, PCI QSA, PCIP
Date Published: 3 September 2024

Who is Lapsus$?

Lapsus$ is a small, unorganized multi-national threat group formed in 2021.1 The Federal Bureau of Investigation (FBI) suspects Lapsus$ has ten or eleven members, believed to be mostly teenagers. To date, Lapsus$ members have been tracked to Brazil and the UK. Many cybersecurity experts refer to Lapsus$ as script-kiddies, but they are more than script-kiddies, though certainly not as sophisticated as many other high-profile threat groups. It is crucial to understand the activities of this specific threat group, given their repeated successes in breaching security measures. Organizations must thoroughly understand Lapsus$ to proactively safeguard their data, rather than merely reacting to breaches.

Motivations

The FBI wants Lapsus$ for stealing source code from several USA-based technology companies. Like most other threat groups, Lapsus$ is solely motivated by financial gain.2 Lapsus$ has successfully attacked Microsoft, Nvidia, Samsung, Okta, Uber, Rockstar Games, the Brazilian Ministry of Health, the Argentinian e-company Mercado Libre, Ubisoft, and T-Mobile.

In March of 2022, Lapsus$ compromised a Microsoft server and exfiltrated source code for several products. The products include Bing, Bing Maps, and Cortana. Later, Lapsus$ published 9 gigabytes of this source code followed by another release of 37 gigabytes.

Microsoft later confirmed the Lapsus$ data breach but assured everyone the source code would not impact customers in any way.

Using SIM switching, Lapsus$ uses multiple attack vectors associated with MFA compromises, social engineering, and mobile device compromises. Additionally, Lapsus$ uses remote desktop tools, gains privileged credentials, and recruits insiders to help conduct their attacks. Lapsus$ advertisements on both the world wide web and dark web, have promised large and rapid payments for employees willing to assist Lapsus$ in their attacks. While insider threats have always been present, Lapsus$ has utilized this technique more effectively than other common threat groups.

The FBI wants Lapsus$ for stealing source code from several USA-based technology companies. Like most other threat groups, Lapsus$ is solely motivated by financial gain.

Lapsus$ posts stolen data and information on dark websites for sale.3 A couple of years ago, Lapsus$ attacked the messaging application Telegram and exfiltrated data on more than 45,000 subscribers. This incident underscores the importance of vigilance, as even widely used and trusted platforms can fall victim to sophisticated cyberattacks. By staying informed and prepared, organizations can better protect their sensitive information and maintain the trust of their users.

Lapsus$ Leaders

In March 2022,4 seven people between the ages of 16 and 21 were arrested by the City of London Police in the UK in an investigation of Lapsus$. Sixteen-year-old Arion Kurtaj, one of the core members, was charged alongside a 17-year-old in April 2022.5 He was later found not fit to stand trial and sentenced indefinitely to a mental hospital in the UK.

Lapsus$ made their “bones” by obtaining access to corporate credentials from privileged employees. Sometimes these credentials were acquired by recruiting insider help and then using remote desktop tools to gain network and sensitive data access. There is nothing very sophisticated about any of Lapsus$’s attack methods. The techniques are simplistic, thus the script-kiddies (unskilled) tag.

So, what is different about Lapsus$? Let us identify a few key differences:

  • They are teenagers.
  • They are unsophisticated, mostly script kiddies.
  • They use old rudimentary techniques, that unfortunately still work sometimes.
  • They recruit insiders (insiders to companies they attack) to assist.
  • Several of their members have been arrested.
  • According to most analysts, they do not appear to have ever collected many ransoms.
  • When one of the teenage threat actors is arrested, the sentencing is minimal.
  • Lapsus$ can quickly recruit additional teenagers to their threat group, even multi-nationally.
  • Lapsus$ concentrates on stealing source code and intellectual property.
  • Lapsus$, while unsophisticated, has deployed enough determination to attack some big companies successfully.

Organizations need to consider a few matters when thinking about Lapsus$. Namely, what measures can help an organization prevent or detect insiders from sharing credentials, usernames and passwords, network or VPN information, or even active sessions? Additionally, what enhanced security protocols should be implemented for internal users who repeatedly fail phishing exercises?

Reducing Risk Associated with Lapsus$

So, what should you do to reduce risk associated with Lapsus$? Without insider assistance, Lapsus$ poses little danger to most mature cybersecurity organizations. There are several ways organizations can reduce the likelihood of Lapsus$ attacks:

  • Conduct background checks on employees who manage money or have elevated credentials before hiring. Ideally, organizations should consider doing annual credit checks and drug tests.
  • Implement a Data Loss Prevention program.
  • Consider a zero-trust model and privileged access management (PAM). With PAM, failed or abnormal login attempts will generate an incident report for further investigation.
  • Use SIEM tools to monitor confidential or sensitive data.
  • Harden all endpoints using Center for Internet Security (CIS) or the National Institute for Standards and Technology (NIST) benchmarks.
  • Ensure all cloud-based infrastructures have robust logging.
  • Ensure Cloud Administrator access is configured to prevent unauthorized access to resources, and API keys have minimal permissions.
  • Use strong MFA for both cloud and remote access.
  • Deploy robust logging for the MFA infrastructure.
  • Use Geo-blocking whenever possible.
  • Ensure robust logging on VPN services and investigate all anomalies.
  • Record all helpdesk queries.
  • Avoid using SMS as an MFA vector to avoid the risk of SIM swapping.
  • Eliminate remote desktop services or gateways and utilize VPNs with MFA whenever possible.
  • Implement a cutting-edge, cloud-based solution to centralize log ingestion and AI-driven anomaly detection, continuously updating use cases with real-time threat intelligence.
  • Utilize immutable backups, and practice restorations regularly.
  • Eliminate long MFA and session token times.
  • Develop a principle of least privilege for everyone. Only give the access and tools needed to perform job functions.
  • Provide robust training for all staff.

Indicators of Compromise (IOC’s)

Organizations should utilize these indicators of compromise to prevent Lapsus$ IP addresses, hostnames or domain names from connecting to corporate networks. 

Indicator Value Indicator Type Description

104.238.222[.]158

IP address

Malicious Lapsus Network Address

108.61.173[.]214

IP address

Malicious Lapsus Network Address

185.169.255[.]74

IP address

Malicious Lapsus Network Address

VULTR-GUEST

Hostname

Threat Actor Controlled Host

hxxps://filetransfer[.]io

Domain

Free File Drop Service Used by the Threat Actor

Mitre Att&ck6

Additionally, organizations should implement a cutting-edge, cloud-based solution to centralize log ingestion and AI-driven anomaly detection, continuously updating use cases with real-time threat intelligence. Furthermore, organizations should integrate the MITRE ATT&CK framework when developing use cases, triggers, or rules for monitoring Indicators of Compromise (IOCs) internally.

Code Technique

T1482

Discovery- Domain Trust Discovery

T1018

Discovery- Remote System Discovery

T1069.002

Discovery- Groups Discovery: Domain Groups

T1016.001

Discovery- System Network Configuration Discovery

T1078.002

Privilege Escalation- Domain Accounts

T1555.005

Credential Access- Credentials from Password Stores: Password Managers

T1021.001

Lateral Movement- Remote Services: Remote Desktop Protocol

T1534

Lateral Movement- Internal Spear phishing

T1072

Execution- Software Deployment Tools

T1039

Collection- Data from Network Shared Drive

T1212.002

Collection- Data from Repositories: SharePoint

T1213:003

Collection- Data from Information Repositories: SharePoint

T1485

Impact- Data Destruction

T1567

Exfiltration- Exfiltration over Web Services

T1529

Impact- System shutdown or reboot

Impact

Lapsus$ data theft primarily targets application source code and proprietary technical information.7 This may include API keys to sensitive applications including enterprise or cloud applications. The API keys or session tokens could be used for further attacks by Lapsus$, or to sell to other threat groups for data exfiltration or ransomware attacks. InfoSec professionals must consider, as Lapsus$ matures, that they may further update their tactics and exfiltrate confidential data for financial gain. To organizations across the globe, data loss is often the worst-case scenario. Therefore, organizations must remain vigilant against Lapsus$ and secure their data by adhering to regulations and standards outlined by governing bodies. By implementing robust security measures and staying informed about evolving threats, organizations can better protect their sensitive information and mitigate the risk of data breaches.

Conclusion

Lapsus$ may have started as a group of unsophisticated teenagers, but their growing experiences may lead to more refined cyberattacks in the future. They are rapidly becoming a real threat, especially to organizations with intellectual property, source code, and confidential data. Lapsus$ can destroy client networks by shutting down virtual machines, networks, and storage facilities, and pivoting to cloud environments. Lapsus$ is unlikely to vanish from the threat landscape and may even grow in sophistication and profitability as its key members mature, acquiring more advanced skills and business acumen. Lapsus$ is no longer merely a group of wily teenagers, but a maturing threat that organizations must be on the lookout for.

Endnotes

1 BlackBerry, “Who is the Lapsus$ Group?”
2 FBI.gov, Most Wanted: LAPSUS$, 21 March 2022
3 KrebsonSecurity, “A Closer Look at the LAPSUS$ Data Extortion Group,” 23 March 2022
4 Roth, E.; “Lapsus$ Cyberattacks: The Latest News on the Hacking Group,” The Verge, 21 December 2023
5 Tidy, J.; Lapsus$:Court Finds Teenagers Carried out Hacking Spree
6 MITRE ATT&CK, ATT&CK®
7 nccgroup, LAPSUS$: Recent Techniques, Tactics and Procedures, 28 April 2022

Patrick Barnett

Is an incident response principal consultant for SecureWorks. He has more than 30 years of experience as a cybersecurity professional and specializes in network engineering with a focus on security. In previous roles, he acted as chief information security officer (CISO) and chief information officer (CIO) and has served as vice president at a large financial enterprise. Barnett is driven by a passion for seeing cybersecurity done right and is committed to aiding organizations in defining proper policies, procedures, and mechanisms to respond to security events of any size.

Additional resources