Data extortion gang Lapsus$ has emerged as one of the most notorious groups of cyber criminals of 2022 during a hacking spree which has seen it target big-name tech companies including chipmaker Nvidia, electronics giant Samsung and games publisher Ubisoft. Today Microsoft confirmed it was also a victim of a hack by Lapsus$, releasing a blog post which explained the group’s tactics in detail. But can Lapsus$ be stopped? And how has it succeeded in breaching some of the world’s most sophisticated cyber defences?
Is Lapsus$ a new kind of threat?
The methods used by Lapsus$, detailed in Microsoft’s blog post which confirmed the breach on its systems, are not complex, says Toby Lewis, global head of threat analysis at Darktrace. What is noteworthy, however, is how vocal the gang members are about who they are breaching and what they find. “Lapsus$ do not necessarily represent a new threat, but a re-emergence of the days of Anonymous and Lulzsec from the mid-2010s, where hacking was used more for notoriety and political statements than financial gain,” Lewis says.
Lapsus$’s focus on data extortion, rather than making public demands for ransom from the organisations it breaches, is reflective of the evolving tactics of ransomware gangs, says Chris Morgan, senior threat intelligence analyst at Digital Shadows.
“Many extortion groups have pivoted from using ransomware to being solely reliant on publishing stolen data as a conduit for facilitating ransoms,” he says. “Groups like Lapsus$ may have identified that this method may overall be a more efficient or easy method of facilitating ransom payments.”
The gang’s use of Telegram to communicate about its activities and taunt its victims does mark it out as unusual, says a security analyst who is tracking Lapsus$ and spoke to Tech Monitor on condition of anonymity. “Lapsus$ is very interactive, it’s very out in the open,” they say. “Its members will answer questions from their followers, they’ve almost got a bit of a fan base.”
Lapsus$ hackers are not shy of taking credit for attacks. “They’ve been very forthcoming with some data and not so forthcoming with other data,” the researcher adds. “It’s all quite chaotic, I think that’s why people are interested.”
This could also be an indicator that the group is inexperienced. “They’re not thinking about the consequences that maybe a more experienced cybercrime actor would be wary of,” the analyst adds.
How is Lapsus$ able to hack into so many high-profile tech companies?
The group is highly skilled and uses a variety of techniques to infiltrate targets, explains Lewis. “It has mostly appeared to gain access through the fraudulent use of legitimate credentials, allegedly provided by insiders to the organisations they’re targeting.” However, credentials such as these could just as easily be the result of a password leak, or of the use of weak passwords more generally, he continues.
Lapsus$ could be taking advantage of credentials which are being offered up for sale by other cybercriminals. This appears to have been the case with the attack on Okta, in which the gang may have taken advantage of information leaked during a breach in January.
Social engineering appears to be a key tool for Lapsus$, explains Morgan. “The group is notoriously brazen about its activities and has previously announced its plans for insiders at specified companies,” he says. “Announcing which organisations it intends to target certainly distinguishes the group from other cyber extortionists, who will appreciate that such a public discussion of their plans could decrease the likelihood of a successful breach.”
Is the Lapsus$ hack on Microsoft a watershed moment for cybersecurity?
The significance of the breach of Microsoft will likely be determined in the coming weeks and months, says Morgan, as Lapsus$ itself may not have had time to process and understand all the data it has stolen. “A breach of source code can be severe for a technology company, potentially allowing threat actors to gain an inside look at important intellectual property, system code and other proprietary data,” he says. (Microsoft said yesterday that it “does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”)
However, the type of hack being carried out by Lapsus$ is unlikely to cause a seismic shift in cybersecurity, as it relies on basic techniques rather than severe flaws in systems.
Has Lapsus$ really recruited insiders?
Insider threats are an unusual but effective attack vector for cybercriminals, says Morgan. “A malicious insider could facilitate long-term access, upload malicious software, exfiltrate data, and do so while slipping past many of the detection mechanisms that are in place for other more technical intrusions,” he says.
The Covid-19 pandemic and ensuing financial uncertainty may have made it easier to recruit such help, Morgan says. “Many workers have been forced to adapt their working practices, take reduced hours, or potentially even lose their jobs.”
How can businesses protect their systems against Lapsus$?
Lapsus$ appears to have bypassed multi-factor authentication (MFA) checks, but has done this through the use of existing credentials, rather than any complex techniques, Morgan says. This means “mitigating these attacks will come down to user awareness, of being vigilant for suspicious activity associated with their MFA and knowing of the risks of blindly accepting requests without knowing where they are from,” he argues.
This is easier said than done, particularly for large tech businesses with distributed teams in countries around the world. Better monitoring of dark web marketplaces, where stolen credentials are offered for sale, could help act as an early-warning system for businesses that might be threatened.
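The advice above turns on users noticing unusual MFA activity, which is also something a security team can watch for in sign-in telemetry. The following is an added example, not code from the article, Microsoft or any vendor quoted here: it runs over a few constructed sign-in events (the log format, field names and IP addresses are assumptions for illustration) and flags two patterns a defender would want to see, a burst of MFA push prompts to one user inside a short window, and a prompt that is approved shortly after the same user denied prompts from the same source.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events. The JSON shape, user names and IPs are
# assumptions for this example and do not come from any real tenant or log.
SAMPLE_LOG = """
{"ts": "2022-03-22T09:00:05Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-03-22T09:00:40Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-03-22T09:01:12Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.7"}
{"ts": "2022-03-22T09:01:55Z", "user": "alice", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.7"}
{"ts": "2022-03-22T09:05:00Z", "user": "bob", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.4"}
{"ts": "2022-03-22T17:30:00Z", "user": "bob", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.4"}
"""

WINDOW = timedelta(minutes=10)   # sliding window for both detections
PROMPT_THRESHOLD = 3             # pushes inside WINDOW before a user is flagged


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_prompt_bursts(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return {user: max prompts seen in any window} for users at or above threshold.

    Uses a two-pointer sweep over each user's sorted prompt times, so it is
    linear in the number of events per user.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def find_deny_then_approve(events, window=WINDOW):
    """Return sorted (user, src_ip) pairs where an approval followed a denial
    from the same source within the window: the user first refused, then gave in."""
    last_denied = {}  # (user, src_ip) -> time of the most recent denial
    hits = set()
    for e in events:
        if e["event"] != "mfa_push":
            continue
        key = (e["user"], e["src_ip"])
        if e["result"] == "denied":
            last_denied[key] = e["ts"]
        elif e["result"] == "approved":
            denied_at = last_denied.get(key)
            if denied_at is not None and e["ts"] - denied_at <= window:
                hits.add(key)
    return sorted(hits)


def detect(log_text):
    """Run both detections and return a list of human-readable alert strings."""
    events = parse_events(log_text)
    alerts = []
    for user, count in sorted(find_prompt_bursts(events).items()):
        alerts.append(f"MFA prompt burst: {user} received {count} pushes within {WINDOW}")
    for user, ip in find_deny_then_approve(events):
        alerts.append(f"Deny-then-approve: {user} approved a push from {ip} after denying earlier ones")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed input, alice is flagged by both rules while bob, with two approvals hours apart from the same address, is not. The thresholds are starting points; in a real deployment they would be tuned against the tenant's baseline, and the deny-then-approve rule is the more valuable of the two because it captures the moment a user gives in to repeated requests, which is exactly the behaviour the analyst above says users need to recognise.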
Can Lapsus$ be stopped?
Lapsus$’s brazen focus on the biggest names in tech is a risky strategy, Morgan says, and will have attracted the attention of governments and law enforcement agencies. “They’ve targeted the big boys and are likely fully aware that while their footprint has dramatically increased, so has the target on their backs,” he says.
Security companies have also been closely monitoring the group’s activities, and this could have an impact too, says the analyst who has been following Lapsus$ closely. “It may not bring them down, but it might scare them and put them on the back foot a little bit.”
So can Lapsus$ be stopped? Even if law enforcement agencies cannot track it down, there are signs the group may be preparing to step out of the limelight. According to a message in its Telegram group today, one of the administrators apparently announced that some of the gang members were going on vacation until the end of this month. This may be an indicator that Lapsus$ is preparing to wind down activities, at least temporarily, due to the publicity generated by recent breaches.