The hacker group Lapsus$ (sometimes written LAPSUS$ or simply Lapsus) is a relatively new arrival in the cyber arena. The group began to garner public attention in December 2021 after a string of successful attacks on major corporations, prompting the Department of Homeland Security's Cyber Safety Review Board (CSRB) to devote a review to the group.
For reference, Lapsus$ is also tracked by Microsoft as DEV-0537, and it appears to have operated primarily through a Telegram channel. In March 2022, U.K. law enforcement arrested seven people in connection with the group, and in April a 16-year-old and a 17-year-old were charged in relation to the attacks.
Interestingly, Lapsus$ has been accused of "bold and illogical" tactics while still successfully attacking some of the world's largest companies. Pinning the group down has proved harder than expected, even though it has been largely dormant since the arrests. Lapsus$ is likely loosely knit and motivated by money, clout and notoriety; it even ran polls on its Telegram channel to decide its next move.
Therefore, keep in mind that “sophisticated” does not always mean complex, hyper-focused strategy or intricately planned work. Sometimes, the sophistication comes in the form of obfuscation and lack of any clear structure. Think of decentralization and chaos theory, and remember this nuance as you examine the group.
Let us take a look at some of Lapsus$’s tactics, techniques and procedures (TTPs) and highlight some of their known behaviors.
Not necessarily a ransomware group
Indicators of compromise (IOCs) and TTPs are admittedly still limited, but Lapsus$ developed a reputation for notoriety, using what some industry analysts call a different level of sophistication and unconventional means. Ransomware or not, the group clearly aims to provoke an emotional response from its victims rather than simply encrypt their data.
Perhaps one of the more novel techniques by the group is the active recruitment of insiders, specifically at "major mobile phone providers, large software and gaming companies, hosting firms and call centers." The approach is not without precedent outside the cyber world: if you want to increase your chances of a successful crime, turn potential victims into partners. Factor in the larger socio-economic pressures of a worsening economy, and the incentives only grow.
This is a modern-day challenge for cyber defenders. It is no longer enough to protect against purely technical threats. You also have to manage the expectations of personnel and stay alert for insiders, who may not even be disgruntled but are simply looking for a way to fill the gaps caused by economic hardship.
Causing damage from within
Unlike ransomware groups, which encrypt and extort using malicious software, Lapsus$'s approach goes back to good old-fashioned tricks: exploit humans. Once a target has been successfully recruited or credentials have been compromised, Lapsus$ has been seen deploying powerful remote access software to do its damage from within.
After establishing a foothold, the group begins its reconnaissance: mapping out paths through Active Directory, seeking opportunities for lateral movement and escalating privileges; all the moves you would expect from a malicious actor. Once successful, an attacker can lock out legitimate users and compromise the confidentiality, integrity and availability of data. Likewise, once privileges have been obtained and accounts compromised, a group like Lapsus$ can traverse the organization's network over its virtual private network (VPN), appearing as any other legitimate user.
How would a group gain this type of access? Some methods include:
- As mentioned, entice insiders, including business partners or suppliers that may have third-party access. Their credentials give the attacker access that looks legitimate.
- Old-fashioned reconnaissance on the open and dark web for leaked credentials that are still valid, including buying or renting working credentials from other underground groups.
- Password stealers and theft of session tokens. A stolen session token is presented in place of a password, so it sidesteps the login flow (and any MFA prompt) entirely.
Of course, so many of these methods go back to social engineering. As technical controls improve and emerging technologies such as artificial intelligence gain wider adoption, cyber defenders should not be surprised that malicious actors are going “old school” and “low tech” in their TTP approach. Old tricks work.
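The last access path above, a stolen session token replayed from the attacker's machine, leaves a detectable trace: the session was authenticated from one client fingerprint and is later used from another, with no fresh login in between. The following detector is an added example, not code from the original article or from any vendor; the JSON log format and field names (`session`, `ip`, `ua`) are assumed, and the log lines are constructed, so map them to whatever your identity provider or VPN gateway actually emits.

```python
"""Flag session tokens that are reused from a second client fingerprint.

Added example (not from the original article). A fresh 'login' event that
mints a new session id is NOT an alert: the user passed authentication again.
A 'request' on an existing session from a different (ip, user agent) pair IS:
the token, not the password, was presented. Log format is an assumption.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); one JSON object per line.
# alice's session s-1001 is later used from a new IP and a curl user agent.
# bob simply logs in again from a new IP, which creates a new session id.
SAMPLE_LOG = """\
{"ts": "2022-03-01T09:00:00Z", "event": "login",   "user": "alice", "session": "s-1001", "ip": "198.51.100.10", "ua": "Chrome/99 Windows"}
{"ts": "2022-03-01T09:05:00Z", "event": "request", "user": "alice", "session": "s-1001", "ip": "198.51.100.10", "ua": "Chrome/99 Windows"}
{"ts": "2022-03-01T09:40:00Z", "event": "request", "user": "alice", "session": "s-1001", "ip": "203.0.113.77",  "ua": "curl/7.79"}
{"ts": "2022-03-01T10:00:00Z", "event": "login",   "user": "bob",   "session": "s-2002", "ip": "192.0.2.5",     "ua": "Firefox/98 macOS"}
{"ts": "2022-03-01T10:10:00Z", "event": "request", "user": "bob",   "session": "s-2002", "ip": "192.0.2.5",     "ua": "Firefox/98 macOS"}
{"ts": "2022-03-01T11:00:00Z", "event": "login",   "user": "bob",   "session": "s-2003", "ip": "192.0.2.9",     "ua": "Firefox/98 macOS"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON into event dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_session_reuse(events: list[dict]) -> list[dict]:
    """Return one alert per session used from a fingerprint other than the
    one that authenticated it, or used without any login seen in the window."""
    origin: dict[str, tuple[str, tuple[str, str], datetime]] = {}
    alerted: set[str] = set()
    alerts: list[dict] = []
    for ev in events:
        sid = ev["session"]
        fp = (ev["ip"], ev["ua"])
        if ev["event"] == "login":
            origin[sid] = (ev["user"], fp, ev["ts"])  # remember who/where
            continue
        if sid not in origin:
            # Login predates the log window, or the token was minted elsewhere.
            if sid not in alerted:
                alerts.append({"kind": "no_login_seen", "session": sid,
                               "user": ev["user"], "new_ip": ev["ip"],
                               "new_ua": ev["ua"]})
                alerted.add(sid)
            continue
        user, login_fp, login_ts = origin[sid]
        if fp != login_fp and sid not in alerted:
            alerts.append({
                "kind": "token_reuse",
                "session": sid,
                "user": user,
                "login_ip": login_fp[0],
                "new_ip": ev["ip"],
                "new_ua": ev["ua"],
                "minutes_after_login": int((ev["ts"] - login_ts) / timedelta(minutes=1)),
            })
            alerted.add(sid)
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input this raises exactly one alert, for alice's session reused from 203.0.113.77 with a curl user agent 40 minutes after her browser login. Bob's second login is silent because a new session id means the authentication (and MFA) flow ran again. In production, tie the fingerprint to whatever your platform binds tokens to, and treat a user agent change alone as lower confidence than an IP or ASN change.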
With so little known, what comes next?
Curious minds in the industry will be keen to learn the results of the CSRB study. Some of the Lapsus$ Telegram exchanges with victim companies read almost like trolling. So, until we learn more about the group, what protective steps can organizations take?
Do not neglect the basics. With all the new gadgetry, it is easy to forget that a strong cybersecurity culture is still your best defender. What did we learn from the Lapsus$ attacks, which have gone relatively dormant since the arrests? That "hacking the human" still produces results. Money, ideology, compromise and ego: any of these can chew away at your best people.
Appropriate access. Access management is not only about identity and physical access; it is also about privileges. Depending on your architecture, the right privileges could grant unfettered access across the entire estate. This raises two questions:
- Are you “over granting” privileges to persons and groups? There must be a business and security case for privileges, all managed through a risk acceptance policy, procedure and register.
- Does your system and data configuration allow unfettered access with the right credentials? In other words, if you have not appropriately segmented your network and segregated your data, you either have to accept the associated risks or, candidly, invest and make it right.
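The first question, whether privileges are being over-granted, can be turned into a repeatable review: compute each user's effective permissions from group membership, compare them with the permissions actually exercised over a window, and look for groups whose unique contribution the user never touched. The script below is an added example, not from the original article or any directory product; the group names, permission names, the 90-day usage records and the `HIGH_RISK` tier are all constructed assumptions standing in for an export from your own identity system.

```python
"""Least-privilege review: which granted permissions were never exercised?

Added example (not from the original article). All directory data below is
constructed: a group-to-permission map, a user-to-group map and a list of
permissions actually used in the review window. The output is, per user, the
effective permissions never used and the groups that can be removed without
taking away anything the user relied on.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed directory data (hypothetical names, not a real tenant).
GROUP_PERMS = {
    "Helpdesk": {"reset_password", "read_user_profile"},
    "Domain Admins": {"reset_password", "read_user_profile",
                      "add_domain_admin", "logon_dc"},
    "VPN Users": {"vpn_connect"},
    "Finance Share RW": {"read_finance", "write_finance"},
}
USER_GROUPS = {
    "alice": {"Helpdesk", "VPN Users", "Domain Admins"},
    "bob": {"VPN Users", "Finance Share RW"},
}
# Constructed usage records for the review window: (user, permission used).
USAGE = [
    ("alice", "reset_password"), ("alice", "read_user_profile"),
    ("alice", "vpn_connect"), ("alice", "reset_password"),
    ("bob", "vpn_connect"), ("bob", "read_finance"),
]
# Permissions that must never sit unused (assumed tier-0 set).
HIGH_RISK = {"add_domain_admin", "logon_dc"}


def effective_perms(user, user_groups, group_perms) -> set[str]:
    """Union of everything the user's groups grant."""
    perms: set[str] = set()
    for g in user_groups.get(user, ()):
        perms |= group_perms.get(g, set())
    return perms


def used_perms(usage) -> dict[str, set[str]]:
    used: dict[str, set[str]] = defaultdict(set)
    for user, perm in usage:
        used[user].add(perm)
    return used


def removable_groups(user, used, user_groups, group_perms, high_risk) -> list[str]:
    """Greedily find groups whose *unique* contribution the user never used.

    Unique contribution = permissions no other remaining group of the user
    grants, so removing the group cannot strip something still in use even
    when several groups overlap. Groups carrying the most high-risk
    permissions are removed first; the loop stops when no safe removal is left.
    """
    remaining = set(user_groups.get(user, ()))
    removed: list[str] = []
    while True:
        candidates = []
        for g in remaining:
            others = set().union(*(group_perms[o] for o in remaining if o != g))
            unique = group_perms[g] - others
            if not (unique & used):
                candidates.append((len(group_perms[g] & high_risk), len(group_perms[g]), g))
        if not candidates:
            return removed
        _, _, g = max(candidates)  # most high-risk perms first, then broadest
        remaining.discard(g)
        removed.append(g)


def review(user_groups=USER_GROUPS, group_perms=GROUP_PERMS,
           usage=USAGE, high_risk=HIGH_RISK) -> dict[str, dict]:
    """Per-user report of unused permissions and safely removable groups."""
    used_by = used_perms(usage)
    report = {}
    for user in user_groups:
        granted = effective_perms(user, user_groups, group_perms)
        used = used_by.get(user, set())
        unused = granted - used
        report[user] = {
            "granted": granted,
            "unused": unused,
            "unused_high_risk": unused & high_risk,
            "removable_groups": removable_groups(user, used, user_groups,
                                                 group_perms, high_risk),
        }
    return report


if __name__ == "__main__":
    for user, row in review().items():
        print(user, row)
```

Two outcomes on the constructed data are worth noting. For alice, Domain Admins is flagged as removable: its only unique contribution is the two tier-0 permissions she never used, while the helpdesk rights she does use survive via the Helpdesk group. For bob, nothing is removable even though `write_finance` is unused, because the Finance Share RW group also carries the `read_finance` he relies on; that is the signal that a group is too coarse and needs splitting, not that the user is fine as is.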
Plan for future attacks
In closing, Lapsus$ will not be the last group to exploit human flaws through a flurry of techniques in order to damage organizations. Unless we are ready to hand everything over to the machines (not advised), we must look beyond technological controls. People must understand the security risks and be treated in a way that leaves no incentive for compromise. Finally, security professionals must establish processes that ensure users can access only what they really need. With this approach, even if you do get popped, you can at least limit the blast radius.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.