Lapsus$: Who, What, Where, Why, How

Chad Warner
3 min read · Apr 25, 2022

Lapsus$ (often stylized LAPSUS$, aka DEV-0537) is an extortionist threat group that has made headlines in 2022 due to its large-scale campaigns and teenage members.


Who?

Lapsus$ (aka DEV-0537) is a group that has breached several large companies, including Globant, Microsoft, Okta, Samsung, Vodafone, Ubisoft, Nvidia, LG, and T-M.

One reason for the widespread publicity of Lapsus$ is the age of its members. 7 people in the UK between the ages of 16 and 21 were arrested by the City of London Police in March 2022, as part of an international investigation into Lapsus$. Two have been charged.

Allegedly, the leader of Lapsus$ is a 17-year-old in the UK who goes by “White,” “Oklaqq,” “Breachbase,” and “WhiteDoxbin.”

The group appears to be script kiddies rather than sophisticated actors.

Unlike many groups that use advanced techniques to avoid detection and identification, Lapsus$ has practiced relatively poor OPSEC.

What?

Lapsus$ has targeted tech companies, including telecom, software, gaming, hosting, and call center companies.

After stealing data, Lapsus$ has sometimes extorted the companies it steals from, threatening to publish the data if they aren’t paid. At other times Lapsus$ has published the data without demanding a ransom. They haven’t used ransomware.

Lapsus$ has also performed stunts such as redirecting the website of a Brazilian car rental company to a porn site, and tweeting fake news from a Portuguese newspaper’s verified Twitter account.

It’s estimated that Lapsus$ has brought in $14 million from its efforts.

Where?

7 people have been arrested in the UK as part of an investigation into Lapsus$, and 2 have been charged. Another teen in Brazil has been tied to the group. It’s suspected that the group’s members are in several nations.

When?

Lapsus$ was first observed in July 2021 when it sent spam texts, and it made headlines in February through April 2022 due to its large data leaks and the arrests of several suspected members.

Why?

It seems that Lapsus$ is more interested in fame than fortune, because it often leaks data without demanding a ransom. In several cases, there’s been no clear motive.

How?

To get credentials, Lapsus$ has socially engineered help desks to reset credentials, used the Redline password stealer, grabbed exposed credentials from public code repositories, SIM-swapped, accessed the personal email accounts of employees at target companies, and purchased credentials.

The group has bypassed MFA by using session token replays and spamming account holders with MFA prompts.
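The MFA prompt spamming described above (often called MFA fatigue) leaves a recognisable trace in authentication logs: a burst of push prompts for one account in a short window, frequently ending in an approval. The following is an added detection example written for this post; it is not Lapsus$ tooling, nor any vendor’s code. The log format, field names and thresholds are assumptions, and the log lines are constructed for the example.

```python
"""Flag accounts that receive a burst of MFA push prompts in a short window.

Added example for this post, not code from Lapsus$ or from any IdP vendor.
Assumed log format (an assumption, not a real product's format):
    "<ISO-8601 UTC timestamp> <user> <event> <result>"
where event is e.g. "mfa_push" and result is "approved", "denied" or "timeout".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice is bombarded with pushes until one is approved;
# bob has two ordinary denials hours apart and should not be flagged.
SAMPLE_LOG = """\
2022-03-01T02:11:03Z alice mfa_push denied
2022-03-01T02:11:41Z alice mfa_push denied
2022-03-01T02:12:20Z alice mfa_push denied
2022-03-01T02:13:02Z alice mfa_push timeout
2022-03-01T02:13:55Z alice mfa_push denied
2022-03-01T02:14:30Z alice mfa_push approved
2022-03-01T09:00:00Z bob mfa_push denied
2022-03-01T15:30:00Z bob mfa_push denied
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def find_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {user: finding} for every user who received at least
    `threshold` push prompts inside any `window`-long span.

    Each finding records the size of the largest burst, whether a prompt
    inside that burst was approved (the worst case: the user gave in),
    and the burst's first and last timestamps for triage.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event == "mfa_push":
            events[user].append((ts, result))

    findings = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the user's prompts in time order.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            burst = evs[start:end + 1]
            prev = findings.get(user)
            if prev is None or count > prev["prompts"]:
                findings[user] = {
                    "prompts": count,
                    "approved_in_burst": any(r == "approved" for _, r in burst),
                    "first": burst[0][0],
                    "last": burst[-1][0],
                }
    return findings


if __name__ == "__main__":
    for user, f in find_mfa_fatigue(SAMPLE_LOG).items():
        status = "APPROVED during burst" if f["approved_in_burst"] else "no approval"
        print(f"{user}: {f['prompts']} prompts between {f['first']} and {f['last']} ({status})")
```

On the sample above the script flags alice (6 prompts in under four minutes, one of them approved) and ignores bob. In practice the threshold and window should be tuned to the organisation’s normal prompt rate, and an `approved_in_burst` hit is the case to escalate first, since it means the account may now have a live session that needs revoking.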

Lapsus$ has also paid employees for access to their employers’ networks.

To harvest data, Lapsus$ has compromised law enforcement email accounts, then sent fake data requests to tech companies to steal user information. Discord, Apple, and Meta have been victims.

In addition, the group has used target company VPNs, created VMs on cloud infrastructure, and forwarded target email to collect data.

After collecting data, Lapsus$ usually deletes the data in the original location.

Lapsus$ has leaked its stolen data on its Telegram channel.
