Lapsus$, a cybercriminal group in the spotlight


Update on 13/24 at 6 p.m.: According to the BBC, British police have announced the arrest of seven teenagers aged 16 to 21 in connection with the investigation into the cybercriminal group Lapsus$. The identity of one of the group’s high-ranking members was revealed online in January following an apparent dispute with other cybercriminals.

If they wanted glory, here they are. The Lapsus$ group, virtually unknown last year, rose to the forefront of the media scene in 2022 by claiming responsibility for the hacking of several leading tech companies. This sudden fame prompted several specialized companies to publish profiles on the history and operation of this group, whose methods contrast with the habits of the ransomware groups that have been at the top of the bill for almost two years.

Noticeable first steps

The first exploits of the Lapsus$ group date back to December 2021, according to the analysis of the French company Sekoia. The group's first victims were located in South America: on its Telegram channel, the group claimed a hack targeting the Brazilian Ministry of Health at the beginning of December 2021. The other attacks claimed by the group at that time were mainly concentrated in the Portuguese-speaking world, including private entities, television companies and organizations based in Portugal and in various South American countries. The group's first claims were also written in Portuguese and English, the group having subsequently opted for English as its targets became more international. But as Sekoia notes: “There are indications that the group uses machine translation tools to communicate in Portuguese.”

Before claiming attacks under the name of Lapsus$, the members of the group nevertheless seem to have been involved in other hacks during 2021, as noted in Sekoia’s analyses. “The group appears to have a connection to a threat actor named ‘4c3’ who has been active on multiple cybercrime forums since at least May 2021.” Among the exploits of the 4c3 actor, one can cite in particular the hacking of Electronic Arts in June 2021, which led to the leak of several gigabytes of internal data.

In several forum messages claiming responsibility for the attack, the 4c3 account stated that the group’s new name would henceforth be Lapsus$. In addition to this first link, Sekoia indicates that a cryptocurrency wallet address used to extort EA in May 2021 was subsequently reused in several extortion cases claimed by the Lapsus$ group.

No ransomware on the horizon

Unlike many cybercriminal groups, the Lapsus$ group is not a fan of ransomware, the malicious software that encrypts the target’s data and paralyzes the information system. While in some cases the group has used this type of tool, most of its activity focuses on data theft for extortion purposes. The goal is to pressure victims into paying to prevent the data from being published on the group’s Telegram channel. With just over 43,000 subscribers today, this Telegram channel is also one of Lapsus$’s distinctive features: the group prefers this means of communication to the usual hidden sites on the Tor network.

The group uses this Telegram channel to interact directly with its community, for example by asking them to vote to decide which data will be disseminated by the group in priority. Another Telegram channel created by the group also serves as a space for exchange and recruitment for people who want to carry out malicious activities online.

In a blog post, Microsoft’s security teams profiled the methods used by Lapsus$ in its attacks. To compromise the first machines of its targets, the group has resorted to several techniques: Microsoft notes the use of the Redline malware to steal an employee’s passwords and session cookies, the purchase of such passwords and session cookies from other cybercriminal actors (a tactic used in particular to attack EA in 2021), the bribing of employees within the victim company, and the use of SIM swapping techniques.

The cloud in the viewfinder

Once this initial access has been obtained, the members of the Lapsus$ group seek to deepen their access to the victim’s network by exploiting unpatched vulnerabilities or by getting their hands on credentials left freely accessible. It is interesting to note that in this phase the group mainly uses tools freely available on the Internet (Microsoft cites AD Explorer and Mimikatz). The group is also known to use social engineering, for example by posing as a member of the company’s IT support staff to gain access.

The group also targets accounts with permissions to company resources on the public cloud, whether on Azure or AWS. If it succeeds, Microsoft indicates that the group exploits this access both to exfiltrate the stolen data to its own infrastructure and to set up a rule redirecting all email received and sent through Office 365 to an account controlled by Lapsus$, all while deleting the company’s other cloud administrator accounts in order to be alone at the helm. Once the data has been exfiltrated, the group also takes actions aimed at deleting data and resetting systems, which generally triggers incident response processes within the company (which the group does not hesitate to eavesdrop on when it can).
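As an added illustration, not taken from the article or from Microsoft, here is a small Python triage script that runs over constructed Office 365 unified audit log records (the field names and the domain `example.com` are assumptions for the example) and flags the two behaviours described above: mail forwarding rules that send mail to an external domain, and the removal or deletion of other administrator accounts.

```python
# Domains the organisation owns (assumption for this example).
INTERNAL_DOMAINS = {"example.com"}
# Exchange Online parameters that copy or redirect mail elsewhere.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}

def is_external(address: str) -> bool:
    """True if an address (plain or 'smtp:user@host') lies outside our domains."""
    addr = address.split(":")[-1].strip().lower()
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def review_record(rec: dict) -> list:
    """Findings for one audit record; empty list when nothing is suspicious."""
    op, actor = rec.get("Operation", ""), rec.get("UserId", "?")
    findings = []
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        for param in rec.get("Parameters", []):
            if param.get("Name") in FORWARD_PARAMS:
                for dest in str(param.get("Value", "")).split(";"):
                    if is_external(dest):
                        findings.append(f"{actor}: {op} sends mail to external {dest.strip()}")
    elif op == "Remove member from role.":
        for prop in rec.get("ModifiedProperties", []):
            role = prop.get("OldValue", "")
            if prop.get("Name") == "Role.DisplayName" and "Administrator" in role:
                findings.append(f"{actor}: removed {rec.get('ObjectId', '?')} from {role}")
    elif op == "Delete user.":
        findings.append(f"{actor}: deleted account {rec.get('ObjectId', '?')}")
    return findings

def scan(records) -> list:
    """Run review_record over every record and flatten the findings."""
    return [f for rec in records for f in review_record(rec)]

# Constructed sample records approximating unified audit log entries.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "smtp:drop@attacker-mail.invalid"}]},
    {"Operation": "Set-Mailbox", "UserId": "helpdesk@example.com",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:bob@example.com"}]},
    {"Operation": "Remove member from role.", "UserId": "alice@example.com",
     "ObjectId": "carol@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName",
                             "OldValue": "Global Administrator", "NewValue": ""}]},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Internal forwarding (the second record) is deliberately left alone so the script reports only what a responder would want to act on.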

The limelight

If the group intrigues researchers, it is because it is capable of both sophisticated hacking and the worst rookie mistakes. Sekoia notes the many occasions on which the group has revealed clues about its members: account names left in screenshots claiming attacks, IP addresses reused across different attacks, the reuse of certain cryptocurrency wallets and even internal conflicts that led certain members to divulge information about the identity of other members of the group. The group shows a certain amateurism that is rarely seen among actors specializing in ransomware. “Most established ransomware groups follow a modus operandi with an established business model. Lapsus$ is more like a startup with a team of talented offensive security specialists who look at targets from an opportunistic perspective, with their approach to monetization evolving based on the specific target,” said Ken Westin, director of Cybereason’s security strategy.

Thus, the group’s economic model is based on extortion, but there is no evidence that the recent attacks carried out by Lapsus$ have given rise to ransom demands. “The analysis of their behavior suggests a desire to encourage people to talk about the group, thus drawing the profile of individual(s) in search of glory and recognition,” write the Sekoia analysts, who do not hesitate to compare the group to LulzSec, a group of cybercriminals active in 2011 and primarily driven by fame. “Based on their public persona, they also seem to like to let everyone know about these accesses. They appreciate the spotlight, which is somewhat unique,” said Joshua Shilko, Senior Principal Analyst at Mandiant.

In their latest message published on their Telegram channel, the group announces its intention to “take a vacation” until the end of March and indicates that its activity will therefore be reduced in the coming days. A way of lying low after being the center of attention.
