In the volatile landscape of cyber threats, new actors emerge rapidly, often employing unique or surprisingly effective tactics. One such group that gained significant notoriety between late 2021 and 2022 is the Lapsus$ extortion group, also tracked by Microsoft as Strawberry Tempest (formerly DEV-0537). Unlike traditional ransomware gangs that focus primarily on encrypting victim data, Lapsus$ carved a niche through data theft, public extortion, and disruption, often targeting high-profile global organizations. Believed to be composed primarily of teenagers from countries like the UK and Brazil, their methods, while sometimes described as rudimentary, proved remarkably successful in breaching seemingly well-defended networks. Their focus on social engineering, insider recruitment, and exploiting weak authentication mechanisms serves as a critical case study for security professionals, highlighting the persistent threat of human-centric attacks and the need for robust, multi-layered defenses. Understanding Lapsus$'s modus operandi, victimology, and effective mitigation strategies is crucial for organizations seeking to protect themselves from similar extortion-focused threats.
Lapsus$ burst onto the scene in mid-to-late 2021, with their first widely recognized major attack targeting the Brazilian Ministry of Health in December 2021. Initial activity, possibly dating back to mid-2021, included attacks on organizations in Brazil and other South American countries, as well as Portuguese entities. The group quickly gained infamy for its brazen tactics and public communication style, primarily leveraging a Telegram channel to announce breaches, leak stolen data, recruit insiders, and even poll followers on potential targets.
The group is believed to be an international collective, relatively small in size (estimated around 7-11 members initially), with core members suspected to be teenagers based in the United Kingdom and Brazil. Despite their youth and sometimes described "script-kiddie" techniques, their success against major corporations demonstrated a significant level of determination and resourcefulness. They weren't state-sponsored espionage actors but rather financially motivated cybercriminals driven by extortion and, seemingly, a desire for notoriety and "clout."
Lapsus$'s operational tempo peaked between December 2021 and September 2022. Their high-profile attacks drew heavy media attention and prompted international law enforcement investigations. In March 2022, the City of London Police arrested seven individuals aged 16 to 21 on suspicion of involvement with the group, and subsequent investigations led to charges and convictions. Notably, Arion Kurtaj, considered a key figure, was found unfit to stand trial because of his autism, but a jury found that he had committed numerous attacks, and in December 2023 he was given an indefinite hospital order. Another teenage member was also convicted. A Brazilian suspect was arrested in October 2022 in connection with the attacks on Brazilian government entities.
Following these arrests and legal actions, the group's public activity significantly diminished after September 2022. While the core group appears largely dismantled, the tactics they popularized remain relevant, and dispersed members could potentially resurface in other cybercriminal operations. The U.S. Cyber Safety Review Board (CSRB) conducted a review of Lapsus$'s activities, releasing a report in 2023 that analyzed their methods and provided recommendations, underscoring the impact and lessons learned from this unique threat group.
Lapsus$ distinguished itself not through highly sophisticated custom malware, but by adeptly exploiting weaknesses in security processes and the human element. Their modus operandi focused heavily on gaining initial access through identity compromise and then moving quickly to exfiltrate valuable data for extortion.
Initial Access: This was the cornerstone of Lapsus$'s strategy. They employed a variety of methods, often in combination:
Social Engineering: Phishing, vishing (voice phishing), and pretexting were commonly used to trick employees or helpdesk staff into revealing credentials, approving MFA prompts, or resetting passwords.
SIM Swapping: Hijacking a target employee's phone number, typically by persuading or paying carrier staff to port it, so that MFA codes sent via SMS or voice calls arrive at the attacker's device.
MFA Fatigue: Bombarding a user with MFA push notifications, sometimes late at night, until they approve one simply to make the prompts stop.
Credential Theft/Purchase: Acquiring credentials and session tokens through infostealer malware logs (like Redline Stealer) purchased from underground markets or obtained via other breaches.
Insider Recruitment: A key differentiator. Lapsus$ openly solicited employees (and employees of third-party contractors/suppliers) via their Telegram channel, offering payment for VPN access, credentials, or assistance in bypassing security controls. They targeted staff in telecom, software, gaming, hosting, and call center companies.
Exploiting Public-Facing Systems: Targeting vulnerabilities in internet-facing infrastructure like VPNs, RDP, or collaboration tools (e.g., JIRA, Confluence, GitLab) when credentials weren't readily available.
Supply Chain Attacks: Compromising third-party vendors or service providers (like Sitel in the Okta breach) to gain access to their ultimate target's network.
Post-Exploitation & Lateral Movement: Once initial access was achieved, Lapsus$ moved to solidify their foothold and access valuable data:
Reconnaissance: Using native tools and Active Directory queries to understand the network structure, identify privileged accounts, and locate sensitive data repositories (e.g., source code servers, cloud storage).
Privilege Escalation: Seeking to gain administrative rights, often targeting cloud environments (Azure AD, now Entra ID, and AWS) to create rogue admin accounts or modify permissions.
Remote Access Tools: Utilizing legitimate tools like Remote Desktop Protocol (RDP) or commercial remote access software to navigate the compromised network.
Defense Evasion: Attempting to disable security tools or blend in with legitimate traffic.
Actions on Objectives: The ultimate goals were data theft and extortion:
Data Exfiltration: Identifying and stealing sensitive data, primarily source code, proprietary technical information, customer databases, API keys, and internal documents. Tools like rclone were reportedly used for exfiltration to cloud storage.
Extortion: Contacting victims (sometimes publicly via Telegram) and demanding payment to prevent the release of stolen data. Unlike typical ransomware, encryption of systems was not their primary tactic.
Disruption/Destruction: In some cases, Lapsus$ accessed cloud environments (like Microsoft Intune) to wipe devices or deleted resources within the victim's infrastructure, adding a destructive element to their attacks.
Communication & Infrastructure:
Telegram: Served as their primary platform for communication, announcements, data leaks, recruitment, and interaction with the public and victims.
Cloud Services: Used legitimate cloud storage services to host stolen data temporarily.
Lapsus$'s TTPs highlight a reliance on relatively low-cost, high-impact techniques that bypass traditional perimeter defenses by targeting identities and trust relationships.
MITRE ATT&CK Techniques Observed (Representative List):

Tactic | Technique ID | Technique Name
---|---|---
Reconnaissance | T1592 | Gather Victim Host Information
Resource Development | T1586 | Compromise Accounts
Resource Development | T1650 | Acquire Access
Initial Access | T1566 | Phishing
Initial Access | T1078 | Valid Accounts
Initial Access | T1133 | External Remote Services
Initial Access | T1189 | Drive-by Compromise
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Persistence | T1078 | Valid Accounts
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1078 | Valid Accounts
Privilege Escalation | T1484.001 | Domain Policy Modification: Group Policy Modification
Defense Evasion | T1070.004 | Indicator Removal: File Deletion
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools
Defense Evasion | T1620 | Reflective Code Loading
Credential Access | T1110.001 | Brute Force: Password Guessing
Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files
Credential Access | T1606.001 | Forge Web Credentials: Web Cookies
Credential Access | T1649 | Steal or Forge Authentication Certificates
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1069.002 | Permission Groups Discovery: Domain Groups
Discovery | T1482 | Domain Trust Discovery
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol
Collection | T1119 | Automated Collection
Collection | T1560.001 | Archive Collected Data: Archive via Utility
Command and Control | T1105 | Ingress Tool Transfer
Exfiltration | T1041 | Exfiltration Over C2 Channel
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage
Impact | T1485 | Data Destruction
Impact | T1486 | Data Encrypted for Impact (less common; claimed in some cases rather than their primary tactic)
Impact | T1529 | System Shutdown/Reboot
Impact | T1531 | Account Access Removal

Note that the IDs above follow the current ATT&CK naming: purchasing access from brokers is T1650 Acquire Access (a Resource Development technique), forged session cookies are T1606.001 Web Cookies, and forced shutdown or reboot is T1529.
Lapsus$'s targeting strategy appeared opportunistic yet focused on organizations holding valuable intellectual property, customer data, or those whose disruption would garner significant attention.
Motivations: The primary drivers were financial gain through extortion (demanding payment to prevent data leaks) and achieving notoriety or "clout" within cybercriminal circles and the public eye. Unlike state-sponsored groups, espionage for geopolitical advantage was not their main goal. Their actions were often described as bold, sometimes illogical, and publicity-seeking.
Potential Impact: The consequences for victims were severe, even without traditional ransomware encryption. Key impacts included:
Data Breach: Loss of sensitive source code, proprietary algorithms, customer PII, employee credentials, and internal communications.
Operational Disruption: System downtime caused by attacks, device wiping, or account lockouts. The Okta breach, though limited in scope according to Okta, caused significant concern due to Okta's role in identity management.
Reputational Damage: Public exposure of security failings and data loss eroded customer and stakeholder trust.
Financial Loss: Costs associated with incident response, remediation, potential regulatory fines, and extortion payments (though it's reported they weren't always successful in collecting ransoms).
Targeted Industries: Lapsus$ demonstrated a broad reach but showed a preference for:
Technology: Major software companies (Microsoft), semiconductor manufacturers (Nvidia), electronics giants (Samsung), identity providers (Okta), and IT/consulting firms (Globant).
Telecommunications: Mobile carriers (T-Mobile, and Vodafone, which Lapsus$ claimed to have breached) were targeted, likely for SIM swapping capabilities and access to internal systems.
Gaming: Major game developers (Ubisoft, Rockstar Games) were hit, with significant source code and pre-release footage leaks.
E-commerce/Finance: Companies like Mercado Libre (Latin America) were breached.
Government: Initial attacks targeted Brazilian government entities (Ministry of Health).
Targeted Regions: While originating with a South American focus (Brazil, Portugal), their attacks quickly became global, hitting major corporations headquartered in North America (USA, Canada), Europe (UK), and Asia (South Korea).
Their victimology suggests a focus on large, recognizable organizations where a breach would be impactful and potentially yield valuable data for extortion or public release. Their willingness to target critical sectors like technology and telecommunications highlights the widespread vulnerability to their methods.
Lapsus$ conducted a series of high-profile attacks within a relatively short timeframe, demonstrating their capability and audacity:
Brazilian Ministry of Health (December 2021): Considered their first major public attack. Lapsus$ claimed to have exfiltrated 50 TB of data, defaced websites, and disrupted COVID-19 vaccination data systems.
Impresa (January 2022): Portugal's largest media conglomerate was targeted, resulting in website shutdowns and data theft claims.
Nvidia (February 2022): The group claimed to have stolen approximately 1TB of sensitive data, including proprietary source code for GPU drivers and schematics. They leaked employee credentials and demanded Nvidia remove mining limiters from certain GPUs and open-source their drivers.
Samsung (March 2022): Lapsus$ leaked around 190GB of confidential data, allegedly including source code related to Samsung Galaxy devices, bootloader information, and algorithms for biometric authentication.
Mercado Libre / Mercado Pago (March 2022): The Latin American e-commerce and payment giant confirmed unauthorized access, with Lapsus$ claiming access to source code and data for around 300,000 users.
Ubisoft (March 2022): The gaming company acknowledged a "cyber security incident" causing temporary disruption. Lapsus$ claimed responsibility but didn't leak significant data initially, suggesting a potentially less successful intrusion compared to others.
Okta (January/March 2022): In January 2022, Lapsus$ compromised the account of a support engineer at Sitel, a third-party contractor for Okta; in March they posted screenshots showing access to Okta's internal tools. Okta stated the impact was limited to a small percentage of customers. This breach raised significant concerns about supply chain security, since a contractor's help-desk access was enough to reach an identity provider's customer environments.
Microsoft (March 2022): Lapsus$ claimed to have compromised a single employee account, gaining limited access. They subsequently leaked around 37GB of data purported to be source code for components of Bing, Bing Maps, and Cortana.
Globant (March 2022): The software development firm confirmed unauthorized access after Lapsus$ leaked data allegedly belonging to the company.
T-Mobile (March 2022): Lapsus$ claimed multiple breaches, attempting to access FBI/DoD accounts via T-Mobile systems (unsuccessfully) but managing to exfiltrate source code repositories.
Uber (September 2022): The ride-sharing company suffered a breach initiated via social engineering of a contractor, reportedly involving MFA fatigue. The attacker, whom Uber linked to Lapsus$, gained access to internal systems, including Slack and potentially HackerOne bug bounty reports.
Rockstar Games (September 2022): In a major leak, Lapsus$ released extensive pre-release footage (around 90 videos) of the highly anticipated Grand Theft Auto VI. Later leaks potentially included source code for GTA V and VI.
These campaigns illustrate Lapsus$'s focus on valuable data (especially source code), their use of public platforms for extortion, and their ability to breach major, security-conscious organizations.
Defending against a threat actor like Lapsus$, which heavily relies on exploiting human factors and identity compromise, requires a multi-layered strategy focusing on strengthening authentication, mitigating insider risks, enhancing monitoring, and fostering a security-aware culture. Generic defenses alone are insufficient; specific measures targeting Lapsus$-like TTPs are crucial.
Strengthen Authentication & Access Management:
Phishing-Resistant MFA: Implement strong MFA for all users (employees, contractors, partners) across all services (VPN, cloud, internal apps). Prioritize phishing-resistant methods like FIDO2 security keys or certificate-based authentication over easily phishable methods like SMS, voice calls, or simple push notifications; SMS and voice factors are exactly what SIM swapping defeats.
Number Matching & Geolocation: Configure MFA push notifications to require number matching or show geographic location context to help users identify fraudulent prompts. Note that number matching blunts blind push bombing but not a vishing call in which the attacker talks the user through entering the number, so pair it with helpdesk and user training.
Reduce Token Lifespans: Minimize the validity period for session tokens, including an idle timeout and an absolute ceiling, and bind sessions to client context where the platform supports it, to limit the window of opportunity for attackers replaying tokens stolen by infostealers.
Conditional Access Policies: Implement risk-based conditional access policies that scrutinize login attempts based on location, device health, and user behavior. Block logins from anonymizing services or unexpected geolocations.
Principle of Least Privilege: Rigorously enforce least privilege access. Users and service accounts should only have the permissions essential for their roles. Regularly review and revoke unnecessary privileges.
Privileged Access Management (PAM): Implement PAM solutions to secure, manage, and monitor privileged accounts and sessions.
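The token-lifetime and binding point above is easy to get subtly wrong (a sliding refresh with no absolute ceiling keeps a stolen cookie alive indefinitely), so here is an added example written for this article, not code from any vendor or victim mentioned on the page. It implements a minimal HMAC-signed session token with an absolute lifetime, an idle timeout and a check that the token is presented from the client context it was issued to. The secret key, the two lifetimes and the user-agent/IP-prefix binding inputs are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json

# Illustrative server-side secret; in practice load it from a secrets manager.
SECRET_KEY = b"example-only-server-secret-rotate-me"

ABSOLUTE_TTL_SECONDS = 8 * 60 * 60   # hard ceiling measured from issue time, refresh or not
IDLE_TTL_SECONDS = 15 * 60           # token dies after 15 minutes without use


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_binding(user_agent: str, ip_prefix: str) -> str:
    """Coarse fingerprint of the client a session is tied to (assumed inputs)."""
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


def _sign(payload: dict) -> str:
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def issue_token(user: str, binding: str, now: int) -> str:
    """Mint a token recording issue time, last-seen time and client binding."""
    return _sign({"sub": user, "iat": int(now), "last": int(now), "bind": binding})


def verify_token(token: str, binding: str, now: int):
    """Return (ok, reason, refreshed_token). Checks run in order: integrity,
    absolute lifetime, idle lifetime, client binding."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed", None
    body, sig = parts
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    try:
        supplied = _unb64(sig)
    except ValueError:
        return False, "malformed", None
    if not hmac.compare_digest(supplied, expected):
        return False, "bad_signature", None
    payload = json.loads(_unb64(body))
    if now - payload["iat"] > ABSOLUTE_TTL_SECONDS:
        return False, "absolute_expiry", None
    if now - payload["last"] > IDLE_TTL_SECONDS:
        return False, "idle_expiry", None
    if not hmac.compare_digest(payload["bind"], binding):
        return False, "binding_mismatch", None
    # Sliding refresh: bump last-seen but keep the original iat so the ceiling holds.
    payload["last"] = int(now)
    return True, "ok", _sign(payload)


if __name__ == "__main__":
    t0 = 1_700_000_000
    office = client_binding("Mozilla/5.0 (Windows NT 10.0)", "203.0.113.0/24")
    token = issue_token("alice", office, t0)
    print(verify_token(token, office, t0 + 600)[:2])                       # (True, 'ok')
    elsewhere = client_binding("curl/8.0", "198.51.100.0/24")
    print(verify_token(token, elsewhere, t0 + 60)[:2])                     # replayed stolen cookie
    print(verify_token(token, office, t0 + IDLE_TTL_SECONDS + 1)[:2])      # idle expiry
```

The ordering matters: the signature is checked before anything in the body is trusted, and the absolute check uses the original `iat` rather than the refreshed `last`, so repeated use cannot push a session past eight hours. Binding to a coarse IP prefix rather than the full address avoids breaking mobile users while still rejecting a cookie replayed from a different network.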
Mitigate Insider & Supply Chain Risks:
Insider Threat Program: Develop a formal insider threat program that includes pre-employment screening (where permissible), ongoing monitoring using User Behavior Analytics (UBA) within SIEM tools, and clear offboarding procedures.
Vendor Security Assessments: Conduct thorough security assessments of third-party vendors and contractors, especially those with access to sensitive data or systems. Enforce strict security requirements contractually.
Zero Trust Architecture: Adopt a Zero Trust mindset, assuming no user or device is implicitly trusted. Continuously verify identity, device health, and context before granting access. Segment networks to limit lateral movement.
Enhance Monitoring & Detection:
Robust Logging: Ensure comprehensive logging across endpoints, networks, cloud environments (especially Entra ID/Azure AD sign-in and audit logs and AWS CloudTrail), VPNs, and MFA systems, including denied and timed-out MFA prompts, not just successful ones. Forward logs to a central SIEM.
Behavioral Analysis: Utilize SIEM/UBA tools to detect anomalous activities such as impossible travel, unusual login times/locations, MFA bombing attempts, large data transfers, or unexpected administrative actions.
Helpdesk Monitoring: Train helpdesk staff to recognize social engineering attempts (e.g., urgent password reset requests, MFA support calls). Monitor helpdesk tickets and calls for suspicious patterns.
Endpoint Detection & Response (EDR): Deploy EDR solutions for enhanced visibility and response capabilities on endpoints.
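Two of the behavioral signals listed above, MFA bombing and impossible travel, are simple enough to express as rules over the sign-in log. The block below is an added example written for this article, not a detection from any vendor product or from the CSRB report. It runs over a small constructed sample log (not real data) in the shape of an identity provider's sign-in records, flags a push approval that follows a burst of denied or timed-out pushes, and flags consecutive sign-ins whose implied travel speed no aircraft could achieve. Field names, thresholds and the sample records are all assumptions to adapt to your own SIEM schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real data). "alice" is push-bombed for
# six minutes before approving; "bob" signs in from London, then from São Paulo
# forty minutes later. Coordinates would normally come from IP geolocation.
SAMPLE_LOG = [
    {"ts": "2022-03-01T02:10:00Z", "user": "alice", "result": "push_timeout", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:10:40Z", "user": "alice", "result": "push_denied", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:11:20Z", "user": "alice", "result": "push_timeout", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:12:00Z", "user": "alice", "result": "push_denied", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:13:30Z", "user": "alice", "result": "push_timeout", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:14:10Z", "user": "alice", "result": "push_denied", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:16:00Z", "user": "alice", "result": "push_approved", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T02:16:05Z", "user": "alice", "result": "success", "ip": "203.0.113.5", "lat": 51.5, "lon": -0.12},
    {"ts": "2022-03-01T09:00:00Z", "user": "bob", "result": "success", "ip": "198.51.100.7", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2022-03-01T09:40:00Z", "user": "bob", "result": "success", "ip": "192.0.2.44", "lat": -23.5505, "lon": -46.6333},
]

PUSH_FAILURES = {"push_denied", "push_timeout"}


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _by_user(records):
    """Group records per user with parsed timestamps, sorted chronologically."""
    grouped = defaultdict(list)
    for rec in records:
        grouped[rec["user"]].append(dict(rec, ts=_parse_ts(rec["ts"])))
    for events in grouped.values():
        events.sort(key=lambda e: e["ts"])
    return grouped


def detect_mfa_fatigue(records, window_minutes=10, min_failures=5):
    """Flag a push approval preceded by at least min_failures denied or timed-out
    pushes inside window_minutes: the shape of an MFA bombing that finally landed."""
    alerts = []
    for user, events in _by_user(records).items():
        for i, ev in enumerate(events):
            if ev["result"] != "push_approved":
                continue
            start = ev["ts"] - timedelta(minutes=window_minutes)
            prior = [e for e in events[:i] if e["ts"] >= start and e["result"] in PUSH_FAILURES]
            if len(prior) >= min_failures:
                alerts.append({"user": user, "approved_at": ev["ts"].isoformat(),
                               "prior_failures": len(prior),
                               "source_ips": sorted({e["ip"] for e in prior})})
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(records, max_speed_kmh=900):
    """Flag consecutive successful sign-ins whose implied speed exceeds airliner speed."""
    alerts = []
    for user, events in _by_user(records).items():
        successes = [e for e in events if e["result"] == "success"]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((cur["ts"] - prev["ts"]).total_seconds(), 1) / 3600  # floor at one second
            speed = km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "minutes": round(hours * 60), "speed_kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG) + detect_impossible_travel(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert for alice (six failed pushes in the ten minutes before her 02:16 approval) and one for bob (roughly 9,500 km in 40 minutes). Tune `min_failures` and `window_minutes` against your own baseline; a user who fumbles two prompts is noise, while an approval after five or more within a few minutes, especially outside working hours, is worth an analyst's call to the user before the session is allowed to stand.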
Improve Security Awareness & Culture:
Targeted Training: Conduct regular, engaging security awareness training focused on social engineering tactics (phishing, vishing), MFA fatigue, and the importance of reporting suspicious activity, including unexpected MFA prompts the user did not initiate.
SIM Swap Awareness: Educate employees, especially those with privileged access, about the risks of SIM swapping and how to protect their mobile accounts (e.g., setting a port-out PIN or account lock with their carrier), and move privileged users off SMS and voice factors entirely.
Strengthen Technical Controls:
Endpoint Hardening: Harden endpoints according to recognized benchmarks (e.g., CIS, NIST).
Cloud Security Posture Management (CSPM): Use CSPM tools to continuously monitor and remediate misconfigurations in cloud environments.
Data Loss Prevention (DLP): Implement DLP solutions to monitor and block unauthorized exfiltration of sensitive data.
Immutable Backups: Maintain secure, offline, and immutable backups and regularly test restoration procedures.
Incident Response Preparedness:
Incident Response Plan: Develop and regularly test an incident response plan that specifically addresses data extortion and identity compromise scenarios.
Threat Intelligence: Leverage threat intelligence feeds (including IOCs like known Lapsus$ IPs/domains, though these change rapidly) to inform defenses and threat hunting.
Addressing the tactics used by Lapsus$ requires looking beyond traditional network defenses and focusing intensely on identity security, human vulnerabilities, and the extended supply chain.
Lapsus$ emerged as a uniquely disruptive force in the cybercrime ecosystem, demonstrating that significant damage could be inflicted without relying on traditional ransomware encryption. Their success, driven by a young cohort leveraging social engineering, insider recruitment, and identity compromise techniques, serves as a stark reminder that technical defenses alone are insufficient. They exploited seams in security processes, human trust, and the interconnectedness of supply chains to breach major global organizations, stealing valuable source code and sensitive data primarily for extortion and notoriety.
Although key members have faced legal consequences and the group's overt activity has ceased, the TTPs they popularized remain a potent threat. The Lapsus$ saga underscores the critical need for organizations to prioritize phishing-resistant MFA, implement robust insider threat programs, secure their supply chains, enhance monitoring for anomalous identity behavior, and foster a strong security culture. Vigilance against extortion-focused groups adept at manipulating the human element must remain a top priority for security professionals.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.