The Rise and Evolution of Lapsus$
Mandiant researchers first noticed activity associated with the group’s name on underground forums in July 2021, when the attackers discussed a video game company they claimed to have breached. Early attacks targeted cryptocurrency accounts to steal wallets and funds; however, the group quickly widened its targeting to include organizations in South America, including the compromises of the Brazilian Ministry of Health and South American telecommunications organizations.
“Things have accelerated since then,” said Shilko. “In a timeframe of a few short months we saw all the group’s malicious activity, including the Okta activity in January. Maybe they were already working on some of this stuff for a time.”
The group now targets organizations globally, including companies in the telecommunications, technology, IT services and support sectors where it can double down on damage by leveraging the access to further compromise partner or supplier organizations.
In several incidents the group has extorted its victims by threatening to leak their sensitive data unless they pay, or it has targeted individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings. However, researchers point out that in other cases money doesn’t appear to be the primary goal. In some intrusions, for instance, the group has merely leaked the data stolen from the victims without making an extortion attempt. And after targeting Nvidia, Lapsus$ asked the company to remove its lite hash rate (LHR) feature, reportedly meant to limit Ethereum mining capabilities in certain products, and also asked Nvidia to open-source its GPU drivers for macOS, Windows and Linux devices.
The threat actor follows its victims closely both before and after its compromises. Before launching an attack, the group studies a targeted company’s employees, team structures, help desks, crisis response workflows and supply chain relationships. Armed with that information, it calls the organization’s help desk to trick staff into resetting the target’s credentials, and is able to answer common recovery prompts such as the “first street you lived on” or “mother’s maiden name.”
“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” according to Microsoft researchers. “Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”
After an intrusion, the group has also been observed joining the victim’s crisis communication calls and Slack or Teams internal discussion boards to see how incident response is being carried out, which helps the group gauge the victim’s state of mind and how much of the intrusion the victim has discovered.