BlueVoyant Monitoring the Cyber Criminal Group Lapsus$

March 22, 2022 | 2 min read

BlueVoyant

In light of the Okta breach reported early Tuesday, BlueVoyant is closely monitoring the group that claimed credit, Lapsus$. Our threat intelligence team has been analyzing and following the financially-motivated cyber criminal group for some time to understand their tactics, potential targets, and how to prevent their attacks.

What We Know Thus Far

This is not the first high profile attack in which Lapsus$ has claimed responsibility. Other targets include the recent NVIDIA, Samsung, and Microsoft cyber attacks, plus more than one dozen victims in Portugal and across Latin America, according to BlueVoyant’s research.

According to BlueVoyant’s threat intelligence, Lapsus$ is likely focusing on key cloud providers and other important industries, including telecommunications, large software companies, and server hosts.

Late Monday, screenshots were shared online on a Telegram channel connected to Lapsus$, indicating they had likely gained access to Okta’s internal systems. Okta is an identity provider that enables organizations to authenticate users via its “single sign-on software” and has more than 15,000 customers, according to the company. It also manages about 100 million log-ins.

BlueVoyant independently reviewed the posts.

In response to these screenshots, Okta’s Chief Security Office, David Bradbury released the following message on Wednesday on its blog:

“As with all security incidents, there are many opportunities for us to improve our processes and our communications. I’m confident that we are moving in the right direction and this incident will only serve to strengthen our commitment to security.”

By Wednesday afternoon, it was revealed that Lapsus$ had accessed and Okta client’s employee account who had been providing customer service to Okta users, according to Okta. The hack exposed how Lapsus$ found a way to capture customers’ data without directling infiltrating Okta. After accessing the client employee’s account, Lapsus$ was then able to peep on roughly 2.5% of Okta’s customers, 366 customers, while acquiring customer information and gaining the ability to reset passwords. Okta admitted later that the breach occurred for five days, with Lapsus$ resetting passwords and codes.

Who is Lapsus$?

What makes Lapsus$ different from other high-profile cyber criminal groups is that they appear to focus on data exfiltration to extort their victims. Most similar groups use ransomware that encrypts victims’ networks. Lapsus$ thus far has communicated with the public through a dedicated Telegram channel. Many other groups instead use dark websites hosted on Tor.

According to BlueVoyant’s threat intelligence, Lapsus$ operatives appear to communicate in English and Portuguese, and circumstantial facts suggest that Lapsus$ operatives are based in Brazil and/or Portugal.

On their Telegram channel, Lapsus$ has been actively recruiting insiders at target companies to facilitate data exfiltration since March 10. The group has offered to pay these insiders.

It is currently unknown how they have obtained their alleged data.

How to Protect Yourself

Organizations are advised to watch ongoing developments and should be actively monitoring their environments including:

  • Using multi-factor authentication;
  • Review system logs for indicators of compromise/suspicious activity;
  • Limit employee access to sensitive data to only those that need access; and
  • Take this opportunity to review all important configurations of your software/service providers;

The best course of action for all organizations is to operate under a heightened sense of awareness.