LAPSUS$, a ‘teen’ extortion group, exposes cyber gaps in mature organizations

News Desk

The LAPSUS$ extortion group, widely reported to be made up of teenagers, exploded onto the cyber scene late last year and has since become one of the most talked about and notorious online extortion groups after successfully breaching major corporations such as Microsoft, Samsung, Ubisoft, and Okta.

“Just like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to conduct,” said Claire Tills, Senior Research Engineer, Tenable. “Organizations should evaluate what defenses they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents. While it may feel easy to downplay the threat of groups like LAPSUS$, their disruption of major international technology companies reminds us that even unsophisticated tactics can have a serious impact.”

Claire Tills, Senior Research Engineer at Tenable, conducted a deep dive into the operations of the LAPSUS$ group and discovered that the group’s tactics, while brazen, illogical, and unsophisticated, were still effective in disrupting major international technology companies. This is a sobering reminder that no organization, large or small, is truly safe from cyberattacks.

Unlike ransomware operators, LAPSUS$ belongs to a growing breed of extortion-only cybercriminals: it gains access to victims through tried-and-true methods such as phishing, steals the most sensitive data it can find, and extorts the victim without ever deploying data-encrypting malware. In late February, the group made headlines with an attack on Nvidia. That breach was LAPSUS$’s global debut and the start of a brief tear through major technology companies.

LAPSUS$, unlike other threat groups, operates solely through a private Telegram group and does not maintain a dark web leak site. The group announces victims via Telegram, frequently soliciting feedback from the larger community on which organization’s data to release next. In comparison to the polished, standardized sites of ransomware groups (such as AvosLocker, LockBit 2.0, Conti, and others), these practices appear disorganized and immature.

The LAPSUS$ group gained notoriety for its unconventional tactics and erratic methods after a string of high-profile targets were left in its wake. DDoS attacks and website vandalism were common in the early attacks. However, as early as January 21, the LAPSUS$ group was engaged in the multi-stage breach that eventually led to the Okta incident. To gain initial access to target organizations, the LAPSUS$ group relied heavily on traditional tactics such as purchasing credential dumps, social engineering help desks, and spamming multifactor authentication (MFA) prompts.
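The MFA prompt spamming mentioned above (often called "MFA fatigue") leaves a distinctive trace in identity-provider logs: a burst of denied or timed-out push notifications for one account, sometimes followed by an approval. The script below is an added detection example written for this article; it is not Tenable's tooling and not code from any identity provider. The log line format, the field names (`user`, `event`, `result`, `src`), the sample entries and the threshold of four unapproved pushes in ten minutes are all assumptions constructed for illustration and should be mapped onto whatever your MFA product actually emits.

```python
"""Flag accounts that received a burst of unapproved MFA push prompts.

Added example: not from the article or from Tenable. Log format, field
names and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> user=<name> event=mfa_push result=<denied|timeout|approved> src=<ip>
SAMPLE_LOG = """\
2022-01-21T02:10:05Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-01-21T02:10:41Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-01-21T02:11:20Z user=alice event=mfa_push result=timeout src=203.0.113.5
2022-01-21T02:12:02Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-01-21T02:12:55Z user=alice event=mfa_push result=denied src=203.0.113.5
2022-01-21T02:14:10Z user=alice event=mfa_push result=approved src=203.0.113.5
2022-01-21T08:00:00Z user=bob event=mfa_push result=approved src=198.51.100.7
2022-01-21T09:30:00Z user=bob event=mfa_push result=denied src=198.51.100.7
2022-01-21T09:30:30Z user=bob event=mfa_push result=approved src=198.51.100.7
"""

UNAPPROVED = ("denied", "timeout")


def parse_line(line):
    """Parse one 'key=value' log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), threshold=4):
    """Return {user: details} for users with >= threshold unapproved pushes
    inside any sliding window of the given length.

    'approved_after_burst' is True when an approval landed within one window
    after the burst, which is the highest-risk pattern: a user may have
    accepted a prompt just to stop the notifications.
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            per_user[rec["user"]].append(rec)

    alerts = {}
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["ts"])
        unapproved = [r for r in recs if r["result"] in UNAPPROVED]
        start = 0
        for end in range(len(unapproved)):
            # Slide the window start forward until it fits inside 'window'.
            while unapproved[end]["ts"] - unapproved[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(user, {}).get("unapproved_pushes", 0):
                burst_end = unapproved[end]["ts"]
                approved_after = any(
                    r["result"] == "approved" and burst_end <= r["ts"] <= burst_end + window
                    for r in recs
                )
                alerts[user] = {
                    "unapproved_pushes": count,
                    "first": unapproved[start]["ts"],
                    "last": burst_end,
                    "approved_after_burst": approved_after,
                }
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info['unapproved_pushes']} unapproved pushes "
              f"{info['first']} .. {info['last']}, "
              f"approved afterwards: {info['approved_after_burst']}")
```

Run against the constructed sample, the script reports alice (five unapproved pushes in under three minutes, then an approval) and stays silent on bob, whose single denial is ordinary user behaviour. The "approved after burst" flag is what turns this from a noisy counter into something worth paging on: it is the point at which the account should be treated as potentially compromised and the session reviewed, and it is also a good argument for number-matching or similar push-approval controls that make prompt spamming ineffective in the first place.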