Analysis of LAPSUS$ Intrusion Set

LAPSUS$ is a relatively new English and Portuguese speaking intrusion set that recently made the news by conducting big game hunting via single extortion schemes (data theft) on both public and private entities; some of them being Electronic Arts, The Ministry of Health (MoH) of Brazil, Microsoft or Okta. To this date, Personal Identifiable Information (PII) are less prone to get targeted and exfiltrated upon attacks, only Mercado Libre & Okta suffered such breaches. Instead, this intrusion set focuses on proprietary source code (that could however contain PII) unless not intended end-target are at play (targeting customers’ victims or to bypass MFA).

LAPSUS$ intrusion set does not encrypt victim’s data (with the exception of the MoH), though some members might have employed ransomwares in a pre-LAPSUS$ era (at least one member of the group claimed he did). In order to breach into its victims’ networks, this intrusion set employs not only advanced social engineering techniques that encompass SIM swap attacks against the telecommunication sector and spearphishing, but also the acquisition of active passwords & session tokens on specialized dark web markets and forums.

The first targeted countries were exclusively Lusophone entities. LAPSUS$ intrusion set then broadened its hunting areas to France, the United States, Argentina, South Korea and Nepal. Several industries operating in various sectors of activity have fallen victim to the schemes of the LAPSUS$ intrusion set, including a video game company, telecom/media conglomerates and high tech firms. To the best of our knowledge, the only public sector that was targeted hit several ministries of the Brazilian government.

This intrusion set made various opsec errors that were leveraged, either by members being part of LAPSUS$, or close enough to the intrusion set to conduct doxing operations. At least one of the LAPSUS$’s member has seen its identity doxed (white aka Alexander). This group seems primarily motivated by personal gains more than hacktivism. TTPs observed upon several campaigns could be categorized at the first glance into the scope of ideology (hacktivism) and/or notoriety, which could emanate from a composite group with misaligned skills and motivations. We have good reasons to believe that a more probable scenario is the leveraging of the medias as an echo chamber to increase pressure on victims to gather higher ransom amounts.

In this context, the City of London Police announced the 24th of March 2022 that seven teenagers between the ages of 16 and 21 were arrested. We don’t know if the supposedly “mastermind” of the LAPSUS$ intrusion set is amongst the seven, while all have been released under investigation, though investigations are still ongoing. LAPSUS$ admins remain active and Intrinsec CTI team currently cannot confirm what impact those investigations will have on the next operations already planned by this intrusion set.

As one could wonder, we’d like to mention that this intrusion set is not related whatsoever with the armed conflict in Ukraine.