At the beginning of this week, Lapsus$ announced on Telegram that they would be releasing Microsoft source code that they had stolen. Following the announcement, Microsoft was able to intercept the gang’s source code download before it could be completed, which they stated in a blog post.
On the same day, Okta, an identity management provider, also confirmed that they too had been a victim of an attack by Lapsus$ after the gang posted images on Telegram claiming to show internal Okta applications, Jira bug ticketing system, and the company’s Slack from 21st January 2022.
Microsoft said that their security team has been tracking the group’s activity and had found that the group is “known for using a pure extortion and destruction model without deploying ransomware payloads”. The Microsoft Security team found that Lapsus$, also known as DEV-0537, first began to target organisations based in the United Kingdom and South America, and then branched out to global targets, such as organisations in the healthcare, technology and government sectors. Microsoft Security also found that Lapsus$ has been seen to target cryptocurrency exchanges in order to drain cryptocurrency holdings.
The Microsoft Security team stated that Lapsus$ also use tactics that are less frequently used by other gangs. For example, they have been known to use “phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”
As Lapsus$ continued to hit the news throughout the week, the story began to gain attention, especially from security researchers. By the end of the week, researchers investigating the group’s activities tracked the attacks to a 16-year-old from Oxford, England. Researchers have said that the teen is known as “White” or “Breachbase” and is thought to be behind some of the most prolific Lapsus$ attacks, however, it is unclear how many attacks.
An additional seven teenagers have also been arrested in relation to Lapsus$ activity, but the motivation of the gang is still unknown.
Lapsus$ have become one of the most feared cybergangs online, and their activity has left security researchers confused and astonished. What the group’s activity and the events surrounding them highlights is that security needs to be taken seriously. It’s important that everyone understands how future hardware can help protect us and how a security-first design is essential in this.
The UKRI Digital Security by Design (DSbD) programme is supporting industry to deliver new underpinning technologies with the recently announced DSbD Technology Access programme offering developers the opportunity to understand and evaluate the resulting benefits. The initiative is helping to transition to a cybersecurity model in which technology can be secured by design in order to create a resilient, and secure foundation for a safer future.