Lapsus$ Gains Notoriety by Claiming Responsibility for Okta and Microsoft Attacks

A digital extortion group has recently made a name for themselves by claiming responsibility for cyberattacks against distinguished targets, such as Microsoft and Okta. Earlier this week, the group confused the cybersecurity world by claiming they had gained access to the ‘super user’ admin account for Okta, an identity management platform. Both Microsoft and Okta confirmed that the group was able to compromise the account.

So, who are Lapsus$?

Previously, the group’s main objective had appeared to be ransom payments. They would often threaten to divulge stolen data if ransom demands were not met. While ransom demands are commonly associated with ransomware, with Lapsus$ there was no sign of ransomware as part of the attack, and no data was found to be encrypted.

Okta, an enterprise identity and access management provider, claims that the attack from Lapsus$ may have resulted in access to the information of around 2.5% of its customers. The group boasted by posting screenshots on Telegram that they claim were taken after they gained access to Okta’s super admin account and other systems.

Lapsus$ claims it successfully accessed a support engineer’s laptop at Okta. However, Okta disputes this claim by stating the laptop belonged to a support engineer working for a third-party provider and that their organization was not directly compromised. Since the initial incident and announcement on March 22nd, Okta has contacted the customers affected by the attack.

Microsoft confirmed the attack but emphasized that the group had limited access. Lapsus$ disputed this claim from Microsoft by posting a torrent file that they claim contains source code for Cortana, Bing Maps, and even Bing itself. Since that posting, Microsoft has confirmed that the group stole approximately 40GB of source code from one of its Azure DevOps servers. Microsoft also claims that viewing the stolen source code will not result in further elevation of risk.

Lapsus$ Victims

While attacks on Microsoft and Okta have drawn attention to Lapsus$, the group is not new and has been active since December 2021. The Brazilian Ministry of Health was one of the group’s first victims in an attack that resulted in 50TB worth of data being stolen and deleted from their systems. The stolen data in this attack contained information relating to COVID-19, including data on the number of cases, deaths, and vaccination reports. The Brazilian Ministry of Health took more than a month to get their systems back up and running after the attack.

Samsung is another distinguished victim that confirmed a cyberattack but claimed it does not expect any impact on its customers or business. Lapsus$ claimed it had compromised 190GB worth of sensitive data, including source code relating to Samsung Galaxy smartphones.

Not much information is available on the Lapsus$ group; however, some recent reports have linked several teenagers in London, England to the group’s activities. Unlike other ransomware groups, which use the dark web to publish or sell compromised data, Lapsus$ uses a Telegram channel to divulge information about its attacks and share screenshots directly with its subscribers. The cybercriminal group uses open Telegram channels to post messages enticing potential insiders to conduct malicious activities, such as offering Virtual Desktop Infrastructure (VDI), Virtual Private Network (VPN), or Citrix credentials. In return, the insiders would be reimbursed in an undisclosed currency for providing the group access.

Securing remote-working tools such as RDP and VPN with strong passwords and multi-factor authentication, enforcing a policy of least privilege, and deploying Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are some methods that reduce the risk of falling victim to these types of cyberattacks.

