A dangerous hacking group is going after some of the biggest names in tech including Microsoft, Samsung, and corporate authentication company Okta as it looks to gain access to high-level IT systems used by businesses and governments around the world.
The group is called LAPSUS$ and has reportedly breached the likes of Microsoft, Samsung, Ubisoft, and NVIDIA, freely leaking company files and source code to the internet.
On Wednesday LAPSUS$ claimed to have hit its latest victim: authentication software company Okta, sending a collective shudder across IT teams at organisations that use its suite of corporate identity verification tools.
LAPSUS$ posted a series of screenshots to its Telegram group, claiming them as evidence that it had access to Okta's superuser portal, which appeared to give the hackers the ability to reset passwords of Okta customers.
Okta’s share price took a hit on the news.
Chief Security Officer David Bradbury then issued a statement confirming that the screenshots did indeed prove LAPSUS$ “had access to a support engineer’s laptop”.
Bradbury downplayed the incident overall, saying the effect on Okta's customers “is limited to the access that support engineers have”, which includes access to customer data like Jira tickets and user lists and the ability to reset – but not view – passwords and multi-factor authentication settings.
LAPSUS$ mocked Bradbury’s statement, talking up the potential effects of the incident and noting the support engineer it stole the identity of had “excessive access” to Okta’s Slack instance. The group claimed to have found Amazon Web Services (AWS) keys in open Slack channels.
LAPSUS$’s motives are as yet unclear, although a Microsoft report on the group, which labels it threat actor DEV-0537, mentions the hackers destroying data, using other information for extortion, and targeting cryptocurrency wallets.
Always watching
Microsoft’s descriptions of how LAPSUS$/DEV-0537 operates suggest a robust understanding about the operations of modern IT environments, saying the attackers run through enterprise tools like SharePoint, Confluence, Jira, GitHub, Teams, and Slack looking for credentials and sensitive information.
With escalated privileges in a company’s cloud environment, LAPSUS$ creates admin-level accounts, gains control of email, and removes other admins. In some instances, the hackers also start torching the host system, deleting “systems and resources” in order to “trigger the organisation’s incident and crisis response process”, according to Microsoft.
When the incident response team kicks into gear, LAPSUS$ joins the remote crisis meetings, sitting in on video calls and watching Slack to learn more about how the organisation deals with an intrusion.
LAPSUS$ wants to “leverage their access from one organisation to access the partner or supplier organisations” as it looks to get a wide foothold in a range of organisations, targeting the supply chain and trust networks of modern corporate infrastructure.
Microsoft did not identify LAPSUS$ as belonging to any nation state.
As Microsoft notes, LAPSUS$ is unusual in that it “doesn’t seem to cover its tracks” – opting instead to publicise its hacking activity and recruit accomplices through the mobile messaging app Telegram.
But even as the LAPSUS$ hackers hit big targets and navigate networks like professionals, poor operational security may have compromised the group and led to the discovery of its 16-year-old leader.
Just a kid
The trope of the teenage hacker is alive and well following an exclusive report from Bloomberg that claims cyber security researchers tracked down the hacker whose username is 'White' to a terrace house in Oxford, England, where he lives with his mum.
Another suspected LAPSUS$ member lives in Brazil.
All told, the researchers have found seven identities linked to the hacking group, Bloomberg reported.
The LAPSUS$ Telegram group was active through much of March until Wednesday when the channel’s admin posted a message saying a few of its members “has a vacation [sic]” until the end of March, adding that LAPSUS “might be quiet for some times [sic]”.
Between admin posts, LAPSUS$’s Telegram group is filled with inane chatter from wannabe hackers and fans who cheer it on, ask that it “hack TikTok next”, share memes, and generally behave like a fan club.
Because the accessibility of Telegram – as opposed to the obscure hacking forums of yore – gives the hackers access to a large fanbase, the group can crowdsource activities like the recruitment of willing corporate spies.
“We recruit employees/insider [sic] at the following,” LAPSUS$ told its audience earlier this month before listing the kinds of targets it was looking for, specifically: telecommunications companies, software and gaming corporations, call centres, and server hosts.
“We are not looking for data,” the message said in all-caps. “We are looking for the employee to provide us a VPN or Citrix to the network, or some anydesk [sic].”
It then copied in the account @lapsusjobs for curious insiders to message about being paid to give away access to their employer’s systems.
More than 65,000 users have seen the recruitment message.