Lapsus$ Group

Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach.

“No customer code or data was involved in the observed activities,” Microsoft’s Threat Intelligence Center (MSTIC) said, adding that the breach was facilitated by means of a single compromised account that has since been remediated to prevent further malicious activity.

Identity and access management company Okta, which also acknowledged the breach through the account of a customer support engineer working for a third-party provider, said that the attackers had access to the engineer’s laptop during a five-day window between January 16 and 21, but that the service itself was not compromised.

“In the case of the Okta compromise, it would not suffice to just change a user’s password,” web infrastructure company Cloudflare said in a post mortem analysis of the incident. “The attacker would also need to change the hardware (FIDO) token configured for the same user. As a result, it would be easy to spot compromised accounts based on the associated hardware keys.”

LAPSUS$, which first emerged in July 2021, has been on a hacking spree in recent months, targeting a wealth of companies over the intervening period, including Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone, and most recently Ubisoft.

The financially motivated group’s modus operandi has been relatively straightforward: break into a target’s network, steal sensitive data, and blackmail the victim company into paying up by publicising snippets of the stolen data on their Telegram channel.

Other tactics adopted by the crew include phone-based social engineering schemes such as SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organizations, bribing employees, suppliers, or business partners of companies for access, and intruding in the ongoing crisis-response calls of their targets to initiate extortion demands.

To mitigate such incidents, Microsoft is recommending organisations to mandate multi-factor authentication (but not SMS-based), make use of modern authentication options such as OAuth or SAML, review individual sign-ins for signs of anomalous activity, and monitor incident response communications for unauthorized attendees.

If you would like any advice or would like to know more about our services, please email or telephone 02074 999 323.

Valkyrie Updates


Stay informed with the latest insights, expertise and innovations in the world of security with Valkyrie’s news, reports and white papers