LAPSUS$ teenage extortion group exposes security flaws 


The LAPSUS$ group, reportedly made up of teenagers, appeared suddenly on the cyber scene late last year. It became one of the most well-known and notorious online extortion groups after successfully infiltrating major corporations such as Microsoft, Samsung, Ubisoft, and Okta.

Claire Tills, Senior Research Engineer at Tenable, has gained deep insight into the operations of the LAPSUS$ group. She found that while the group's tactics are bold, illogical and poorly thought out, they have nevertheless succeeded in disrupting major international technology companies. This is a sobering reminder that no business is truly secure from cyberattacks: companies large and small have become fair game for attackers.

LAPSUS$: data theft and extortion

Unlike ransomware operators, LAPSUS$ represents a growing group of cyber criminals solely focused on data theft and extortion. They gain access to victims through proven methods such as phishing and steal the most sensitive data they can find without using data-encrypting malware. The group came into the limelight when they launched an attack on Nvidia in late February. With this attack, LAPSUS$ entered the world stage for the first time and began a brief rampage of major tech companies.

Unlike other threat groups, LAPSUS$ operates solely through a private Telegram group and does not operate a dark web leak site. Through Telegram, the group announces its victims and often asks the community for suggestions on what company data to release next. Compared to the polished, standardized websites of ransomware groups (like AvosLocker, LockBit 2.0, Conti, etc.), these practices appear disorganized and immature.

DDoS attacks and security vulnerabilities

🔎 Overview of LAPSUS$ attacks (Image: Tenable)

Having recently attacked a number of high-profile targets, the LAPSUS$ group has become notorious for its unconventional tactics and unpredictable methods. Early attacks included Distributed Denial of Service (DDoS) and website vandalism. But as early as Jan. 21, the LAPSUS$ group was involved in the multi-stage breach that eventually led to the Okta incident. During this maturation, the group relied heavily on classic tactics such as buying credential dumps, socially engineering help desks, and flooding users with multi-factor authentication (MFA) prompts to gain initial access to target companies.
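The MFA-prompt tactic described above leaves a recognizable trace in identity-provider logs: a burst of push prompts to one account, most of them denied or timed out, often followed by a single approval. The following detector is an added example written for this article; it is not code from Tenable or from the original page. The log format, field names, window and threshold are constructed for illustration and would need to be mapped onto a real IdP export.

```python
"""Detect MFA push-prompt flooding ("MFA fatigue") in authentication logs.

Added example, not code from the article or from Tenable. The line format
and field names below are constructed for illustration; map them onto the
real export of your identity provider before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result (one event per line).
SAMPLE_LOG = """\
2022-01-21T02:14:03Z alice push_sent denied
2022-01-21T02:14:41Z alice push_sent denied
2022-01-21T02:15:10Z alice push_sent denied
2022-01-21T02:15:52Z alice push_sent timeout
2022-01-21T02:16:30Z alice push_sent approved
2022-01-21T09:00:00Z bob push_sent approved
2022-01-21T17:30:12Z bob push_sent approved
2022-01-21T03:01:00Z carol push_sent denied
2022-01-21T03:01:40Z carol push_sent denied
"""

WINDOW = timedelta(minutes=10)   # sliding window per user (assumed value)
PROMPT_THRESHOLD = 4             # prompts within WINDOW that count as a flood


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "event": event,
            "result": result,
        })
    return events


def detect_mfa_fatigue(events, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return {user: finding} for users whose push prompts look like a flood.

    Two signals are combined:
      1. at least `threshold` prompts inside one sliding `window`;
      2. an approval that follows one or more denials/timeouts in the same
         window, the pattern of a user eventually giving in.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "push_sent":
            by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            # Advance the window start so that evs[start:i+1] spans <= window.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:i + 1]
            rejected = sum(1 for b in burst if b["result"] in ("denied", "timeout"))
            flood = len(burst) >= threshold
            gave_in = e["result"] == "approved" and rejected > 0
            if flood or gave_in:
                f = findings.setdefault(user, {
                    "prompts": 0,
                    "rejected_before_approval": 0,
                    "approved_after_rejections": False,
                })
                f["prompts"] = max(f["prompts"], len(burst))
                if gave_in:
                    f["approved_after_rejections"] = True
                    f["rejected_before_approval"] = max(f["rejected_before_approval"], rejected)
    return findings


if __name__ == "__main__":
    for user, finding in detect_mfa_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {finding}")
```

In the constructed sample, only `alice` is flagged: five prompts in under three minutes, four of them rejected before one approval. `carol` has two denials but stays below the threshold and never approves, which is the kind of benign noise a threshold is there to filter; lowering it trades fewer misses for more alerts, so tune it against the normal prompt volume of the environment. An approval that follows rejections is worth treating as a higher-severity finding than prompt volume alone, since it indicates the account may already be in use by someone other than its owner.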

"Like ransomware, extortion attacks will never end unless they become too complicated or too expensive," said Claire Tills, senior research engineer at Tenable. "Organizations should consider what defenses they have against the tactics used, how they can be hardened, and whether their response plans effectively address these incidents. While it's easy to downplay threat groups like LAPSUS$, their disruption to major international tech companies reminds us that even simple tactics can have serious repercussions."

More at Tenable.com

About Tenable

Tenable is a Cyber Exposure company. Over 24,000 companies worldwide trust Tenable to understand and reduce cyber risk. The inventors of Nessus have combined their vulnerability expertise in Tenable.io, delivering the industry's first platform that provides real-time visibility into, and secures, any asset on any computing platform. Tenable's customer base includes 53 percent of the Fortune 500, 29 percent of the Global 2000, and large government agencies.
