How LAPSUS$ Used Social Engineering to Infiltrate Major Tech Companies
Teenage hacker gang LAPSUS$ attacked several global corporations in a short period of time last year. It is known for using low-tech social engineering TTPs, but how exactly did it go about it?
Entering the scene in late 2021, LAPSUS$ (AKA "DEV-0537", Microsoft's name for the group) is reportedly led by a 16-year-old from England, said to be on the autism spectrum, who goes by the handle ‘White’. The group had reportedly amassed at least $14 million from its hacking by mid-2022.
At least one other member is believed to be Brazilian, which fits with several of LAPSUS$’s earliest attacks being against Brazilian organizations. In December 2021 the group broke into the Brazilian Health Ministry’s systems and deleted data, leaving travelers unable to access their COVID vaccination records.
Another early hack was a Portuguese-language newspaper’s Twitter account, where they tweeted, ridiculously, “LAPSUS$ is Portugal’s new President!”. Subsequently, a Brazilian car rental company’s website was broken into and redirected to a pornographic website.
In 2022, LAPSUS$ moved on to siphoning data from large technology companies like Microsoft, Nvidia, Globant and, later, Uber, seemingly as much for notoriety as for money. The group does not encrypt the data it steals or deploy ransomware; it is a pure extortion operation, using stolen credentials to gain high-level access and then threatening to leak data unless its demands (sometimes a ransom, sometimes something arbitrary) are met. Sometimes it just leaks the data anyway.
Despite UK police arresting seven suspected members, aged 16 to 21, in March 2022, the group kept going, stealing, exposing and deleting massive amounts of corporate data, with social engineering at the center of its TTPs.
Social Engineering Explained
It has become increasingly common for threat actors to use social engineering to gather information about their targets before attacking. Just as an electrical engineer designs, builds and maintains electrical systems, a social engineer manipulates social systems, i.e. people.
Social engineering can carve the first pathway into an organization. Once a little information is gained (a password, a mother’s maiden name) from a person who was deceived or simply made a mistake, the attacker’s access expands; from there more intelligence can be collected, and the access keeps growing.
Social engineering can also be resumed in later phases of an attack, whenever it is needed. The most common form is phishing, including vishing (“voice phishing”) and smishing (SMS phishing): an email, text message or phone call in which the attacker impersonates someone with authority they do not have. Phishing usually relies on a sense of urgency and a confident tone, aimed at tricking the target into unknowingly performing some action that serves the threat actor.
LAPSUS$ has used several of these tactics: spear phishing (highly targeted phishing), paying off employees of target organizations recruited openly on social media, SIM swapping and MFA fatigue (spamming push prompts), and textbook criminal negotiation techniques.
Out in the Open
To say that LAPSUS$ isn’t interested in being covert like most cyber-extortionists would be an understatement. It has kept its groupies updated on its seedy plans and posted recruitment requests through a Telegram group of around 60,000 members and its social media accounts; countless screenshots of those conversations and posts are available.
LAPSUS$ openly posted advertisements offering as much as $20,000/week to employees, contractors, suppliers, or business partners of large organizations in exchange for joining the criminal enterprise and handing over their credentials.
These recruits were told to do things like install remote management software on company computers or provide their credentials and approve MFA prompts (more on that later), allowing LAPSUS$ to perform illegal system takeovers.
Choosing to broadcast your illegal intentions is definitely unorthodox and comes with major risks, but it also allows black hats to cast a wider net of potential opportunities to achieve their illicit goals.
SIM-Swapping, MFA Fatigue, and Spear Phishing Oh My
SIM swapping does not require compromising the victim’s handset at all; it targets the victim’s account at the mobile carrier. LAPSUS$ has had targeted employees’ phone numbers reassigned to SIM cards it controls by contacting the carrier and convincing its support staff to make the switch, usually by impersonating the victim with previously gathered intel (answers to account-security prompts like “first street you lived on”, etc.). The group’s own recruitment ads also solicited telecom employees who could do the swap from the inside. Once the swap completes, the victim’s phone drops off the network and the hackers receive all of the victim’s SMS messages and voice calls.
According to Microsoft’s post-attack analysis, LAPSUS$ called the help desk of a target, or of one of its outsourced suppliers, and asked for a privileged account’s credentials to be reset. Armed with a few pieces of previously gathered personal information and a native-English-sounding caller, the group was able to get the reset approved and take control of the account. Going through a third party works because a supplier’s help desk is often less strict than the target’s own; the resulting breach erodes trust in supply-chain relationships and forces companies to rethink the permissions they give to outside parties.
A successful SIM swap then undermines any multi-factor authentication (MFA) that relies on the phone number: one-time codes and password-reset messages sent by SMS or voice call now arrive on the attacker’s handset, so LAPSUS$ could complete second-factor prompts or reset passwords outright. From there, the group could reportedly reach further secrets, including password managers such as 1Password. Phone-number-based factors inherit the carrier’s weakness; authenticator-app or hardware-key factors are not affected by a SIM swap.
Where a SIM swap wasn’t possible, the group used MFA fatigue, also called push bombing. With a valid password already in hand, it triggered push-notification prompts over and over until the victim eventually tapped “Approve”. The tactic works when the target is distracted, annoyed into making the prompts stop, or assumes the requests are legitimate; Microsoft noted that LAPSUS$ sometimes did this in the middle of the night.
LAPSUS$’ attack on Uber in September 2022 began with the password of an external contractor. The article’s sources describe a smish (SMS phishing text); Uber’s own account is that the password was bought on the dark web after malware on the contractor’s personal device stole it. Either way, the hackers then repeatedly sent the contractor MFA push prompts and followed up with a WhatsApp message posing as Uber’s IT department, asking them to confirm that the login attempt was legitimate. Once approved, the attack snowballed: the login let them connect to Uber’s VPN and scan the internal network for files that were not reachable from outside. On a network share they reportedly found PowerShell scripts containing a hardcoded administrator password for Uber’s privileged access management (PAM) tool, and that PAM tool in turn held secrets for much of the other software Uber uses.
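MFA fatigue leaves a distinctive trail in identity-provider logs: a burst of denied or timed-out push prompts for one user, then an approval. The detector below is an added example written for this article, not code from Microsoft, Uber or any identity provider; the `key=value` log format and the sample lines are constructed here. Entra ID sign-in logs, Okta's System Log and Duo authentication logs carry the same information under different field names, so only `parse_line()` would change for a real feed.

```python
"""
MFA push-fatigue ("push bombing") detector over constructed sample logs.

Added example for this article; not vendor code. Log format is made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "contractor01" is push-bombed at 2 a.m. and finally
# approves; "alice" and "bob" show normal behaviour that must not alert.
SAMPLE_LOG = """\
2022-09-15T02:01:03Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T02:01:41Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T02:02:10Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T02:02:55Z user=contractor01 event=mfa_push result=timeout src=203.0.113.7
2022-09-15T02:03:30Z user=contractor01 event=mfa_push result=denied src=203.0.113.7
2022-09-15T02:09:12Z user=contractor01 event=mfa_push result=approved src=203.0.113.7
2022-09-15T09:15:00Z user=alice event=mfa_push result=approved src=198.51.100.20
2022-09-15T09:40:22Z user=bob event=mfa_push result=denied src=198.51.100.31
2022-09-15T10:55:00Z user=bob event=mfa_push result=approved src=198.51.100.31
"""

WINDOW = timedelta(minutes=10)  # how far back to count prompts per user
THRESHOLD = 3                   # unapproved prompts that count as a burst
FAILED = {"denied", "timeout"}  # results meaning "the user did not approve"


def parse_line(line):
    """Parse one 'ISO-timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """
    Return alerts in log order. Two kinds are raised:
      push_bombing_in_progress - unapproved prompts for the user just reached
                                 the threshold inside the window (the attacker
                                 already holds a valid password: act now)
      approved_after_fatigue   - an approval arrived after >= threshold
                                 unapproved prompts inside the window (treat
                                 the new session as attacker-controlled)
    """
    history = defaultdict(list)  # user -> [(ts, result), ...] inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "mfa_push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec["result"]
        cutoff = ts - window
        recent = [(t, r) for t, r in history[user] if t >= cutoff]
        failed = sum(1 for _, r in recent if r in FAILED)

        kind = None
        if result == "approved" and failed >= threshold:
            kind = "approved_after_fatigue"
        elif result in FAILED and failed + 1 == threshold:
            kind = "push_bombing_in_progress"
        if kind:
            alerts.append({
                "kind": kind,
                "user": user,
                "ts": ts.isoformat(),
                "src": rec.get("src"),
                "failed_in_window": failed + (result in FAILED),
                # 00:00-05:59 UTC here; use the user's local timezone in practice
                "off_hours": ts.hour < 6,
            })
        recent.append((ts, result))
        history[user] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

The `approved_after_fatigue` alert is the one to page on: by the time it fires, the attacker has a live session. Detection is a backstop, though; the control that actually removes the technique is number matching or another form of push with context (the prompt shows a code the user must type from the sign-in screen), so that a blind tap on "Approve" no longer completes the login.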
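The step that turned a single contractor login into full administrative access was a credential sitting in a script where any VPN user could read it. A periodic scan of shared drives for that pattern is cheap, and the scanner below is an added example written for this article, not Uber’s code or any vendor’s tool. The regex rules and the three sample scripts are constructed here; a real deployment would walk the share, skip binaries, and add rules for tokens, connection strings and private keys.

```python
"""
Hardcoded-credential scanner for scripts on shared drives.

Added example for this article; rules and samples are constructed, not
taken from any real environment or vendor scanner.
"""
import re

# Constructed samples: a PowerShell script with a hardcoded service-account
# password, one that fetches the secret from a vault at run time (clean),
# and a shell script with a plaintext database password.
SAMPLE_SCRIPTS = {
    "backup-rotate.ps1": r'''$svcUser = "CORP\svc_backup_admin"
$svcPass = ConvertTo-SecureString "Winter2021!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($svcUser, $svcPass)
Invoke-Command -ComputerName pam01 -Credential $cred -ScriptBlock { Get-Service }
''',
    "fetch-secret.ps1": r'''# Better: resolve the secret at run time instead of embedding it
$token = Get-AzKeyVaultSecret -VaultName corp-kv -Name svc-backup -AsPlainText
''',
    "connect.sh": '''#!/bin/sh
PASSWORD="hunter2"
mysql -u admin -p"$PASSWORD" -h db.internal
''',
}

RULES = [
    # ConvertTo-SecureString "literal" -AsPlainText: the classic PowerShell smell
    ("ps_plaintext_securestring",
     re.compile(r'ConvertTo-SecureString\s+["\'][^"\']+["\']\s+-AsPlainText', re.I)),
    # password = "literal" in any language (variables, env exports, config keys)
    ("password_literal",
     re.compile(r'\$?\w*(?:password|passwd|pwd|secret|token|api_?key)\w*\s*=\s*["\'][^"\']{4,}["\']', re.I)),
    # -Password "literal" / -Pass "literal" / -Pwd "literal" on a command line
    ("password_switch",
     re.compile(r'-(?:Password|Pass|Pwd)\s+["\'][^"\']+["\']', re.I)),
]

# Quoted strings are masked in findings so the report does not re-leak the secret.
QUOTED = re.compile(r'(["\'])[^"\']*\1')


def redact(line):
    return QUOTED.sub(lambda m: m.group(1) + "***" + m.group(1), line.strip())


def scan_text(name, text):
    """Return one finding per offending line: file, line number, rule, redacted snippet."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            if rx.search(line):
                findings.append({"file": name, "line": lineno,
                                 "rule": rule, "snippet": redact(line)})
                break  # first matching rule is enough for one line
    return findings


def scan_all(scripts):
    """Scan a {filename: contents} mapping, e.g. built by walking a share."""
    findings = []
    for name, text in scripts.items():
        findings.extend(scan_text(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_SCRIPTS):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
```

Two design points carry over to real tooling: findings are redacted before they are written anywhere, because a findings report that contains the passwords is itself the next thing an intruder will read, and the clean script passes precisely because it resolves the secret from a vault at run time, which is the fix for every hit the scanner produces.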
Childish chaos ensued with Uber’s private images leaked, a dick pic posted on an internal website, and employees being spammed with offensive messages.
Speaking of immature moves, a less-discussed social engineering ploy LAPSUS$ has used is justification. After admitting to stealing 1 TB of sensitive data, including source code, from GPU maker Nvidia, the group called Nvidia “criminals” and “scum,” complaining that Nvidia had hit back with ransomware in response to the breach.
This manipulation scheme “condemns the condemners,” diminishing its own actions and pointing fingers at Nvidia to say, “Look, they attacked us and asked for ransom!” which wasn’t LAPSUS$’ motivation this time.
Another negotiation technique appeared after the group publicly dumped a list of passwords and source code belonging to software development company Globant (whose clients include Facebook and Apple). LAPSUS$ arrogantly posted:
“For anyone who is interested about the poor security practices in use at Globant.com, I will expose (the following) admin credentials.”
This statement seeks to “deny the victim”, arguing that Globant isn’t a victim and deserved to be attacked due to its lack of competence in securing its data (Ridley). Neutralization statements have the power to influence and attract “vigilante” types with a distaste for large corporations over to the side of the hackers, who parade as if their malicious activities are justified.
Though disorganized and somewhat random, the delinquents of LAPSUS$ unleashed their share of mayhem on the tech world last year. Starting with silly antics that disrupted business, the group moved on to stealing massive amounts of data and extorting its owners, for notoriety and financial gain.
It employed a multitude of social engineering tactics such as SIM-swapping, MFA fatigue, spear phishing, social media recruitment, paying targeted employees, and negotiation techniques.
Though not requiring high-tech skills, cyberattacks that involve social engineering are among the most difficult to prevent. It only takes one manipulated, misled, or uninformed person handing over information to set huge breaches in motion.
Whether it is due to jail time or other reasons, these threat actors have managed to stay out of the limelight in 2023. Let’s hope it isn’t just a ‘LAPSUS$’ in its cybercriminal activities.