“LAPSUS$”, also tracked as “DEV-0537” by Microsoft’s Threat Intelligence Center (MSTIC), is a relatively new English/Portuguese-language online extortion group that gained notoriety after targeting Brazil’s Ministry of Health on December 10, 2021. This cyber-criminal gang is believed to operate out of South America (likely Brazil) and targets the networks of large organizations. The group’s aim appears to be soliciting ransom payments by threatening to leak stolen information if its extortion demands are not met. Although ransomware gangs often use this tactic alongside encryption to get paid in return for a decryption key, LAPSUS$ does not appear to encrypt any of the data it steals.[1]
LAPSUS$ freely shares all of its information about attacks on a Telegram channel instead of on a clearnet or darkweb forum like typical ransomware gangs. The group’s Telegram channel “LAPSUS$” (currently 45,424 subscribers) is used for announcing new victims and leaking data, and the channel “LAPSUS$ Chat” is used for open discussion.
LAPSUS$ appears to be highly sophisticated and has carried out increasingly high-profile data breaches. Despite displaying advanced technical capabilities, the group claims that it is not affiliated with any state and is not politically motivated. It started by targeting organizations in the United Kingdom, Portugal, and South America but has since expanded to organizations in the government, technology, telecom, media, retail, and healthcare sectors around the world.
On March 24, 2022, seven teenagers (between the ages of 16 and 21) were arrested by the City of London Police on suspicion of involvement with the LAPSUS$ extortion group. Despite these arrests, the group continues to carry out significant attacks. The major IT services firm Globant appears to be the group’s latest victim, with 70 GB of source code belonging to Globant customers exposed.
On April 1, 2022, two other teenagers were charged with hacking crimes related to LAPSUS$. The police in London charged the 16- and 17-year-olds with three counts of unauthorized access to a computer with intent to impair the reliability of data, one count of fraud by false representation, and one count of unauthorized access to a computer with intent to hinder access to data. The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorized access to a program.
Brazilian Ministry of Health
On December 10, 2021, over 50 TB of data was extracted from the Brazilian MoH’s network and subsequently deleted. This data included information related to the COVID-19 pandemic, including data on cases, deaths, vaccinations, and more. It took over a month to restore the highly customized system.[2]
On February 8, 2022, Vodafone Portugal suffered a cyberattack that disrupted its 4G and 5G services.[3] Initially, no group claimed responsibility for the attack, which was speculated to be either a distributed denial-of-service (DDoS) or a ransomware attack. LAPSUS$ had previously carried out a data breach against Portugal’s largest media company, Impresa, on January 3, and a data breach against the large Portuguese media conglomerate Cofina on February 6. On February 24, LAPSUS$ took credit for the Vodafone Portugal attack on its Telegram channel.
On February 26, LAPSUS$ claimed it had recently carried out an attack against the US-based graphics and computing chip manufacturer NVIDIA and had exfiltrated 1 TB of data from the company’s networks, including schematics, drivers, and firmware.[4] Later that day, the group stated it would leak the data in five parts. The group also claimed that NVIDIA had attempted to launch an attack on a LAPSUS$ computer in retaliation but was ultimately unsuccessful.
Later, LAPSUS$ offered to sell a bypass for NVIDIA’s Lite Hash Rate (LHR) version 2 for NVIDIA GA102 and GA104 GPUs, intended to increase cryptocurrency mining rates. The group went on to demand that NVIDIA push an update to all its GeForce RTX 30 Series GPUs to remove the LHR feature. LAPSUS$ stated that if NVIDIA did not push this update, the group would leak the “HW” folder, which allegedly contained another 250 GB of proprietary NVIDIA data. On March 1, LAPSUS$ added a further demand: that NVIDIA release the source code of its GPU drivers for Windows, macOS, and Linux under a free and open-source license. The group stated that if this demand was not met by March 4, it would leak classified NVIDIA information related to the unreleased GeForce RTX 3090 Ti.
On March 4, LAPSUS$ stated that the leak had been delayed due to negotiations with an undisclosed potential buyer interested in purchasing the NVIDIA source code.
On March 4, LAPSUS$ posted a message in its official Telegram channel informing subscribers that it had carried out an attack against the large South Korean electronics company Samsung and leaked nearly 200 GB of the company’s stolen internal files online, including source code used by Samsung for encryption and biometric unlocking functions on Galaxy hardware.[5]
On March 10, 2022, Ubisoft confirmed that a cybersecurity incident the week prior had temporarily disrupted some of its games, systems, and services, but insisted that it did not lead to any user data theft.[6] When The Verge covered the incident on March 11, LAPSUS$ took responsibility for the attack on its Telegram channel.
On March 20, 2022, LAPSUS$ posted a screenshot claiming to have breached one of Microsoft’s Azure DevOps accounts. Later, on March 22, LAPSUS$ leaked 37 GB of stolen data that allegedly included partial source code for Bing, Bing Maps, and Cortana.[7]
On March 22, LAPSUS$ claimed to have remote access with superuser and administrator privileges on multiple Okta systems. LAPSUS$ stated that it did not steal data from Okta itself and that its focus was instead on Okta’s customers. Okta stated that the attackers may have gained access to around 2.5% of its customers, equating to 366 organizations in total.[8]
On March 22, the group uploaded a file to Telegram that it claimed contained credential hashes for LG Electronics employee and service accounts. A company official confirmed that some employee email addresses were believed to have been leaked.[9]
LAPSUS$ is known for using a pure extortion and destruction model without deploying ransomware payloads.
LAPSUS$ is also known to take over individual user accounts at cryptocurrency exchanges to drain cryptocurrency holdings.[10]
The group’s tactics include:
SIM-swapping to facilitate account takeover.
Phone-based social engineering.
Buying stolen credentials from underground forums and searching public credential dumps for credentials that can be used to gain access to accounts.
Accessing personal email accounts of employees at target organizations.
Paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval.
Exploiting public-facing Remote Desktop Protocol (RDP).
Deploying phishing emails to gain access to accounts and networks.
The group has sought insiders who could provide remote access to corporate networks through virtual private network (VPN) or virtual desktop infrastructure (VDI) credentials. The group emphasized that it was not interested in corporate data stolen by insiders but specifically in network access, listing VPNs, Citrix, and AnyDesk as examples of the access types sought.
LAPSUS$ also shared the Telegram username “Lapsusjobs” to solicit potential insiders to contact the group.
The group is actively targeting telecommunications companies, large software and/or gaming companies, call centers and business process management providers, and server hosting providers.
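As an added illustration of how a defender might triage sign-in logs for the access tactics listed above (public-facing RDP, purchased credentials, and MFA approvals obtained through SIM swaps or paid insiders), the following script is not part of the report; its log line format, field names, and sample events are constructed, and logon type 10 is assumed to denote an RDP session.

```python
"""Sign-in log triage for the access tactics described in the report.

Added illustration, not code from the report. The log lines are constructed
and the field layout (ts, user, src, type, result, mfa, country) is assumed,
not any particular vendor's schema. Logon type 10 is treated as RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2022-03-22T01:00:05 user=j.doe src=203.0.113.7 type=10 result=fail mfa=no country=BR
2022-03-22T01:00:09 user=j.doe src=203.0.113.7 type=10 result=fail mfa=no country=BR
2022-03-22T01:00:14 user=j.doe src=203.0.113.7 type=10 result=fail mfa=no country=BR
2022-03-22T01:00:20 user=j.doe src=203.0.113.7 type=10 result=success mfa=no country=BR
2022-03-22T08:15:00 user=a.lee src=198.51.100.4 type=2 result=success mfa=yes country=GB
2022-03-22T09:30:00 user=a.lee src=203.0.113.9 type=10 result=success mfa=yes country=BR
2022-03-23T09:31:00 user=m.ito src=198.51.100.5 type=2 result=success mfa=yes country=GB
"""

def parse(text):
    """Turn each constructed line into a dict; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        e = dict(p.split("=", 1) for p in kv)
        e["ts"] = datetime.fromisoformat(ts)
        events.append(e)
    return events

def detect(events, fails=3, window=timedelta(minutes=5)):
    """Return alerts for (a) an RDP success preceded by repeated failures from
    the same source (guessing or stuffing against exposed RDP) and (b) an
    MFA-approved sign-in from a country the account has never used before
    (the pattern left by a SIM swap or a bought MFA approval)."""
    alerts, recent_fails, seen = [], defaultdict(list), defaultdict(set)
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        if e["result"] == "fail":
            recent_fails[key].append(e["ts"])
            continue
        burst = [t for t in recent_fails[key] if e["ts"] - t <= window]
        if e["type"] == "10" and len(burst) >= fails:
            alerts.append(("rdp_success_after_failures", e["user"], e["src"]))
        if e["mfa"] == "yes" and seen[e["user"]] and e["country"] not in seen[e["user"]]:
            alerts.append(("mfa_from_new_country", e["user"], e["country"]))
        seen[e["user"]].add(e["country"])  # first sighting sets the baseline
    return alerts
```

Run against the constructed log, `detect(parse(LOG))` flags j.doe's RDP logon after three rapid failures and a.lee's MFA-approved sign-in from a previously unseen country, while m.ito's first sign-in only establishes a baseline.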