Microsoft says digital extortion gang Lapsus$ targets cryptocurrency, too
A digital extortion gang with a murky background and unconventional methods has claimed responsibility for a string of compromises against some of the world's largest technology companies.
A digital extortion gang with a murky background and unconventional methods — one researcher called them “laughably bad” at times — has claimed responsibility for a string of compromises against some of the world’s largest technology companies.
The group, known as Lapsus$, said in a series of public posts on the messaging app Telegram this week that it had accessed Okta Inc., the San Francisco-based identity-management firm that provides authentication tools for an array of business clients. Okta said Tuesday that attackers may have viewed data from about 2.5% of its customers after breaching the laptop of an engineer at a third-party vendor.
Lapsus$ previously claimed to breach organizations including Nvidia Corp., Samsung Electronics Co., and the gaming company Ubisoft Entertainment. The group said it also accessed data from Microsoft Corp., saying it had gathered source code from the company’s Bing search engine, Bing Maps, and the Cortana digital assistant. Microsoft said attackers gained “limited access” to its systems, and that attackers had compromised a single account to gather data.
In recent years, most hacking groups have used malware to encrypt a victim's files, then demanded payment to unlock them, so-called ransomware. Sometimes the groups steal sensitive data and threaten to make it public unless they are paid.
Lapsus$ functions as a "large-scale social engineering and extortion campaign," though it does not deploy ransomware, Microsoft said. The group uses phone-based tactics to target personal email accounts at victim organizations and pays individual employees or business partners of an organization for illicit access, according to Microsoft.
Lapsus$ also is known for hijacking individual accounts at cryptocurrency exchanges to drain user holdings.
In a March 10 post on its Telegram channel, the group urged followers to provide access to a virtual private network inside their employers’ systems, or share details on how to access remote work tools. In addition, they sought access to telecommunication companies, software and gaming corporations, and Latin American phone service providers.
Joshua Shilko, a senior principal analyst at the cybersecurity firm Mandiant Inc., said Lapsus$ may have been active as early as mid-2021 when group members were posting in underground forums. "They're into the notoriety. They're interested in being in the spotlight," he said, adding that the evidence shows they are financially motivated.
In a Twitter post responding to the Lapsus$ allegation, Okta chief executive officer Todd McKinnon said the matter dated back to a January security incident.
Okta chief security officer David Bradbury on Tuesday revealed a five-day window in January when an attacker gained access to a laptop for a support engineer who worked for a third-party vendor. Bradbury also said the company had detected an unsuccessful hacking attempt in January. Okta shares fell 10.4% Wednesday, closing at $148.55 on Nasdaq.
The group’s Telegram channel posted a series of screenshots that it claimed were evidence of the hack and said that Okta wasn’t the ultimate target. “BEFORE PEOPLE START ASKING: WE DID NOT ACCESS/STEAL ANY DATABASES FROM OKTA — our focus was ONLY on okta customers. ????.”
Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, called the group's tactics "quite bizarre." Their actions, he said, "suggest that they may be kids who're in it for the lulz as much as they are the bucks." ("Lulz" is a variation of LOL, for laugh out loud).
Initial activity from the group suggested that at least some of its members were in Brazil, as that was the home nation of many of the companies first targeted, said Allan Liska, intelligence analyst at the threat-intelligence firm Recorded Future. Membership in hacking collectives is fluid, Liska said. Recorded Future hasn't observed any activity from apparent Lapsus$ members on popular Russian-speaking forums, he said.
“They seem laughably bad at times, but then here they are publishing Microsoft source code,” he said. “This may be that same mix of really talented members and some idiots. Even idiots stumble into success once in a while.”