Lapsus$ breaks windows instead of picking locks, and that terrifies cybersecurity experts

T-Mobile is the latest high-profile target of the Lapsus$ cybercriminal group, whose bar-brawl tactics have stoked tech industry fears of copycat attacks.

It’s hard to imagine a bunch of teenagers hacking into companies like Nvidia, Samsung and Microsoft. But that’s exactly what the Lapsus$ group has done since bursting onto the scene last year. Even though several members of the criminal hacking crew have been arrested, including an alleged 16-year-old ringleader in the U.K., experts warn we likely haven’t seen the last of Lapsus$ or its devil-may-care attitude.

Rapid7 chief data scientist Bob Rudis told README that 10 to 12 groups could follow the path laid by Lapsus$ within the next three years. “And orgs aren’t ready for that right now,” he said, as evidenced by Lapsus$’s successful break-ins to several high-profile companies with mature security operations in quick succession.

Lapsus$ doesn’t even run a smooth or sophisticated operation, based on a report from cybersecurity journalist Brian Krebs today that revealed members’ infighting and paranoia in the weeks leading up to a string of arrests last month. The group reportedly accessed dozens of gigabytes of T-Mobile source code — only to lose access to the files because a key member of the group failed to back up a cloud server. T-Mobile did not immediately respond to request for comment, but told KrebsOnSecurity that “a bad actor” was not able to steal “anything of value,” and that no customer or government data was compromised.

Moving fast and breaking things

So what sets Lapsus$ apart from many other hacking groups? For one, Lapsus$ doesn’t appear to be interested in traditional ransomware attacks. The group has instead focused on compromising a target’s network, stealing whatever it can, and then publicly releasing that data so it can brag about the successful hack on Telegram.

That isn’t the only differentiator: Other cybercriminals often rely on initial access brokers — which sell access to company networks as well as pilfered credentials and multifactor authentication bypasses — to conduct their attacks. Lapsus$ has reportedly cut out the middleman by paying disgruntled workers at target organizations for access to the company’s network. (With some exceptions, as revealed in today’s KrebsOnSecurity report.)

“Unlike most activity groups that stay under the radar,” Microsoft said in a report, Lapsus$ “doesn’t seem to cover its tracks. They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”

Source: Microsoft

KrebsOnSecurity reported that a core Lapsus$ member called “Oklaqq” and “WhiteDoxbin” offered “employees at AT&T, T-Mobile and Verizon up to $20,000 a week” for performing “inside jobs.” The group doesn’t seem to be exploiting zero-day vulnerabilities in popular software or conducting sophisticated phishing campaigns — it’s buying its way into networks.

Lapsus$ has also demonstrated how easy it can be to bypass multifactor authentication. Ars Technica reported last month that the group has gained access to valid credentials and then spammed the account holder with MFA requests until they’re finally granted access. This isn’t a particularly sophisticated attack, but it’s proven effective.

Microsoft said that Lapsus$ also “uses several tactics that are less frequently used by other threat actors tracked by Microsoft,” including “phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations” and “intruding in the ongoing crisis-communication calls of their targets.”

A leaked Mandiant report described how Lapsus$ gained access to identity and access management security company Okta’s internal networks, demonstrating how the members of the group move quickly through a target’s network after gaining a foothold.

Some hackers linger on networks for weeks or months before revealing themselves, typically because they want to gather as much data as they can before doing something that causes them to lose that access. Rudis told README that Lapsus$ doesn’t bother; the cybercriminals tend to start poking around the target network and exfiltrating data within minutes of compromise.

Nor does Lapsus$ seem particularly concerned about being seen as more than a bunch of script kiddies. The leaked Mandiant report showed that Lapsus$ used Bing to search for a variety of open source offensive security tools. (That spawned jokes about someone using Microsoft’s also-ran search engine being an indicator of compromise.)

The group even lost access to Microsoft’s network because one of its members bragged about having that access on Telegram and then went to sleep.

Source: Lapsus$ public Telegram chat, via KrebsOnSecurity

This seeming disinterest in losing access to Microsoft’s network highlights the group’s YOLO approach to its operations. That mindset appears to extend beyond the initial compromise or the exfiltration of victims’ data.

“The actor has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response,” Microsoft said. “ It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands.”

Microsoft noted that Lapsus$ doesn’t always make demands of its victims, however, and sometimes appears to leak stolen data without asking companies to pay for its silence first. This has made it seem like Lapsus$ is just looking to sow chaos, though the group may still be hauling in millions of dollars through their extortion efforts, according to one unconfirmed account.

“Chaos is on the track to a description of them,” Rudis said. “But I don’t think they’re agents of chaos.” Instead, he said Lapsus$ has been looking to establish its credibility — namely by publicly leaking data stolen from companies like Nvidia, Microsoft, and Samsung or bragging about compromising Okta — so it can better extort future victims.

Rudis said that many executives Lapsus$ might try to extort would probably ignore the group’s claims at first. Why believe a bunch of teenagers with a Telegram channel saying they stole the source code for your projects? Now that Lapsus$ has publicly hacked a number of mature organizations, executives may be more likely to take any extortion attempt seriously.

Simple attacks, dizzying responses

The group’s attacks might not be particularly complex, but they’re effective, and they’ve proven that several massive companies are unable to defend themselves from bored teens with access to Bing and a bunch of Bitcoin.

The extent of a Lapsus$ breach doesn’t necessarily dictate the response to it, either. Okta said on April 19 that a “globally recognized cybersecurity firm,” widely believed to be Mandiant, concluded that Lapsus$ seized control of a single workstation used by a third-party tech support vendor and only breached “two active customer tenants” in a 25-minute window of access. Yet the incident damaged Okta’s reputation and resulted in Sitel, the third-party vendor, losing Okta as a customer.

“While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” the company said.

So what should organizations do to defend themselves? Changing MFA implementations would help prevent attackers like Lapsus$ from essentially annoying their way onto networks. MFA isn’t perfect — as Lapsus$ has demonstrated — but ditching prompt-based solutions that offer access with the press of a button could help.

Microsoft advised organizations to “strengthen and monitor [their] cloud security posture,” too, and “require healthy and trusted endpoints.” The company also said that defenders should train all employees to detect, report, and mitigate the effects of social engineering attacks as much as possible.

Solving the insider threat problem is trickier — and there might not be a technical solution to keep Lapsus$ or spinoff groups from claiming more tech giants as victims in the future.

Rudis added that while he’s not trying to praise a criminal hacking group that has caused so much harm, “the fact that this group is so brazen and is doing all the wrong stuff and is willing to operate at such speed… it’s kind of incredible.”