LAPSUS$ group that breached Nvidia is using private Telegram group finds Tenable

Claire Tills, Senior Research Engineer, Tenable.
Claire Tills, Senior Research Engineer, Tenable.
2 years ago

A deep dive into the operations of the LAPSUS$ group by Claire Tills, Senior Research Engineer at Tenable reveals that the group’s tactics, while brazen, illogical and unsophisticated, were still successful in disrupting major international technology companies. This is a sobering reminder that no organization is truly safe from cyberattacks, as large to small organizations are fair game.

The LAPSUS$ group, widely reported to consist of teenagers, exploded onto the cyber scene late last year and has become one of the most talked about and notorious online extortion groups after successfully breaching major companies like Microsoft, Samsung, Ubisoft and Okta.

Unlike ransomware operators, the LAPSUS$ group represents a growing breed of extortion-only cybercriminals, focusing exclusively on data theft and extortion by gaining access to victims through tried-and-true methods like phishing, and stealing the most sensitive data it can find without deploying data-encrypting malware. The group jumped into the limelight when it launched an attack against Nvidia in late February. With this breach, LAPSUS$ made its debut onto the global stage and started a brief tear through major technology companies.

Unlike other threat groups, LAPSUS$ solely operates through a private Telegram group and doesn’t manage a dark web leak site. It’s through Telegram that the group announces victims, often soliciting input from the broader community on which organization’s data to release next. Compared with the polished, standardized sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti etc.), these practices come off as disorganized and immature.

With a string of high-profile targets lying in its wake, the LAPSUS$ group gained notoriety for its unconventional tactics and erratic methods. Early attacks featured distributed denial of service (DDoS) and website vandalism. But, as early as January 21, the LAPSUS$ group was already engaged in the multi-stage breach that eventually led to the incident at Okta. Throughout that maturation process, the LAPSUS$ group heavily leaned on classic tactics like purchasing credential dumps, social engineering help desks and spamming multifactor authentication (MFA) prompts to achieve initial access to target organizations.

“Just like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to conduct,” said Claire Tills, Senior Research Engineer, Tenable. “Organizations should evaluate what defenses they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents. While it may feel easy to downplay the threat groups like LAPSUS$, their disruption of major international technology companies reminds us that even unsophisticated tactics can have a serious impact.”

Don't Miss

Tenable Highlights Toxic Cloud Trilogy at BlackHat MEA 2024

Tenable will exhibit at BlackHat MEA 2024 held from 26th to 28th
Shai Morag, Chief Product Officer, Tenable

Tenable Cloud Risk Report Sounds the Alarm on Toxic Cloud Exposures Threatening Global Organizations

Tenable released its 2024 Tenable Cloud Risk Report, which examines the critical