The world of cybersecurity is infamous for changing fast. But tactics such as those exhibited by the hacker group Lapsus$ in a series of breaches over the past month suggest there’s even less that security teams can feel certain about, experts said.
As just one example: After stealing and threatening to leak data from Nvidia in February, Lapsus$ at one point made the demand that the graphics chipmaker “completely open source” its GPU drivers for Windows, macOS and Linux. And, Lapsus$ said on Telegram, Nvidia needed to do so “from now on and forever.”
The group’s “oddball behavior” tends to “complicate companies’ responses,” said Emsisoft threat analyst Brett Callow.
Companies “will have planned what to do in the event of being hit with a $1 million cash demand,” Callow said. “However, their playbooks will almost certainly not cover a crazy scenario in which they’re asked to make their drivers open source.”
Lapsus$ has been responsible for a string of confirmed breaches over the past month, including against Nvidia, Samsung, Microsoft and a third-party Okta support provider.
Bloomberg reported Wednesday that Lapsus$ is headed by a 16-year-old who lives with his mother in England. And today, the BBC reported that the City of London Police have arrested seven teenagers in connection with the Lapsus$ group. It was unknown whether the group’s leader was among those arrested.
But even if Lapsus$ itself does not continue, any other threat actors that emulate its approach will pose a different type of threat that defenders must adjust for.
“Old-school ransomware gangs are predictable, and companies can pre-plan their responses,” Callow said. “With Lapsus$ et al, playbooks go out the window.”
Bribing Insiders
In its post about Lapsus$ earlier this week, Microsoft pointed to a number of unconventional tactics used by the group, particularly when it comes to gaining initial access. For one thing, the group is fond of bribing insiders, Microsoft researchers said.
To gain initial access, Lapsus$ has been observed “paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval,” according to Microsoft researchers.
On his KrebsOnSecurity site, Brian Krebs also shared details on the bribery tactics used by Lapsus$. According to Krebs’ sources, the group has been working to recruit insiders through social media for several months. Messages posted by the group on Reddit offered employees at major telecoms as much as $20,000 per week for doing “inside jobs,” Krebs disclosed.
Because Lapsus$ has been paying for access into companies’ environments, “they don’t use vulnerabilities, and don’t deploy malware to breach the organization and cause damage,” said Shahar Vaknin, who heads the threat hunting team at cybersecurity firm Hunters.
This makes many of the security tools used by companies “irrelevant,” since “there are no IOCs [indicators of compromise], no malware,” Vaknin said.
“We need to make a stronger case for the concept of zero trust — to actually assume malicious, compromised insiders — and be able to spot them,” he said.
However, this is very difficult to accomplish in practice, given that this approach tends to create a lot of false positive signals, Vaknin said.
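The detection problem Vaknin describes (no malware and no IOCs, just a legitimate credential and a legitimate MFA approval used by the wrong person) can still be worked as a behavioural check over sign-in logs. The script below is an added example written for this page, not code from Microsoft, Hunters or any other party quoted here; the log fields, the per-signal weights, the alert threshold, the working-hours window and the sample events are all assumptions chosen for illustration. It replays constructed sign-in events, learns each user's baseline from earlier successful sign-ins only, and alerts only when several independent anomalies coincide, so that a single new country (ordinary travel) does not fire, which is the false-positive problem the paragraph above raises.

```python
"""Flag MFA-approved sign-ins that look like someone other than the account
owner is using the account (bribed insider or purchased credentials).

Added example for this article, not vendor code. Log format, field names,
weights, thresholds and sample data are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (not real telemetry).
SAMPLE_EVENTS = [
    # Baseline: alice signs in from GB on a known laptop during work hours.
    {"ts": "2022-03-01T09:02:00Z", "user": "alice", "country": "GB", "device": "LAPTOP-A1", "mfa": "approved", "result": "success"},
    {"ts": "2022-03-02T08:55:00Z", "user": "alice", "country": "GB", "device": "LAPTOP-A1", "mfa": "approved", "result": "success"},
    {"ts": "2022-03-03T09:10:00Z", "user": "alice", "country": "GB", "device": "LAPTOP-A1", "mfa": "approved", "result": "success"},
    # Benign anomaly: travel to DE on the same device. One signal only.
    {"ts": "2022-03-10T10:15:00Z", "user": "alice", "country": "DE", "device": "LAPTOP-A1", "mfa": "approved", "result": "success"},
    # Suspicious: new country, never-seen device, 03:00 UTC, and an approval
    # arriving right after two pushes were rejected.
    {"ts": "2022-03-12T03:00:00Z", "user": "alice", "country": "BR", "device": "UNKNOWN-77", "mfa": "denied", "result": "failure"},
    {"ts": "2022-03-12T03:01:00Z", "user": "alice", "country": "BR", "device": "UNKNOWN-77", "mfa": "denied", "result": "failure"},
    {"ts": "2022-03-12T03:02:30Z", "user": "alice", "country": "BR", "device": "UNKNOWN-77", "mfa": "approved", "result": "success"},
]

# Assumed weights: one new attribute (travel) is common; a never-seen device
# or an approval right after rejected pushes is rarer and weighs more.
WEIGHTS = {"new_country": 1, "new_device": 2, "off_hours": 1, "approved_after_denials": 2}
ALERT_THRESHOLD = 3          # more than one independent anomaly is required
MIN_BASELINE = 3             # successful sign-ins learned before a user is scored
DENIAL_WINDOW = timedelta(minutes=10)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_event(event, baseline, denials_in_window):
    """Score one MFA-approved sign-in against a user baseline.

    Returns (score, reasons). baseline has 'countries' and 'devices' sets.
    """
    reasons = []
    if event["country"] not in baseline["countries"]:
        reasons.append("new_country")
    if event["device"] not in baseline["devices"]:
        reasons.append("new_device")
    hour = parse_ts(event["ts"]).hour
    if hour < 6 or hour >= 22:   # assumption: working hours are 06:00-22:00 UTC
        reasons.append("off_hours")
    if denials_in_window >= 2:
        reasons.append("approved_after_denials")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect_insider_risk(events):
    """Replay events in time order and return alerts.

    Baselines are learned only from earlier, non-alerted successful sign-ins,
    so a suspicious event can never whitelist itself.
    """
    baselines = defaultdict(lambda: {"countries": set(), "devices": set(), "count": 0})
    denials = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["ts"])):
        user, when = e["user"], parse_ts(e["ts"])
        if e["mfa"] == "denied":
            denials[user].append(when)
            continue
        if e["result"] != "success":
            continue
        b = baselines[user]
        alerted = False
        if b["count"] >= MIN_BASELINE:
            recent = sum(1 for d in denials[user] if timedelta(0) <= when - d <= DENIAL_WINDOW)
            score, reasons = score_event(e, b, recent)
            if score >= ALERT_THRESHOLD:
                alerts.append({"ts": e["ts"], "user": user, "score": score, "reasons": reasons})
                alerted = True
        if not alerted:
            b["countries"].add(e["country"])
            b["devices"].add(e["device"])
            b["count"] += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_insider_risk(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the DE trip scores 1 and is absorbed into the baseline without an alert, while the BR approval scores 6 on four independent signals and is flagged. In a real deployment the baseline would come from an identity provider's sign-in log and the weights would be tuned against that tenant's own history; the structure (score several weak signals, alert on their coincidence, never learn from a flagged event) is the part that carries over.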
Third-Party Risk
Of course, the group’s use of a third party as a way into larger vendors, as in the Okta incident, is nothing new, noted Yoni Shohet, cofounder and CEO of cyber firm Valence Security.
“As organizations go through digital transformation and democratization of IT, they become highly dependent on third-party integrations. We can only assume that the attackers will increasingly focus on supply chain access and third-party vendors,” Shohet said.
Lapsus$ has just borrowed that approach and put its own, unusual spin on things, experts said.
In the Okta incident, Lapsus$ did not make any demands at all — at least not on its Telegram channel — prior to posting screenshots as evidence of the breach this week.
The closest thing to a clue on motive is the group’s statement, in the Telegram post about Okta, that “for a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor.”
Lapsus$ followed up with another post on Tuesday, criticizing Okta for a number of its security measures.
But the apparent motive and target have varied by attack, as noted by Microsoft. Researchers at Microsoft — which confirmed that Lapsus$ stole some of its source code — believe that Lapsus$ is “motivated by theft and destruction.” The group has in some cases extorted victims to prevent the release of data, but in others has leaked data without making any demands, the researchers said.
In its communications about the Nvidia breach, Lapsus$ demanded that Nvidia remove an anti-cryptomining GPU feature, suggesting to some observers that financial motives play at least some role. But the overall picture remains opaque when it comes to Lapsus$.
With a mix of financial targeting and hacking of IP, there has been “no one clear direction or motive for the group,” said Oliver Pinson-Roxburgh, CEO at cybersecurity services firm Bulletproof.
And while the future of Lapsus$ itself may be in doubt, the group did manage to become a “force to be reckoned with” in a short period of time through unconventional means, he said. Whether it’s Lapsus$ itself, or any others that emulate the group, “businesses should be prepared and learn their tactics, techniques and procedures, and monitor for attack.”