Account Takeover Fraud , Cybercrime , Endpoint Security

UK Police Arrest 7 Allegedly Tied to Lapsus$ Hacking Group

Lapsus$ Claimed Responsibility for Numerous Hacks, Including of Okta and Microsoft
UK Police Arrest 7 Allegedly Tied to Lapsus$ Hacking Group
Photo: City of London Police

Police in London say they've arrested seven people that the BBC reports are tied to the Lapsus$ hacking group, which has claimed responsibility for data breaches involving Okta, Microsoft, Nvidia, Ubisoft and more.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The names of the suspects have not been released. But police say the individuals range in age from 16 to 21 years old. None have been charged and all have been released "under investigation," a City of London Police spokeswoman says.

The spokeswoman says police are not identifying the hacking group, but the BBC reports it is the Lapsus$ group. After the reported arrests, members of a Lapsus$ Telegram chat group, including known accounts that have long been associated with the group, seemed to dispute the arrest reports.

Security researchers have pointed to a teenager who is 16 or 17 years old, based in England, as possibly being the leader of Lapsus$. It's not clear if he was among the individuals who might have been detained.

Earlier this year, the boy's identity and those of his immediate family members were released in a "doxxing" attack, meaning their personal information was released online in revenge for a perceived slight. Since then, his name has repeatedly surfaced on social media, as others also appear to have fostered a grudge again him.

Information Security Media Group is not identifying the suspect by either his name or his online nicknames because he appears to be a minor and it's unclear if he has been charged. Efforts to contact the boy via email were unsuccessful.

A screenshot from the website where the alleged leader of Lapsus$'s personal information was released

The arrests follow an increasingly intense hacking spree conducted by Lapsus$. Those attacks and their accompanying fallout seemed to hit their peak with the disclosure earlier this week of an attack in January that compromised data belonging to more than 300 customers of identity and access management vendor Okta.

Lapsus$ quickly came under heavy scrutiny from security researchers, many of whom reported that the group lacked robust operational security, meaning group members often failed to carefully mask their digital trail. Such OPSEC shortcomings make it more likely that researchers and law enforcement investigators can recover sufficient evidence from a hack attack or breach to discover attackers' real-world identities.

In fact, law enforcement officials were informed about the 16- or 17-year-old boy's activities in the middle of last year, around the time that source code for Electronic Arts was dumped online, says Allison Nixon, chief research officer with cybersecurity consultancy Unit 221B.

Nixon says Unit 221B has collaborated with Palo Alto Networks and other security partners, which it declined to name, to investigate Lapsus$'s activities. Between that collaboration and attackers' poor OPSEC, Nixon says, researchers have amassed a significant quantity of evidence about the group and its operations.

Lapsus$: New and Potent

First appearing in 2021, Lapsus$ swiftly generated attention by publicly dumping stolen data, extorting companies and openly offering to pay for information that helped the group breach more businesses.

The group is believed to have a connection to Brazil since some of its public posts are in Portuguese and some of its hacking targets are Brazilian.

The group's activity intensified earlier this month with a series of releases of sensitive data. The group usually posts its data breach dumps to a Telegram channel, where members regularly mock and threaten their victims.

On March 5, Lapsus$ released source code belonging to Samsung. It then dumped data belonging to LG.

Recent Victims: Microsoft and Okta

In just the past week, Lapsus$ released source code belonging to Microsoft's Bing search engine and Cortana voice assistant. The most recent batch of released data pertained to Okta, whose software is used by thousands of enterprises to manage users' identities.

The scope of that breach remains under investigation. In a Wednesday breach update, Okta reported that attackers had gained access to the laptop of a customer support engineer who worked for Sykes, which is a customer-support company based in Costa Rica, owned by Miami-based Sitel Group. Okta says attackers somehow gained access to the laptop via a remote desktop protocol connection but has not yet shared further details.

Attackers' access to the Sykes system persisted for five days in January, and they could have viewed and acted on data, including resetting passwords and multifactor authentication credentials for affected customers, Okta says. Up to 366 of its customers may have been affected, it says.

Okta has come under increasing criticism for failing to disclose the incident to customers more quickly. In its defense, the company says that it only received a summary of the digital forensic investigation from Sitel on March 17.

Sitel tells ISMG that it is still investigating the breach, together with an outside firm it retained, but said that it had contained the January breach quickly, once it came to light. The company declined to answer further questions.

"As a result of the investigation, along with our ongoing assessment of external threats, we are confident there is no longer a security risk," Sitel says. "We are unable to comment on our relationship with any specific brands or the nature of the services we provide for our clients."

Sitel's Sykes branch, which it acquired for $2.2 billion last year, provides or has provided services for a range of companies, including Apple, Cisco, Dell, DocuSign, PayPal and Splunk.

Lapsus$ Regularly Uses Social Engineering

Whether Lapsus$ may have used social engineering tactics in the Okta attack remains an open question. But both Unit 221B's Nixon and Alex Holden, founder and CISO of the Wisconsin-based cybercrime intelligence consultancy Hold Security, say some of Lapsus$'s attacks have similarities to an attack against Twitter in 2020.

In that incident, hackers socially engineered Twitter employees to gain access to an internal Twitter tool, which allowed them to take over some 130 accounts, including for such high-profile users as Elon Musk and Barack Obama.

Lapsus$ is said to be well funded, Holden says. The group also openly advertised that it would pay employees of companies to help it further its attacks. Whether this type of insider attack may have been employed against Sitel, or if it was a more straightforward type of compromise, remains unclear, he says.

"Humans are still the weakest link in our cyber defenses," Holden says.

Group Employs Numerous Tactics

But Lapsus$ also mastered a range of tricks allowing the group to access credentials, gain initial access into a network and move laterally, according to research from Microsoft.

Lapsus$, which Microsoft refers to as DEV-0537, is known for "living off the land," which refers to using native operating system tools to probe systems, the company's security researchers report in a blog post. Such tools and tactics would have made detecting the attackers' activities difficult, as would the group's skill in employing social engineering techniques.

To gain initial access, Microsoft says the group favored several tactics. These include using various techniques to compromise accounts, such as employing the RedLine password stealer, buying stolen or brute-forced credentials in underground markets, paying employees of targeted organizations to share credentials or MFA codes, searching public data breach dumps for exposed credentials, and gathering enough data about an employee in a targeted organization to phone the help desk and ask it "to reset a target’s credentials" to those of its choosing, the company says.

Unusually, Lapsus$ also openly bragged about its exploits, not least via social media posts. "Unlike most activity groups that stay under the radar, DEV-0537 doesn't seem to cover its tracks," Microsoft says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.