Blog Post
January 27, 2023 | From the experts
Cybersecurity lessons from the 2022 LAPSUS$ breaches
By Field Effect
2022 was an especially frustrating year for cyberattacks on companies in the tech sector. Many of the victims were large companies, with billions of dollars in revenue and thousands of employees, and many of the attacks came from the same cybercrime group, LAPSUS$.
What can we learn from this series of cyberattacks? What did they have in common; how did they differ? What tactics and techniques proved effective? Most importantly, how can businesses use this information to improve cybersecurity measures for the future?
Before we answer all that, let’s look at a few of the more prominent LAPSUS$ breaches that shook the industry in 2022.
LAPSUS$ strikes February 2022
On February 23, 2022, rumours began to circulate that the computer hardware company NVIDIA had suffered a data breach. A few days later, on the 26th, LAPSUS$ came forward to claim the attack and leaked 20 GB of company data, including intellectual property (IP) and over 70,000 hashed employee credentials.
Hashed credentials may not sound valuable, but if the hash is a fast, unsalted one, an attacker can run an offline dictionary attack against the whole set at once, and every weak or reused password falls out within hours on commodity hardware. A company in this position should force a password reset for every affected account, revoke existing sessions and tokens, and watch for the recovered passwords being tried against its own and third-party services.
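To show why leaked hashes are not harmless, here is an added example (not from the original post and not NVIDIA's data or code) of an offline dictionary attack in Python against a constructed set of unsalted SHA-1 hashes. The post does not say which hash function the leaked credentials used; SHA-1 stands in for any fast, unsalted hash, and the users, passwords, salts and wordlist are all made up. The same attack is then run against per-user salted hashes to show that salting multiplies the attacker's work across accounts but does not rescue a weak password.

```python
import hashlib

# Constructed sample data, not the leaked set. Unsalted SHA-1 stands in for any
# fast, unsalted hash; two users chose weak passwords and one chose a strong one.
SAMPLE_HASHES = {
    "alice": hashlib.sha1(b"Summer2022!").hexdigest(),
    "bob":   hashlib.sha1(b"Welcome1").hexdigest(),
    "carol": hashlib.sha1(b"x7#Qm9!vR2$zLp").hexdigest(),  # not derivable from the wordlist
}

# A tiny stand-in for a real wordlist (real lists run to millions of entries).
BASE_WORDS = ["password", "welcome", "summer", "letmein", "qwerty"]


def candidates(words):
    """Yield each wordlist entry under a few common mangling rules
    (capitalisation, trailing digits, a year, a symbol)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2022", "2022!", "1!"):
                yield base + suffix


def crack_unsalted(hashes, words):
    """Offline dictionary attack against unsalted hashes {user: hex_digest}.

    With no salt, each candidate is hashed once and looked up against every
    target at the same time, so the cost does not grow with the number of users.
    Returns ({user: recovered_password}, number_of_hash_computations).
    """
    targets = {h: user for user, h in hashes.items()}
    cracked, ops = {}, 0
    for cand in candidates(words):
        ops += 1
        digest = hashlib.sha1(cand.encode()).hexdigest()
        if digest in targets:
            cracked[targets[digest]] = cand
    return cracked, ops


def salted_entry(salt_hex, password):
    """Constructed storage format for the salted comparison: (salt, SHA-1(salt || password))."""
    return salt_hex, hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()


# Same users and passwords as above, but each hash carries a per-user salt (constructed).
SAMPLE_SALTED = {
    "alice": salted_entry("a1b2c3d4", "Summer2022!"),
    "bob":   salted_entry("0f0e0d0c", "Welcome1"),
    "carol": salted_entry("deadbeef", "x7#Qm9!vR2$zLp"),
}


def crack_salted(salted_hashes, words):
    """The same attack against per-user salted hashes {user: (salt_hex, hex_digest)}.

    Every candidate must now be rehashed separately for every user, so the work
    is multiplied by the number of accounts. Weak passwords still fall; the salt
    only removes the "hash once, match everyone" shortcut.
    Returns ({user: recovered_password}, number_of_hash_computations).
    """
    cracked, ops = {}, 0
    cand_list = list(candidates(words))
    for user, (salt_hex, h) in salted_hashes.items():
        salt = bytes.fromhex(salt_hex)
        for cand in cand_list:
            ops += 1
            if hashlib.sha1(salt + cand.encode()).hexdigest() == h:
                cracked[user] = cand
                break
    return cracked, ops


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(SAMPLE_HASHES, BASE_WORDS))
    print("salted:  ", crack_salted(SAMPLE_SALTED, BASE_WORDS))
```

Both runs recover the same two weak passwords; only the operation count differs. A slow, memory-hard password hash (bcrypt, scrypt, Argon2) is what actually buys time after a leak, and even then the only safe response is the reset.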
The FBI acknowledges attacker activity
A week after the attack on NVIDIA, LAPSUS$ leaked 190 GB of Samsung data. According to Samsung, the breach included source code relating to Galaxy devices but not any personal information of consumers or employees.
Shortly after, on March 21, 2022, the FBI released a statement highlighting the LAPSUS$ attacks and seeking information about the rising cybercrime group.
LAPSUS$ targets the supply chain
The day after the FBI released its statement, LAPSUS$ posted customer data and screenshots it claimed to have taken from Okta, a major identity and access management provider.
It soon emerged that LAPSUS$ had not breached Okta itself. It had compromised a third-party customer support provider (an Okta partner) and, through that provider's access, attempted to reach into Okta, without success.
Even so, the partner's support tooling gave LAPSUS$ access to a small amount of Okta customer data, enough to lend weight to the group's claim. Okta subsequently had to take significant steps to reassure customers and investors.
During the same week in March, LAPSUS$ posted screenshots of source code that proved they had gained access to Microsoft, and they did so while still inside the network.
Within a few hours, Microsoft published a blog post about LAPSUS$. Microsoft confirmed that a single account had been compromised and that its security team, which was already investigating that account, used the group's public posting as the trigger to intervene and cut off the data exfiltration as it happened.
More importantly, the Microsoft post described in detail how LAPSUS$ operated. The group relied on extensive social engineering and on the ordinary administrative tools found in any IT environment, a method known as "living off the land".
A six-month hiatus
On September 15, about six months later, news broke that Uber had suffered a significant cyberattack and, once again, LAPSUS$ claimed responsibility. The attacker posted screenshots of Uber's key internal systems, including finance, security, and IT provisioning resources.
LAPSUS$ achieved this broad access because, after gaining an initial foothold on the network, they found stored credentials for highly privileged accounts.
Three days later, Rockstar Games, the company behind Grand Theft Auto, was breached. LAPSUS$ obtained source code, screenshots, and videos from an internal Slack channel, and posted 90 videos of in-development footage to a Grand Theft Auto fan site, disrupting development of the series' sixth instalment.
The downfall of LAPSUS$
Not long after the attack on Microsoft in March 2022, cybersecurity researchers identified the alleged LAPSUS$ ringleader as a teenager from Oxfordshire, UK. On March 24, almost exactly a month after the NVIDIA leak, City of London Police arrested seven people, aged 16 to 21, in connection with the attacks.
The arrests appear to explain the six-month lull that followed. When the attacks resumed in September against Uber and Rockstar Games, police acted quickly: on September 22, City of London Police arrested the alleged ringleader for a second time.
Cyberattack methods used by LAPSUS$
Social engineering
After choosing a target organization, LAPSUS$ hackers would extensively research their target. They looked at employees and team structures, figured out how help desks and crisis response workflows worked, and analyzed supply chain relationships.
With this context, they could tailor their social engineering tricks to seem more legitimate.
Insider bribery
LAPSUS$ also advertised openly for corporate credentials and for employees willing to help from the inside. In one example, the group publicly announced that it was looking for insiders at several telecom organizations, including AT&T, Verizon, and T-Mobile, offering upwards of $20,000 per week for inside work.
SIM swapping
In some cases, that "inside work" meant SIM swapping.
It is still very common for users to receive MFA codes by text message. A bribed telecom employee can alter the carrier's records so that the victim's phone number is reassigned to a SIM card the attacker controls; from that moment, calls and SMS for that number, including one-time codes, are delivered to the attacker's device rather than the victim's.
The attacker then logs in with credentials already stolen from the victim and receives the SMS code on their own phone. Once the account is taken over, the insider moves the number back, and the victim may notice nothing more than a brief loss of signal.
Compromised credentials
Another tactic was compromising an employee's personal accounts and using them as a stepping stone to that person's corporate account.
For example, with access to an employee's personal email, the attacker contacts the corporate help desk posing as that employee and claims to have forgotten their corporate password.
If the help desk sends the temporary password to the personal address on file, it lands in a mailbox the attacker already controls.
From there, the attacker sets a new password and takes over the corporate account. The weakness is a reset workflow that treats a personal mailbox as proof of identity; help desks should verify identity through a channel the caller cannot have stolen, such as a call back to the employee's manager or an in-person check.
Multi-factor authentication (MFA) fatigue
Another LAPSUS$ tactic was multi-factor authentication (MFA) fatigue, also called push bombing. The attacker already holds the victim's password and repeatedly starts logins, flooding the victim with push notifications that offer a simple approve or deny choice, until the victim approves one just to make them stop.
This is how LAPSUS$ gained initial access to Uber. Using credentials obtained beforehand, the attacker sent an Uber contractor MFA prompts for over an hour, all of which the contractor denied. The attacker then contacted the contractor directly, posing as Uber IT staff.
The attacker explained that the prompts would stop if the contractor approved one, which he did. That single approval completed the login, and the attacker was in.
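As an added example (not Uber's code and not part of the original post), the following Python detection logic runs over a constructed set of push-MFA events and raises one alert when a user denies five or more pushes within an hour, and a second, more urgent one when an approval follows such a burst, which is the Uber pattern. The event format, user names, timestamps and IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed push-MFA events, not real logs: (utc_time, user, result, source_ip).
# "contractor1" denies a burst of pushes and then approves one; "alice" denies a
# single stray push, which is normal and should not alert.
SAMPLE_EVENTS = [
    ("2022-09-15T21:00:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:04:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:08:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:12:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:16:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:20:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:24:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:28:00Z", "contractor1", "denied",   "198.51.100.7"),
    ("2022-09-15T21:10:00Z", "alice",       "approved", "203.0.113.9"),
    ("2022-09-15T21:12:30Z", "alice",       "denied",   "203.0.113.9"),
    ("2022-09-15T21:45:00Z", "contractor1", "approved", "198.51.100.7"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window=timedelta(minutes=60), deny_threshold=5):
    """Flag push bombing from push-MFA events.

    "push_spam": a user has denied deny_threshold or more pushes inside the window
    (fires once per burst). "approval_after_spam": an approval arrives while such a
    burst is still inside the window; treat that session as compromised.
    Returns alerts in time order as dicts: user, kind, denials, at, src_ip.
    """
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        by_user[user].append((parse_ts(ts), result, ip))

    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        recent = deque()          # (time, ip) of denials still inside the window
        spam_alerted = False
        for t, result, ip in evs:
            while recent and t - recent[0][0] > window:   # slide the window forward
                recent.popleft()
            if result == "denied":
                recent.append((t, ip))
                if len(recent) >= deny_threshold and not spam_alerted:
                    alerts.append({"user": user, "kind": "push_spam",
                                   "denials": len(recent), "at": t, "src_ip": ip})
                    spam_alerted = True
            elif result == "approved" and len(recent) >= deny_threshold:
                alerts.append({"user": user, "kind": "approval_after_spam",
                               "denials": len(recent), "at": t, "src_ip": ip})
                recent.clear()      # the burst has been "resolved"; start fresh
                spam_alerted = False
    alerts.sort(key=lambda a: a["at"])
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

The first alert is the moment to call the user and reset the session; the second is the moment to kill the session and start incident response. Tune the threshold against your own push volume, and note that the same logic applies to unanswered (timed-out) pushes, which many identity providers log separately from explicit denials.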
Cybersecurity lessons from the attacks
LAPSUS$ seemed focused on leaking information and taunting its targets. Unlike most cybercrime groups, which seek financial gain, its main goal was notoriety.
LAPSUS$ was agile, creative, and very loud. Had the group been quiet instead, these breaches would likely have gone undetected for much longer; in several cases the victims learned of the intrusion from the group's own posts.
Social engineering is still a risk
LAPSUS$ made it clear that businesses should be concerned about social engineering. The group manipulated people rather than exploiting code.
It remains important that businesses and their employees understand the risks posed by phishing, spear phishing, and business email compromise, and can recognize the red flags of each.
Educate employees on both the technical and the behavioural indicators of a social engineering attempt. Indicators of a malicious email or request include:
- Suspicious links: look-alike or misspelled domain names, and URLs that are unusually long or complex.
- Suspicious attachments: doubled file extensions (work_files.doc.exe) remain a popular trick for disguising an executable.
- Urgent requests: social engineers manufacture urgency so the target acts before checking.
- Requests to change access permissions or passwords: LAPSUS$ turned password-reset workflows to its advantage to gain initial access, so treat unsolicited reset or access requests as a prompt to verify the requester out of band.
Pay attention to your supply chain
It’s common for businesses to outsource portions of their operations, and there are many good reasons for doing so. However, it’s important to recognize when third parties require access to sensitive data, such as customer information, and what security safeguards are required to protect that data.
Additionally, ensure that the organizations you partner with prioritize cybersecurity just as you do. Remember that the principle of least privilege—limiting the amount of access provided to only what’s necessary—applies to all insiders, including those in your supply chain.
Not all MFA is created equal
When used as part of a complete approach to cybersecurity, MFA is widely reported to stop up to 99.9% of automated attacks and around 75% of targeted ones. But a motivated attacker can bypass some MFA methods far more easily than others: SMS codes fall to SIM swapping, and simple approve/deny push prompts fall to MFA fatigue.
Stronger options exist. An authenticator app that generates a code on the device takes the telecom out of the loop, though the code can still be phished or talked out of a user in real time. Push prompts with number matching, where the user must type a number shown on the login screen, defeat blind approval. Strongest of all is a phishing-resistant method such as a FIDO2/WebAuthn security key or platform authenticator, which is bound to the genuine site and cannot be approved by mistake or relayed to an attacker's session.
Visibility is critical
As we always say, you can't defend what you can't see. When attackers use legitimate credentials, bypass MFA, and run real administrative tools, they are difficult to detect; their activity looks like an employee's and may not trigger an alert.
However, an attacker who has just gained initial access knows little about the environment. They still have to work through the familiar steps: reconnaissance, lateral movement, privilege escalation, and exfiltration.
Each step leaves recognizable traces, such as a burst of enumeration commands from a workstation that never ran them before, an ordinary user account reading domain-admin group membership, or a first-time logon to an unfamiliar server. A cybersecurity solution that observes these events and recognizes the pattern rather than the individual command gives a business a far greater chance of preventing or containing the attack.
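Here is an added example, not from the original post and not Microsoft's or Field Effect's code, of what "recognizable commands" can look like in practice: a small Python detector that classifies process-creation records into reconnaissance categories (whoami, net group ... /domain, nltest, net view, ipconfig /all, tasklist and similar) and alerts when one host/user pair runs three or more distinct categories within ten minutes. A help desk running one ipconfig, or an administrator running one directory query, does not trip it; the burst does. The log format, host names, user names and commands are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records, not real telemetry. Tab-separated fields:
# utc_time, host, user, command line. "jdoe" enumerates the domain from a workstation;
# the help desk and a sysadmin each run a single, routine command.
SAMPLE_LOG = """\
2022-03-20T14:02:11Z\tWS-042\tCORP\\jdoe\twhoami /all
2022-03-20T14:02:40Z\tWS-042\tCORP\\jdoe\tnet group "domain admins" /domain
2022-03-20T14:03:05Z\tWS-042\tCORP\\jdoe\tnltest /dclist:corp.local
2022-03-20T14:04:10Z\tWS-042\tCORP\\jdoe\tnet view \\\\FS01
2022-03-20T14:04:30Z\tWS-042\tCORP\\jdoe\tipconfig /all
2022-03-20T14:05:00Z\tWS-042\tCORP\\jdoe\ttasklist /v
2022-03-20T14:10:00Z\tWS-017\tCORP\\helpdesk\tipconfig /all
2022-03-20T14:11:00Z\tWS-017\tCORP\\helpdesk\tnotepad.exe ticket-4821.txt
2022-03-20T15:00:00Z\tDC01\tCORP\\sysadmin\tpowershell.exe Get-ADUser -Filter * -Properties LastLogonDate
"""

# Built-in tools an attacker "living off the land" reaches for, grouped by what they reveal.
RECON_PATTERNS = [(re.compile(p, re.I), cat) for p, cat in [
    (r"^whoami\b",                         "identity"),
    (r"^net\s+(user|group)\b.*\s/domain",  "ad_enum"),
    (r"^nltest\s+/dclist",                 "ad_enum"),
    (r"\bGet-AD(User|Group|Computer)\b",   "ad_enum"),
    (r"^net\s+view\b",                     "share_enum"),
    (r"^ipconfig\s+/all",                  "net_config"),
    (r"^tasklist\b",                       "process_enum"),
    (r"^systeminfo\b",                     "host_enum"),
    (r"^(quser|query\s+(user|session))\b", "session_enum"),
]]


def classify(cmd):
    """Return the reconnaissance category for a command line, or None if it is not one."""
    for rx, cat in RECON_PATTERNS:
        if rx.search(cmd.strip()):
            return cat
    return None


def parse_line(line):
    ts, host, user, cmd = line.rstrip("\n").split("\t", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd


def detect_recon_bursts(log_text, window=timedelta(minutes=10), min_categories=3):
    """Alert when one (host, user) runs min_categories distinct recon categories
    inside the window. Returns one alert per principal with the commands involved."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, host, user, cmd = parse_line(line)
        cat = classify(cmd)
        if cat:
            hits[(host, user)].append((t, cat, cmd))

    alerts = []
    for (host, user), evs in hits.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):        # anchor the window at each hit
            burst = [e for e in evs[i:] if e[0] - t0 <= window]
            cats = sorted({c for _, c, _ in burst})
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user, "categories": cats,
                               "commands": [c for _, _, c in burst],
                               "start": t0, "end": burst[-1][0]})
                break                                # one alert per principal is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(alert)
```

The value is in the correlation, not the individual pattern: any one of these commands is run legitimately every day, but five different kinds of enumeration from one user in three minutes is how an intruder orients themselves, and it is worth an analyst's time whether or not the account turns out to be stolen.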
Whether you’re a managed service provider looking to better protect your clients, or a business owner hoping to strengthen your defence, the right solution is critical. To learn more about what you need in a cybersecurity solution to protect against these types of sophisticated attacks—and why narrow tools like antivirus won't cut it—download our eBook, Choosing the Right Cybersecurity Solution.