Who are the Lapsus$ hackers and what do they want?

A hacking gang has claimed Microsoft and Okta among recent victims - but who are they? Here's what we know so far.
Written by Danny Palmer, Senior Writer

A prolific hacking gang has been making a name for itself with a string of cyberattacks against a range of high-profile targets. In the space of just a few days, a group known as Lapsus$ revealed that it has stolen data from big-name organisations including Microsoft and Okta.  

The aim of the Lapsus$ campaign appears to be soliciting ransom payments, with threats to leak stolen information if its extortion demands aren't met. While this tactic is a familiar one, often used by ransomware gangs as extra leverage to force victims to pay a ransom for a decryption key, in the case of Lapsus$, there's no sign that ransomware is part of the attacks because no data is encrypted. 

But that doesn't mean that the attacks aren't damaging: Microsoft Security notes that there's evidence of a destructive element to the attacks for victims that won't give in to extortion demands. 


Enterprise identity and access management provider Okta is one of the biggest victims of Lapsus$, in an incident in which the company says attackers might have accessed information of around 2.5% of Okta customers – a figure that the company says represents 366 organisations. 

Okta disclosed the breach on March 22, and the company said it "contained" an attempted security breach in January. However, Lapsus$ has since claimed that it was able to access a support engineer's laptop and has posted screenshots claiming access to systems. In a blog post, Okta says the laptop belonged to a support engineer working for a third-party provider and that Okta itself hasn't been compromised. However, the company says it has contacted those affected.

Microsoft has also confirmed that it was compromised by Lapsus$. While the company says the attackers gained limited access, the hackers have posted a torrent file claiming to hold source code from Bing, Bing Maps, and Cortana. 

While claiming Okta and Microsoft as victims has drawn eyes to Lapsus$, the group isn't brand new, having been active since at least December 2021 and claiming a number of victims in recent months.

One of the first victims of the group was the Brazilian Ministry of Health, which saw over 50TB worth of data stolen and deleted from its systems. Among this haul was data relating to the COVID-19 pandemic, including cases, deaths, vaccinations, and more. It took a month before systems were up and running again.

Other victims of Lapsus$ attacks in recent months include a number of technology and gaming companies. In February, Nvidia fell victim to a cybersecurity incident that was attributed to Lapsus$. The group claims to have stolen over 1TB of data from the microchip manufacturer, including employee passwords. 

Another high-profile victim of Lapsus$ is Samsung, which confirmed that data had been breached in an attack, including source code relating to Samsung Galaxy smartphones. Samsung says no personal information was stolen in the attack.

Lapsus$ also claims to have compromised video game developer Ubisoft. The company said it fell victim to a "cybersecurity incident" that forced password refreshes across the organisation. 


Not much is known about Lapsus$ itself, other than that it's a cyber-criminal gang – believed to operate out of South America – that hacks into the networks of large organisations to steal data and extort payments. 

Unlike ransomware gangs, which use dark web websites to publish stolen data, Lapsus$ uses a Telegram channel to share information about its attacks – and information stolen from its victims – directly with anyone who is subscribed to it. 

When it comes to conducting attacks, Lapsus$ appears to operate much like many other cyber-criminal operations, exploiting public-facing remote desktop protocol (RDP) services and deploying phishing emails to gain access to accounts and networks. The group also buys stolen credentials from underground forums and searches public dumps of usernames and passwords for credentials that can be exploited to gain access to accounts.

Lapsus$ also uses its public-facing Telegram channel to post messages, encouraging potential malicious insiders to come forward offering virtual private network (VPN), virtual desktop infrastructure (VDI), or Citrix credentials in exchange for an unspecified payment in an undisclosed currency. 

It's unlikely the attacks will suddenly stop – the group might even be emboldened after claiming several high-profile victims – but there are steps businesses can take to help avoid falling victim to cyberattacks by Lapsus$ or other criminal hacking groups. 

This includes securing remote-working technologies like VPN and RDP with strong, difficult-to-guess passwords and bolstering that defence with multi-factor authentication. In addition, any users who think their account has been compromised should change their password immediately. Businesses should also train staff to identify and report phishing emails. 
