The Lapsus$ hacker group has targeted Microsoft and Okta in recent breaches confirmed by both technology organizations.
On 22 March 2022 Okta, an identity and access management company, confirmed that back in January it had “detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider”.
The statement came as Lapsus$, a South American hacking group, posted a message on 22 March, 2022, at 03:30 UTC on their official Telegram group claiming they had breached the company. According to the group the attack targeted Okta’s customers.
Okta confirming the detials
On 23 March Okta disclosed that the company’s security team had been alearted that a new factor was added to a Sitel customer support engineer’s Okta account.
Sitel is an Okta sub-processor that provides Okta with contract workers for our Customer Support organization.
The alert occured on 20 January and the completed investigation report from Sitel was delivered on 22 March.
“I am greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications,” said David Bradbury, CSO at Okta, in a statement.
Okta also confirmed that the maximum potential impact is 366 (approximately 2.5 per cent of) customers whose Okta tenant was accessed by Sitel.
The orgnaization’s security processes did minimise the scope of the incident and Okta said “the limited access granted to the support engineer who was compromised means that the information and actions were constrained”.
Okta said the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised and they were able to obtain screenshots and control the machine through the remote desktop protocol (RDP) session.
Also on 22 March, Microsoft confirmed that it had been compromised by Lapsus$ which it tracks as DEV-0537.
Earlier that week, Lapsus$ made public claims that it had gained access to Microsoft and exfiltrated portions of source code.
A single account had been compromised, granting limited access Microsoft confirmed. The company said it was already investigating the account based on threat intelligence when the hacking group publicly disclosed the intrusion.
“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” the Microsoft statement said.
The technology giant added, “no customer code or data was involved in the observed activities”.
Who are Lapsus$
The Lapsus$ hacking group is based in Brazil, South America and, according to Microsoft is known for using a pure extortion and destruction model without deploying ransomware payloads.
Tracked as DEV-0537 by Microsoft, the group started targeting organizations in the UK and South America but expanded to global targets, including organizations in government, technology, telecom, media, retail and healthcare sectors.
A blog by Check Point, a cyber security provider, noted that Lapsus$ commenced its activity in December 2021 and since early 2022 has been involved in the data breaches of several major technology companies across the world, such as NVIDIA, Samsung and Ubisoft.
It was also noted that, according to Check Point, the group’s modus operandi so far “has been very different from that of a ‘regular ransomware group’, as they do not encrypt the systems of their victims”.
Microsoft said that Lapsus$ uses a variety of methods for initial access that are typically focused on compromising user identities. Using the compromised credentials and/or session tokens, they then access internet-facing systems and applications.
In its analysis Microsoft provides a full overview of the tactics, techniques and procedures (TTP) the group has used across multiple attacks and compromises.