The Lapsus$ Group: Who They Are and How to Protect Your Business

Staying one step ahead of cybercriminals takes extensive effort, especially when the targets seem to be constantly moving. There are new and persistent threats coming onto the scene all the time, some more alarming and chaotic than others. Recent hacks by a newer group called Lapsus$ are making waves in the infosec and business communities. Unlike some hacker gangs, the members of Lapsus$ “do not spread ransomware, instead threatening to leak stolen information in apparent extortion attempts.” The result: chaos and confusion for companies scrambling to meet their demands.

Here, we take a look at who Lapsus$ is, why you should care, and how to protect your own business from similar attacks.

The Lapsus$ Group: Who They Are & Why You Should Care

If this is the first you’ve heard about the digital extortion group Lapsus$, let us catch you up. Since December 2021, the group, led by a 16-year-old from Oxford, has been wreaking havoc for some of the biggest brands on the planet, including Microsoft, Nvidia, and Samsung. Lapsus$ hacked Nvidia in mid-February, claiming to have stolen about one terabyte of data, including the credentials of over 71,000 Nvidia employees.

Another hack occurred in mid-January 2022 against identity and access management giant Okta. Lapsus$’s breach of Okta was particularly distressing, considering the company “holds the keys to the kingdom for thousands of major organizations” worldwide. More than 15,000 companies like FedEx, Peloton, JetBlue, GrubHub, and Fidelity rely on Okta to manage their applications and networks.

The Okta breach originated with a customer support engineer working for a third-party contractor, the subprocessor Sykes Enterprises, owned by the business services outsourcing company Sitel Group. 

As reported by Wired, “the Lapsus$ group was able to use extremely well known and widely available hacking tools, like the password-grabbing tool Mimikatz, to rampage through Sitel's systems. At the outset, the attackers were also able to gain enough system privileges to disable security scanning tools that might have flagged the intrusion sooner.”

The January 16 data breach lasted for five days. Thankfully, in the end, it only impacted two customers — but it certainly could have been much worse. 

It’s also worth noting that the response of Okta and Sitel/Sykes to being informed of the hack was less than ideal. According to Wired, Okta received Sitel’s initial breach notification on January 25, and after an in-depth investigation by cybersecurity firm Mandiant, Sitel followed up with a detailed “intrusion timeline” on March 17. (You can see a timeline of events as shared by Okta here on their blog.) As reported by Wired, it appears that neither Okta nor Sitel took any significant action regarding the breach. Okta even went so far as to announce in a statement on their blog that “the Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers.” 

That is, until they were “caught flat-footed” on March 22 when Lapsus$ went public with the hack, publishing screenshots of the Okta breach on the group’s Telegram channel. Although Okta reported that the threat actor "was unable to successfully perform any configuration changes, MFA or password resets, or customer support 'impersonation' events" and "unable to authenticate directly to any Okta accounts," investors weren’t happy with the news. Okta’s shares plummeted by 21% within the week.

According to a recent article in Forbes, “the Okta and Sykes breaches should act as a clarion call to businesses to make sure they’re checking who has access to what on their network.”

How to Protect Your Business

So how did Lapsus$ hack Okta, and how can you prevent the same from happening to your business?

First, here’s how it happened, according to Okta CSO David Bradbury:

“Our investigation determined that the screenshots, which were not contained in the Sitel summary report, were taken from a Sitel support engineer’s computer upon which an attacker had obtained remote access using RDP [Microsoft’s Remote Desktop Protocol]. This device was owned and managed by Sitel. The scenario here is analogous to walking away from your computer at a coffee shop, whereby a stranger has (virtually in this case) sat down at your machine and is using the mouse and keyboard. So while the attacker never gained access to the Okta service via account takeover, a machine that was logged into Okta was compromised, and they were able to obtain screenshots and control the machine through the RDP session.”

DNSstuff.com asserts that “although both VPN and RDP are encrypted through internet connection, a VPN connection is less accessible to threats than a remote desktop connection. For this reason, VPN is often considered more secure than RDP.” Either way, you certainly don’t want to be operating RDP without some kind of security solution protecting your network.

There are several key takeaways here: 

  1. Third-party risk management is essential. There are inherent risks in working with contracted third parties. If there are ever concerns over security and the possible compromise of your systems or networks, you can and should push to have them investigated thoroughly and quickly so that your business can act immediately to repair the damage.
  2. Remote desktop access (RDP) is a common attack vector, as the incident affecting Sitel and Okta shows. The best way to protect yourself, especially if your company relies on RDP, is to consider a solution like CloudConnexa. It secures data through encryption and guarantees that no unauthorized parties can intercept your company’s data while in transit.
  3. It is critical to educate your network users on hackers’ tactics and ramp up your prevention protocols. This recent piece from The Verge makes that clear: according to Mark Ostrowski, head of engineering at Check Point Software, “This group’s ‘all in’ approach to target its victims with ransomware, SIM swapping, exploits, dark web reconnaissance, and reliable phishing tactics shows the focus and open toolbox used to accomplish its goals. Companies and organizations across the globe should focus on education of these tactics to their users, deploy prevention strategies in all aspects of their cyber security programs, and inventory all points of access looking for potential weaknesses.”
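The Okta incident above came down to an attacker holding an RDP session on a support engineer’s machine, so one concrete prevention step is to monitor where RDP logons come from and where they land. The following is an added example, not code from the original post or from Okta, Sitel or OpenVPN: it scans Windows Security events (event ID 4624 with LogonType 10, which Windows records for RemoteInteractive, i.e. RDP, logons) exported as JSON lines and flags sessions whose source address is outside an allowlisted VPN pool or whose target host is not an approved jump host. The sample events, host names, accounts and address ranges are constructed for the example.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample: Windows Security events exported as JSON lines.
# "Computer" is the host that recorded the event (the RDP target);
# accounts, host names and addresses are hypothetical.
SAMPLE_EVENTS = [
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "j.doe", "Computer": "JUMP01", "IpAddress": "10.20.4.7"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "support.eng", "Computer": "SUPPORT-WS17", "IpAddress": "203.0.113.45"}',
    '{"EventID": 4624, "LogonType": 2, "TargetUserName": "support.eng", "Computer": "SUPPORT-WS17", "IpAddress": "127.0.0.1"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "admin", "Computer": "JUMP01", "IpAddress": "198.51.100.9"}',
    '{"EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "Computer": "JUMP01", "IpAddress": "198.51.100.9"}',
    '{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc.backup", "Computer": "JUMP01", "IpAddress": "-"}',
]

# Assumed policy (hypothetical values): RDP is only expected from the VPN
# address pool and only onto designated jump hosts.
ALLOWED_RDP_SOURCES = [ip_network("10.20.0.0/16")]
RDP_APPROVED_HOSTS = {"JUMP01"}


def parse_events(lines):
    """Parse JSON-lines event export into dictionaries."""
    return [json.loads(line) for line in lines]


def is_rdp_logon(event):
    # 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
    # Failed attempts (4625) are left to a separate brute-force rule.
    return event.get("EventID") == 4624 and event.get("LogonType") == 10


def suspicious_rdp_logons(events, allowed_sources=ALLOWED_RDP_SOURCES,
                          approved_hosts=RDP_APPROVED_HOSTS):
    """Return successful RDP logons that violate the source/host policy,
    each with the list of reasons it was flagged."""
    findings = []
    for ev in events:
        if not is_rdp_logon(ev):
            continue
        reasons = []
        raw_ip = ev.get("IpAddress", "-")
        try:
            src = ip_address(raw_ip)
        except ValueError:
            # Windows logs "-" when no source address is available; an RDP
            # logon with no recorded source deserves a look rather than a pass.
            src = None
            reasons.append("no usable source address")
        if src is not None and not any(src in net for net in allowed_sources):
            reasons.append("source outside RDP allowlist")
        if ev.get("Computer") not in approved_hosts:
            reasons.append("host not approved for RDP")
        if reasons:
            findings.append({
                "account": ev.get("TargetUserName"),
                "host": ev.get("Computer"),
                "source": raw_ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_rdp_logons(parse_events(SAMPLE_EVENTS)):
        print(f"{f['account']}@{f['host']} from {f['source']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the logon from the VPN pool onto the jump host passes, while the session onto the support workstation from an external address, the jump-host session from an unlisted address, and the session with no recorded source are each reported with the reason. Wiring the same rule into a SIEM gives the kind of early signal that, per the Wired account, the disabled scanning tools never produced.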

To Recap

Sophisticated hacker gangs like Lapsus$ will always be a risk for businesses large and small. Preventive risk management is key, as is prompt action in the case of a breach. 

Business users need to take a multi-pronged approach to ensure optimum network security. CloudConnexa provides an added layer of security over your network access, helping to prevent hackers and other bad actors from making your business their next victim of data theft, extortion, and leaks.

Get Started Today

Ready to get started with CloudConnexa? Sign up today with three connections, absolutely free.
