‘Teen’ extortion-only group, LAPSUS$, exposes cyber gaps in the most mature organisations

The LAPSUS$ group, widely reported to consist of teenagers, exploded onto the cyber scene late last year and has become one of the most talked about and notorious online extortion groups after successfully breaching major companies like Microsoft, Samsung, Ubisoft and Okta.

A deep dive into the operations of the LAPSUS$ group by Claire Tills, Senior Research Engineer at Tenable reveals that the group’s tactics, while brazen, illogical and unsophisticated, were still successful in disrupting major international technology companies. This is a sobering reminder that no organisation is truly safe from cyberattacks, as large to small organisations are fair game.

Unlike ransomware operators, the LAPSUS$ group represents a growing breed of extortion-only cybercriminals, focusing exclusively on data theft and extortion by gaining access to victims through tried-and-true methods like phishing, and stealing the most sensitive data it can find without deploying data-encrypting malware. The group jumped into the limelight when it launched an attack against Nvidia in late February. With this breach, LAPSUS$ made its debut onto the global stage and started a brief tear through major technology companies.

Unlike other threat groups, LAPSUS$ solely operates through a private Telegram group and doesn’t manage a dark web leak site. It’s through Telegram that the group announces victims, often soliciting input from the broader community on which organisation’s data to release next. Compared with the polished, standardised sites of ransomware groups (like AvosLocker, LockBit 2.0, Conti etc.), these practices come off as disorganised and immature.

With a string of high-profile targets lying in its wake, the LAPSUS$ group gained notoriety for its unconventional tactics and erratic methods. Early attacks featured distributed denial of service (DDoS) and website vandalism. But, as early as January 21, the LAPSUS$ group was already engaged in the multi-stage breach that eventually led to the incident at Okta. Throughout that maturation process, the LAPSUS$ group heavily leaned on classic tactics like purchasing credential dumps, social engineering help desks and spamming multifactor authentication (MFA) prompts to achieve initial access to target organisations.

“Just like ransomware, extortion attacks aren’t going anywhere until they are made too complicated or costly to conduct”, said Claire Tills, Senior Research Engineer, Tenable. “Organisations should evaluate what defenses they have in place against the tactics used, how they can be hardened and whether their response playbooks effectively account for these incidents. While it may feel easy to downplay the threat groups like LAPSUS$, their disruption of major international technology companies reminds us that even unsophisticated tactics can have a serious impact”.