Introduction
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks carried out without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors. [4][6][7]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
- Uber (September 2022; Lapsus$ (suspected))
- Okta (April 2022; Lapsus$)
- Microsoft (March 2022; Lapsus$)
Tactics, Techniques, and Procedures (TTPs)
- T1589 Gather Victim Identity Information
- T1005 Data from Local System
- T1069.002 Domain Groups
- T1213.001 Confluence
- T1588.002 Tool
- T1485 Data Destruction
- T1213.003 Code Repositories
- T1213.002 Sharepoint
- T1583.003 Virtual Private Server
- T1591.004 Identify Roles
- T1090 Proxy
- T1087.002 Domain Account
- T1133 External Remote Services
- T1078 Valid Accounts
- T1588.001 Malware
- T1598.004 Spearphishing Voice
- T1204 User Execution
- T1552.008 Chat Messages
- T1489 Service Stop
- T1593.003 Code Repositories
- T1136.003 Cloud Account
- T1114.003 Email Forwarding Rule
- T1591.002 Business Relationships
- T1578.003 Delete Cloud Instance
- T1555.003 Credentials from Web Browsers
- T1531 Account Access Removal
- T1589.001 Credentials
- T1068 Exploitation for Privilege Escalation
- T1621 Multi-Factor Authentication Request Generation
- T1098.003 Additional Cloud Roles
- T1003.006 DCSync
- T1586.002 Email Accounts
- T1213.005 Messaging Applications
- T1589.002 Email Addresses
- T1584.002 DNS Server
- T1684.001 Impersonation
- T1003.003 NTDS
- T1555.005 Password Managers
- T1199 Trusted Relationship
- T1597.002 Purchase Technical Data
- T1578.002 Create Cloud Instance
- T1078.004 Cloud Accounts
- T1111 Multi-Factor Authentication Interception
- T1451 SIM Card Swap
ATT&CK technique IDs (denormalized)
- T1003.003
- T1003.006
- T1005
- T1068
- T1069.002
- T1078
- T1078.004
- T1087.002
- T1090
- T1098.003
- T1111
- T1114.003
- T1133
- T1136.003
- T1199
- T1204
- T1213.001
- T1213.002
- T1213.003
- T1213.005
- T1451
- T1485
- T1489
- T1531
- T1552.008
- T1555.003
- T1555.005
- T1578.002
- T1578.003
- T1583.003
- T1584.002
- T1586.002
- T1588.001
- T1588.002
- T1589
- T1589.001
- T1589.002
- T1591.002
- T1591.004
- T1593.003
- T1597.002
- T1598.004
- T1621
- T1684.001
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- CyberGate
- Cyber Eye RAT
MITRE ATT&CK Software
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Mimikatz |
| Discovery | ADExplorer |
| LOLBAS | NTDS Utility (ntdsutil) |
| RMM Tools | AnyDesk |
Attribution and Evidence
Information pending cataloguing.
References
[1] mitre-attack
[4] BBC LAPSUS Apr 2022: BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.
[5] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[6] MSTIC DEV-0537 Mar 2022: MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
[7] UNIT 42 LAPSUS Mar 2022: UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.