Lapsus$

Description

(Flashpoint) LAPSUS$isanextortionistthreatgroupthatbecameactiveonDecember10,2921.Unlikethemajorityofextortionistgroupsthattypicallyrelyonacombinationofransomwareanddataleaks,LAPSUS$ is focused on monetizing their operations exclusively through data leaks advertised on Telegram without the use of ransomware.

Initially, the group focused on data breaches against Latin American and Portuguese targets but in late February 2022, LAPSUS$beganwideningthescopeofitstargetingbyannouncingithadsuccessfullybreachedUS-basedgraphicsandcomputingchipmanufacturerNvidia.Sincethen,LAPSUS$ has continued to focus on large-scale international technology companies, including Microsoft, Okta, and Samsung, as the financial incentive for stealing source code and extorting companies for sensitive proprietary technical data is high.

Names

Name	Name-Giver
Lapsus$	self given
DEV-0537	Microsoft
Strawberry Tempest	Microsoft
Slippy Spider	CrowdStrike

Country

• Brazil

Motivation

• Financial gain

First Seen

2021

Observed Countries

• Argentina
• Brazil
• Portugal
• USA

Operations

• 2021-12: Brazil health ministry website hit by hackers, vaccination data targeted https://www.reuters.com/technology/brazils-health-ministry-website-hit-by-hacker-attack-systems-down-2021-12-10/
• 2021-12: The Lapsus$ ransomware gang has hacked and is currently extorting Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country’s largest TV channel and weekly newspaper, respectively. https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/
• 2022-01: Lapsus$ Attacks Localiza, Redirects Users to Porn Site https://www.databreachtoday.com/lapsus-attacks-localiza-redirects-users-to-porn-site-a-18286
• 2022-01: Okta confirms 2.5% customers impacted by hack in January https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/ https://thehackernews.com/2022/03/new-report-on-okta-hack-reveals-entire.html
• 2022-02: In the wake of the attack last month on the Impresa group, the latest victims – Correio da Manhã (the country’s most widely-read tabloid), Sábado, Jornal de Negócios and CMTV – belong to the Cofina media group. https://www.portugalresident.com/hackers-bring-down-new-media-sites-pj-cybercrime-unit-investigating/
• 2022-02: Cyberattack brings down Vodafone Portugal mobile, voice, and TV services https://therecord.media/cyberattack-brings-down-vodafone-portugal-mobile-voice-and-tv-services/ https://www.securityweek.com/vodafone-investigating-source-code-theft-claims
• 2022-02: GPU giant NVIDIA is investigating a potential cyberattack https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/ https://www.databreaches.net/lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1/
• 2022-03: Hackers leak 190GB of alleged Samsung data, source code https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/
• 2022-03: E-commerce giant Mercado Libre confirms source code data breach https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/
• 2022-03: Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders https://securityaffairs.co/wordpress/128912/cyber-crime/lapsus-ransomware-is-hiring.html
• 2022-03: Ubisoft confirms ‘cyber security incident’, resets staff passwords https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/
• 2022-03: Lapsus$ hackers leak 37GB of Microsoft’s alleged source code https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/
• 2022-03: Globant confirms hack after Lapsus$ leaks 70GB of stolen data https://www.bleepingcomputer.com/news/security/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data/
• 2022-03: Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/
• 2022-09: Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation https://therecord.media/uber-attributes-hack-to-lapsus-working-with-fbi-and-doj-on-investigation/
• 2022-09: 2K Games says hacked help desk targeted players with malware https://www.bleepingcomputer.com/news/security/2k-games-says-hacked-help-desk-targeted-players-with-malware/
• 2022-09: Rockstar confirms cyberattack, leak of confidential data including GTA 6 footage https://therecord.media/rockstar-confirms-cyberattack-leak-of-confidential-data-including-gta-6-footage/

Counter Operations

• 2022-03: Lapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks https://www.bleepingcomputer.com/news/security/lapsus-suspects-arrested-for-microsoft-nvidia-okta-hacks/
• 2022-04: Two teenagers charged in connection with investigation into hacking group https://www.cityoflondon.police.uk/news/city-of-london/news/2022/march/two-teenagers-charged-in-connection-with-investigation-into-hacking-group/
• 2022-08: Brazilian police launch investigation targeting Lapsus$ group https://therecord.media/brazilian-police-launch-investigation-targeting-lapsus-group/
• 2022-09: UK Police arrests teen believed to be behind Uber, Rockstar hacks https://www.bleepingcomputer.com/news/security/uk-police-arrests-teen-believed-to-be-behind-uber-rockstar-hacks/
• 2022-10: Brazil arrests suspect believed to be a Lapsus$ gang member https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-believed-to-be-a-lapsus-gang-member/
• 2023-07: British prosecutors say teen Lapsus$ member was behind hacks on Uber, Rockstar https://therecord.media/british-prosecutors-accuse-teen-lapsus-member-of-uber-revolut-rockstar-hacks
• 2023-08: Lapsus$ teen hackers convicted of high-profile cyberattacks https://www.bleepingcomputer.com/news/security/lapsus-teen-hackers-convicted-of-high-profile-cyberattacks/
• 2023-12: Lapsus$ hacker behind GTA 6 leak gets indefinite hospital sentence https://www.bleepingcomputer.com/news/security/lapsus-hacker-behind-gta-6-leak-gets-indefinite-hospital-sentence/

Information

• https://www.flashpoint-intel.com/blog/lapsus/
• https://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor
• https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/
• https://unit42.paloaltonetworks.com/lapsus-group/
• https://www.cybereason.com/blog/lapsus-activity-betrays-nation-state-motivation
• https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/
• https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html
• https://www.tenable.com/blog/brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group
• https://www.bleepingcomputer.com/news/security/dhs-cyber-safety-board-to-review-lapsus-gang-s-hacking-tactics/
• https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

Mitre Attack

• https://attack.mitre.org/groups/G1004/

Other Information

Uuid

ffca877d-5411-419c-ba3b-31924cc4e4af

Last Card Change

2025-06-28