[Report] Footsteps of the LAPSUS$ hacking group
Date: 2022. 03. 23
Executive Summary
- The LAPSUS$ hacking group is estimated to have been active since at least May 15, 2021, starting on a deep web forum.
- They are not a RaaS ransomware operator of the kind that has recently become an issue; they have been identified as an attack group specializing in data theft.
- In the past, posts about affected companies were uploaded to deep/dark web forums such as RaidForums and Exploit.in in an attempt to intimidate them, but since December 10, 2021, the group has run its own Telegram channel for promotion and activity.
- Starting with their first data leak, from Brazil's Ministry of Health, they have recently attracted worldwide attention by uploading data on LG, Microsoft and Okta to Telegram, as well as key data from NVIDIA and Samsung.
- When they approach large corporations, VPN and MFA are their main focus. They attempt various strategies to get past them, such as mobile-based social engineering attacks, SIM swapping, contacting the helpdesk, accessing employee mail accounts, and purchasing credentials from internal staff or stakeholders.
- Estimated to consist of at least five members, the group's main purpose is money; occasionally hacking unrelated companies for their own amusement has also been observed.
- Although the exact details have not been released yet, it is estimated that some members are talented and some are not, considering that NVIDIA mistakenly attacked them in retaliation.
- Although they have only been active for about 4 months, they are likely to become more active because they are currently receiving a great deal of attention. Organizations need to prepare for this and continue tracking the attack group.
