{"id":11648,"date":"2022-03-24T10:47:54","date_gmt":"2022-03-24T10:47:54","guid":{"rendered":"http:\/\/egrowonline.com\/?p=11648"},"modified":"2022-03-24T10:47:54","modified_gmt":"2022-03-24T10:47:54","slug":"microsoft-says-digital-extortion-gang-lapsus-targets-cryptocurrency-too","status":"publish","type":"post","link":"http:\/\/egrowonline.com\/?p=11648","title":{"rendered":"Microsoft says digital extortion gang Lapsus$ targets cryptocurrency, too"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div id=\"article-body\">\n<p class=\"inq-p\">A digital extortion gang with a murky background and unconventional methods \u2014 one researcher called them \u201claughably bad\u201d at times \u2014 has claimed responsibility for a string of compromises against some of the world\u2019s largest technology companies.<\/p>\n<p class=\"inq-p\">The group, known as Lapsus$, said in a series of public posts on the messaging app Telegram this week that it had accessed Okta Inc., the San Francisco-based identity-management firm that provides authentication tools for an array of business clients. Okta said Tuesday that attackers may have viewed data from about 2.5% of its customers after breaching the laptop of an engineer at a third-party vendor.<\/p>\n<p class=\"inq-p\">Lapsus$ previously claimed to breach organizations including Nvidia Corp., Samsung Electronics Co., and the gaming company Ubisoft Entertainment. The group said it also accessed data from Microsoft Corp., saying it had gathered source code from the company\u2019s Bing search engine, Bing Maps, and the Cortana digital assistant. Microsoft said attackers gained \u201climited access\u201d to its systems, and that attackers had compromised a single account to gather data.<\/p>\n<p class=\"inq-p\">In recent years, most hacking groups have used malware to encrypt a victim&#8217;s files, then demanded payment to unlock them, so-called ransomware. 
Sometimes the groups steal sensitive data and threaten to make it public unless they are paid.<\/p>\n<p class=\"inq-p\">Lapsus$ functions as a &#8220;large-scale social engineering and extortion campaign,&#8221; though it does not deploy ransomware, Microsoft said. The group uses phone-based tactics to target personal email accounts at victim organizations and pays individual employees or business partners of an organization for illicit access, according to Microsoft.<\/p>\n<p class=\"inq-p\">Lapsus$ also is known for hijacking individual accounts at cryptocurrency exchanges to drain user holdings.<\/p>\n<p class=\"inq-p\">In a March 10 post on its Telegram channel, the group urged followers to provide access to a virtual private network inside their employers\u2019 systems, or share details on how to access remote work tools. In addition, they sought access to telecommunication companies, software and gaming corporations, and Latin American phone service providers.<\/p>\n<p class=\"inq-p\">Joshua Shilko, a senior principal analyst at the cybersecurity firm Mandiant Inc., said Lapsus$ may have been active as early as mid-2021 when group members were posting in underground forums. &#8220;They&#8217;re into the notoriety. They&#8217;re interested in being in the spotlight,&#8221; he said, adding that the evidence shows they are financially motivated.<\/p>\n<p class=\"inq-p\">In a Twitter post responding to the Lapsus$ allegation, Okta chief executive officer Todd McKinnon said the matter dated back to a January security incident.<\/p>\n<p class=\"inq-p\">Okta chief security officer David Bradbury on Tuesday revealed a five-day window in January when an attacker gained access to a laptop for a support engineer who worked for a third-party vendor. Bradbury also said the company had detected an unsuccessful hacking attempt in January. 
Okta shares fell 10.4% Wednesday, closing at $148.55 on Nasdaq.<\/p>\n<p class=\"inq-p\">The group\u2019s Telegram channel posted a series of screenshots that it claimed were evidence of the hack and said that Okta wasn\u2019t the ultimate target. \u201cBEFORE PEOPLE START ASKING: WE DID NOT ACCESS\/STEAL ANY DATABASES FROM OKTA \u2014 our focus was ONLY on okta customers.\u201d<\/p>\n<p class=\"inq-p\">Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, called the group&#8217;s tactics &#8220;quite bizarre.&#8221; Their actions, he said, &#8220;suggest that they may be kids who&#8217;re in it for the lulz as much as they are the bucks.&#8221; (&#8220;Lulz&#8221; is a variation of LOL, for laugh out loud).<\/p>\n<p class=\"inq-p\">Initial activity from the group suggested that at least some of its members were in Brazil, as that was the home nation of many of the companies first targeted, said Allan Liska, intelligence analyst at the threat-intelligence firm Recorded Future. Membership in hacking collectives is fluid, Liska said. Recorded Future hasn&#8217;t observed any activity from apparent Lapsus$ members on popular Russian-speaking forums, he said.<\/p>\n<p class=\"inq-p\">\u201cThey seem laughably bad at times, but then here they are publishing Microsoft source code,\u201d he said. \u201cThis may be that same mix of really talented members and some idiots. Even idiots stumble into success once in a while.\u201d<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/www.inquirer.com\/business\/hackers-tech-okta-microsoft-lapsus-20220324.html\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A digital extortion gang with a murky background and unconventional methods \u2014 one researcher called them \u201claughably bad\u201d at times \u2014 has claimed responsibility for a string of compromises against some of the world\u2019s largest technology companies. 
The group, known as Lapsus$, said in a series of public posts on the messaging app Telegram this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":11649,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[36],"tags":[52,271,6548,6205,6549,331,1142],"class_list":["post-11648","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency","tag-cryptocurrency","tag-digital","tag-extortion","tag-gang","tag-lapsus","tag-microsoft","tag-targets"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"http:\/\/egrowonline.com\/wp-content\/uploads\/2022\/03\/TZKUF4JMGBFFXA7AEUQIGE5HZU.jpg","_links":{"self":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/11648","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11648"}],"version-history":[{"count":1,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/11648\/revisions"}],"predecessor-version":[{"id":11650,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/11648\/revisions\/11650"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/media\/11649"}],"wp:attachment":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11648"}
],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11648"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11648"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}