This Threat Intelligence Report on LAPSUS$ was created in tandem between ChatGPT4 (Incebreaker Intel Analyst Agent) and Scot Terban
The LAPSUS$ threat actor group, which first emerged in late 2021, is known for its high-profile breaches and data extortion activities against several notable organizations. Here is an expanded dossier on LAPSUS$ covering the group’s activities, timeline, and recent legal developments:
Initial Emergence and High-Profile Breaches:
Late 2021: LAPSUS$ first came into the limelight with their attack on Electronic Arts, claiming to have obtained 780 GB of data, including FIFA 2021 source code.
March 2022: The group escalated its operations, publicly targeting and compromising major companies like NVIDIA, Microsoft, and Okta. Their attacks were not limited to the tech industry; they also breached LG Electronics, Samsung, Huawei, and Alcatel.
The recruitment and expansion strategies of LAPSUS$ played a critical role in their rapid rise and the effectiveness of their cyber operations. By November 2021, their methods had evolved to actively include the recruitment of insiders from major companies, leveraging social media platforms as their primary channels for outreach. Here’s an expanded view of this aspect:
Recruitment Strategy:
Social Media Utilization: LAPSUS$ used multiple social media platforms to connect with potential recruits. This approach allowed them to cast a wide net and target individuals in various organizations.
Financial Incentives: They offered substantial financial rewards, reportedly up to $20,000 per week, to entice employees into collaborating with them. These offers were aimed at employees of major corporations, indicating a clear strategy to infiltrate high-value targets.
Target Companies:
Telecommunications Sector: Among the specific targets were employees at leading telecommunications companies such as AT&T, T-Mobile, and Verizon. The choice of these companies demonstrates LAPSUS$’s interest in accessing networks with extensive reach and valuable data.
Recruitment Ads:
Language and Reach: The recruitment advertisements were often written in both English and Portuguese, suggesting a focus on a broad, international pool of potential collaborators. This bilingual approach indicates an understanding of the global nature of the cybersecurity landscape.
Online Forums and Channels: LAPSUS$ used online forums and channels like Telegram to post these recruitment messages. These platforms provided anonymity and a direct line to potential recruits in the cybercriminal community.
Expansion Implications:
Challenges and Risks:
As of the latest information, there has been a notable decline in LAPSUS$’s activities following the legal actions and arrests. However, the impact of their operations on cybersecurity practices and the ongoing circulation of the tactics they popularized remain significant.
Law Enforcement Interaction and Downturn:
The City of London Police arrested seven teenagers in March 2022 in relation to LAPSUS$. Following these arrests, the group’s overt and public activities decreased. However, there was a brief resurgence in September 2022 when Uber reported a cybersecurity incident attributed to LAPSUS$. In October 2022, Brazilian police arrested an individual suspected of being associated with LAPSUS$. Since then, there has been a notable decline in the group’s activities.
Oklaqq/WhiteDoxbin: Identified as a core member and possibly the leader of LAPSUS$. This individual used multiple nicknames across various platforms, including Telegram channels. He has been associated with the nicknames “Oklaqq” and “WhiteDoxbin” and is known for posting recruitment messages on Reddit.
Oklaqq, also known as WhiteDoxbin, has been active in recruiting insiders for the group via social media platforms since at least November 2021. He offered employees at major mobile providers up to $20,000 a week for performing “inside jobs.” Prior to LAPSUS$, WhiteDoxbin was a founding member of the cybercriminal group “Recursion Team,” known for SIM swapping and participating in “swatting” attacks. WhiteDoxbin was also involved in buying and selling zero-day vulnerabilities and held a significant amount of cryptocurrency (around 300 BTC, close to $14 million).
Arion Kurtaj, identified as a key member of the LAPSUS$ cybercrime group, has been involved in several high-profile cyber attacks. A resident of Oxford, England, and now 18 years old, Kurtaj played a pivotal role in the operations of the LAPSUS$ group. His involvement included hacking into major tech corporations such as Uber, Nvidia, and Rockstar Games. One of his most notable actions was the leak of footage from the yet-to-be-released Grand Theft Auto 6 game.
Kurtaj’s life took a challenging turn during his early teenage years when he left formal schooling following a physical attack on his mother, leading to a brief stay in social care. His time in social care was cut short due to an assault by a staff member, after which his mother resumed his care. However, monitoring his computer usage proved challenging for his mother. According to Claudia Camden-Smith, the doctor overseeing his adult care, hacking provided Kurtaj with a sense of “street cred,” and he sought to be perceived as “trendy and risky” like his peers, despite his vulnerabilities not being entirely represented by his diagnoses.
Kurtaj was handed an indefinite hospital order due to his involvement with LAPSUS$ and his actions while in detention, which included violence and property damage. Medical professionals deemed him unfit to stand trial because of his severe autism, leading the jury to focus solely on whether he committed the alleged crimes, not his criminal intent. A mental health evaluation revealed his high motivation to resume cybercrime activities as soon as possible.
During the same trial, another 17-year-old LAPSUS$ member was found guilty of collaborating with Kurtaj and others to breach tech giants such as Nvidia and telcos like BT/EE, before attempting to extort them for a $4 million ransom. This unnamed minor was sentenced to an 18-month Youth Rehabilitation Order with a ban on using VPNs online.
In 2022, Kurtaj was arrested twice in connection with LAPSUS$ hacking activity. Despite having his laptop confiscated, he circumvented his bail conditions by using an Amazon Fire Stick to connect to cloud computing services, which enabled him to conduct the GTA 6 leak.
LAPSUS$ is responsible for several high-profile cyberattacks, including those on Okta, Uber, fintech giant Revolut, and Microsoft’s internal Azure server. The group is known for stealing and holding onto victims’ proprietary data, threatening to publish it if their extortion demands are not met. They have claimed responsibility for breaches at companies like LG Electronics, Samsung, and Mercado Libre.
Another core member of the LAPSUS$ group is a teenager based in Brazil. Details about this individual emerged following the arrest by the Brazilian Federal Police in Feira de Santana, Bahia. This arrest, part of Operation Dark Cloud launched in August 2022, was a result of investigations that started in December 2021 following a breach of Brazil’s Ministry of Health. The attackers, believed to be associated with LAPSUS$, deleted files and defaced the Ministry’s website, claiming they had stolen data from the ministry’s network. This breach led to the temporary unavailability of COVID-19 vaccination information for millions of citizens.
The Brazilian Federal Police’s investigations targeted multiple cyberattacks on Brazilian government agencies. Besides the Ministry of Health, the group also targeted the Ministry of Economy, the Comptroller General of the Union, and the Federal Highway Police. The crimes identified in the investigation included criminal organization, invasion of a computer device, interruption or disturbance of telecommunication services, corruption of minors, and money laundering.
On March 24, 2022, the City of London Police arrested seven teenagers aged between 16 and 21 for their alleged connections to the LAPSUS$ extortion gang. This group was linked to a series of attacks targeting companies such as NVIDIA, Samsung, Ubisoft, LG, Microsoft, and Okta. The investigation, which involved multiple partners, led to these arrests, with all individuals being released under investigation while inquiries continued.
Among those arrested was a teenager from Oxford, known under the alias “White” or “Breachbase.” He was suspected of being the mastermind behind LAPSUS$, responsible for accumulating about $14 million in Bitcoin from hacking activities. The police did not confirm whether this individual was among those arrested. However, his identity was disclosed after rival hackers leaked his personal information online, including his home address and details about his parents.
The LAPSUS$ group is notable for its brazen tactics and low-cost techniques, which revealed weaknesses in cyber infrastructure. The group actively recruited insiders through social media platforms like Reddit and Telegram and was involved in a data breach at Electronic Arts. This unorthodox group, characterized by Microsoft as not covering its tracks, combined phone-based social engineering and insider access to target organizations.
Arion Kurtaj, an 18-year-old from Oxford and a key member of LAPSUS$, was arrested twice in 2022 and was believed to be among the group’s leaders. Kurtaj, known as “White” and “Breachbase,” was involved in hacking multiple high-profile companies and demanding ransoms. Despite his autism, which made him unfit to stand trial, a jury was asked to determine his responsibility for the alleged hacking activities. It was believed that after his arrest, he breached the City of London Police cloud storage and targeted companies like Revolut, Uber, and Rockstar Games for ransom. While on bail, he leaked gameplay videos from the unreleased Grand Theft Auto 6 game. Kurtaj was convicted for his involvement in these activities.
This pseudonym was used by a member who might be a high-ranking individual within LAPSUS$. This member was also known as “wh1te” and “Breachbase” in the underground.
The alias “SigmA” has been associated with a high-ranking member of the LAPSUS$ cybercrime group, a 16-year-old teenager residing in Kidlington, England. This individual was also known by the pseudonyms “wh1te” and “Breachbase” and was actively involved in several notable cybercriminal activities:
Acquisition and Mismanagement of Doxbin: In November 2021, SigmA purchased the website Doxbin for $75,000. However, this acquisition led to a downfall, as SigmA was accused of running the site into the ground, breaking several of its functions, and ultimately damaging its reputation. This led to a feud with the former owner, “KT,” who eventually bought back the site at a much lower price.
Retaliation and Personal Information Leak: Frustrated with KT regaining control of Doxbin, SigmA dumped the site’s entire user database, compromising around 3,000 accounts. This action backfired, as it led to the leaking of SigmA’s own password, which contained elements of his real name. KT and allies then retaliated by hacking into several of SigmA’s accounts and releasing a comprehensive dox that revealed extensive personal information about SigmA and his family.
Early Involvement in Cyber Activities: SigmA’s journey in the cyber world began with an obsession with Minecraft servers and evolved into engagement with communities involved in selling and trading zero-day exploits. Over time, SigmA accumulated substantial wealth, reportedly over 300 BTC (approximately $14 million USD). Before joining LAPSUS$, SigmA co-founded a group called “Infinity Recursion,” which later became defunct.
Legal Actions and Arrest: In March 2022, the City of London Police arrested seven teenagers in connection with the activities of LAPSUS$. SigmA was among those arrested. This arrest coincided with a brief hiatus announced on the LAPSUS$ Telegram channel. SigmA was reportedly re-arrested and charged with cyber offenses in early April, with bail conditions likely restricting his internet access.
Potential Risks and Future Activity: Despite the legal challenges and restrictions, there remains a possibility that SigmA might return to cyber activities, considering his past decisions and underestimation of operational security risks.
These details about SigmA provide insight into the complex and often tumultuous world of cybercrime, highlighting the significant capabilities and risks faced by young individuals deeply involved in such activities.
It’s important to note that due to the nature of cybercriminal activities and the anonymity often maintained by such groups, complete and verified information about all members of LAPSUS$ is not publicly available. Some of the details, such as real names or complete biographies, may not be disclosed due to legal reasons, especially when involving minors.
The LAPSUS$ cybercrime group’s journey marks a significant evolution from a singular, unified entity to a more complex, cell-based structure, reflecting a strategic shift in their operational tactics and organizational dynamics. This transformation holds profound implications for their operational activities, effectiveness, and the resultant challenges posed to law enforcement and cybersecurity professionals.
In its early stages, LAPSUS$ operated as a cohesive unit. The group’s approach was characterized by conducting high-profile breaches and data leaks, functioning as a single, unified entity. This mode of operation enabled them to effectively coordinate large-scale attacks and share resources, maximizing their impact and reach. Central to their operations was the use of both public and private Telegram channels, which served as vital communication, planning, and data dissemination hubs. This centralized communication system was instrumental in maintaining a streamlined mode of operation, which played a key role in their initial successes and notoriety.
However, as the group matured and faced increasing detection risks and security challenges, LAPSUS$ began transitioning towards a more decentralized, cell-based structure. This strategic shift enabled the emergence of smaller, independent groups, or ‘cells’, each operating under the broader umbrella of LAPSUS$. This decentralization meant that each cell functioned autonomously, focusing on specific targets or regions, and specializing in particular types of cyberattacks. This autonomy allowed them to adapt to vulnerabilities in specific industries or technologies, enhancing the group’s overall versatility and effectiveness.
The cell-based approach offered several advantages. Firstly, it provided increased agility, enabling the cells to quickly adapt to changing situations, deploy diverse tactics, and target a broader range of victims without the need for centralized approval or coordination. Secondly, the decentralized structure significantly bolstered operational security. It became more challenging for law enforcement agencies to track and dismantle the entire network, as the capture or disruption of one cell did not significantly impact the others. Finally, despite operating independently, these cells still had the capability to share tools, techniques, and information, thus enhancing the collective capabilities of LAPSUS$.
In essence, the evolution of LAPSUS$ into a cell-based structure reflects the group’s adaptability and resilience in the face of growing scrutiny and law enforcement efforts. This transformation underscores the need for dynamic and flexible approaches in cybersecurity to counter such decentralized and complex cyber threats.
The LAPSUS$ group’s evolution into a more sophisticated, cell-based structure necessitates a nuanced and multi-layered approach to cybersecurity. Organizations must recalibrate their defensive strategies to address the diverse tactics and targets employed by the different cells of LAPSUS$. Here’s a prose summary followed by a set of bullet points outlining key protection strategies:
As LAPSUS$ has transformed into a decentralized entity, characterized by autonomous cells with specific focus areas, it becomes imperative for organizations to adopt a comprehensive and dynamic cybersecurity strategy. This strategy should be agile enough to respond to the changing tactics of LAPSUS$ while being robust in safeguarding against a wide spectrum of cyber threats.
The decentralized nature of LAPSUS$ means that traditional cybersecurity measures might not be sufficient. Organizations need to think beyond standard protocols and implement a suite of advanced defensive measures. This involves not only bolstering their technological defenses but also cultivating a culture of cybersecurity awareness among employees. Given that LAPSUS$ employs a variety of attack vectors, from sophisticated malware to social engineering, an all-encompassing approach to security is crucial.
Enhanced Employee Training: Regular and comprehensive training sessions for employees to recognize and respond to social engineering attacks, phishing attempts, and other forms of cyber threats.
Robust Multi-Factor Authentication (MFA): Implementing strong MFA protocols to prevent unauthorized access, even when login credentials are compromised.
Advanced Threat Detection Systems: Deploying cutting-edge threat detection and response systems that can identify and mitigate sophisticated cyber attacks in real-time.
Regular Security Audits and Updates: Conducting periodic security audits to identify vulnerabilities and ensuring that all software and systems are up-to-date with the latest security patches.
Incident Response Planning: Developing a comprehensive incident response plan to quickly and effectively address any security breaches or data leaks.
Network Segmentation: Dividing the network into segments to contain breaches in one part and prevent them from spreading across the network.
Enhanced Monitoring of Suspicious Activities: Implementing stringent monitoring protocols to detect any unusual activities within the network that could indicate a breach.
Collaboration with Cybersecurity Experts: Engaging with cybersecurity experts and threat intelligence services for insights into the latest threats and defense mechanisms.
By implementing these strategies, organizations can significantly enhance their defenses against the complex and evolving threats posed by groups like LAPSUS$. This proactive and comprehensive approach to cybersecurity is key in the current landscape where cyber threats are becoming increasingly sophisticated and varied.
Regarding the specific malware hashes used by Scattered Spider (formerly known as LAPSUS$), the detailed hashes or indicators were not explicitly provided in the sources I accessed. The available information mainly discusses the types of malware used by the group, such as AveMaria (WarZone), Raccoon Stealer, and VIDAR Stealer, and their general applications, such as enabling remote access and stealing login credentials, browser history, cookies, and other data.
For threat hunting and identifying activities related to LAPSUS$ aka Scattered Spider, organizations should focus on recognizing patterns consistent with the group’s known tactics, techniques, and procedures (TTPs), such as the use of living off the land techniques, leveraging allowlisted applications, modifying TTPs frequently, and specific malware types mentioned. However, without the specific malware hashes or unique indicators, this effort relies heavily on behavioral detection and analysis, rather than signature-based detection.
LAPSUS$ aka Scattered Spider is a sophisticated cybercriminal group known for targeting large companies and their contracted IT help desks. The group is notorious for its versatile tactics, techniques, and procedures (TTPs), which include a range of sophisticated cyber operations.
Data Theft and Ransomware: Scattered Spider has been actively involved in data theft for extortion purposes. They are also known for employing BlackCat/ALPHV ransomware in their attacks, indicating their capability in both data exfiltration and ransomware deployment.
Remote Monitoring and Management Tools: The group uses tools such as Fleetdeck.io and Level.io, which enable remote monitoring and management of systems. These tools allow them to gain extensive control and visibility within the victim’s network.
Credential Phishing and Social Engineering: Scattered Spider adeptly uses credential phishing combined with social engineering. They target one-time-password (OTP) codes and exploit multifactor authentication (MFA) systems through notification fatigue tactics, thereby bypassing security measures that rely on OTPs or MFA.
Sophisticated Infiltration Techniques: Their operations include social engineering of help-desk employees, identity-as-a-service (IDaaS) cross-tenant impersonation, and file enumeration. These techniques illustrate their ability to manipulate human elements and infiltrate complex network systems.
Encryption and Stealth Communication: The FBI observed that LAPSUS$ aka Scattered Spider encrypts exfiltrated files and communicates with targets using various secure methods, such as TOR, tox, email, or encrypted applications. This approach highlights their focus on maintaining operational security and avoiding detection.
The varied and sophisticated TTPs of LAPSUS$ aka Scattered Spider demonstrate their capability to conduct complex and multi-faceted cyberattacks. Their use of a mix of technical tools and social engineering tactics, combined with stealth communication methods, makes them a formidable threat in the cyber threat landscape.
Social Engineering Prowess:
A critical aspect of their approach is effective social engineering, including vishing, smishing, and spearphishing to gather credentials and sensitive information. They have been known to contact victim organizations’ help desks to reset accounts or gather information, and even to impersonate help desks to urge employees to accept MFA requests.
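As an added defensive example (not part of the original report), the two patterns described above, MFA notification fatigue and a help-desk factor reset followed by enrolment or login from a source the user has never used, can be turned into detection logic over identity-provider audit events. The event field names and the sample events below are constructed assumptions, not a real vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IdP audit events (field names are assumptions, not a real vendor schema).
SAMPLE_EVENTS = [
    {"ts": "2022-09-14T08:00:00", "user": "bob",   "event": "session.start",       "src_ip": "198.51.100.44"},
    {"ts": "2022-09-15T02:10:00", "user": "alice", "event": "mfa.push.denied",     "src_ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:10:40", "user": "alice", "event": "mfa.push.denied",     "src_ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:11:20", "user": "alice", "event": "mfa.push.timeout",    "src_ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:12:05", "user": "alice", "event": "mfa.push.denied",     "src_ip": "203.0.113.7"},
    {"ts": "2022-09-15T02:13:30", "user": "alice", "event": "mfa.push.approved",   "src_ip": "203.0.113.7"},
    {"ts": "2022-09-15T09:00:00", "user": "bob",   "event": "mfa.factor.reset",    "src_ip": "198.51.100.5", "actor": "helpdesk-agent"},
    {"ts": "2022-09-15T09:04:10", "user": "bob",   "event": "mfa.factor.enrolled", "src_ip": "203.0.113.9"},
    {"ts": "2022-09-15T09:05:00", "user": "bob",   "event": "session.start",       "src_ip": "203.0.113.9"},
    {"ts": "2022-09-15T10:00:00", "user": "carol", "event": "mfa.push.denied",     "src_ip": "198.51.100.20"},
    {"ts": "2022-09-15T10:00:30", "user": "carol", "event": "mfa.push.approved",   "src_ip": "198.51.100.20"},
]

UNAPPROVED = {"mfa.push.denied", "mfa.push.timeout"}


def _by_user(events):
    """Group events per user in time order, attaching a parsed datetime as 't'."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        grouped[e["user"]].append(dict(e, t=datetime.fromisoformat(e["ts"])))
    return grouped


def detect_push_fatigue(events, window=timedelta(minutes=10), min_unapproved=3):
    """Flag an approval preceded by >= min_unapproved denied/timed-out pushes within
    `window`: the signature of a user giving in to a burst of unsolicited prompts."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e["event"] != "mfa.push.approved":
                continue
            prior = [p for p in evs[:i] if p["event"] in UNAPPROVED and e["t"] - p["t"] <= window]
            if len(prior) >= min_unapproved:
                alerts.append({"user": user, "rule": "mfa_push_fatigue",
                               "unapproved_prompts": len(prior), "approved_at": e["ts"]})
    return alerts


def detect_reset_then_new_source(events, window=timedelta(minutes=30)):
    """Flag a factor reset performed by someone other than the user (e.g. a help-desk
    agent) that is followed within `window` by enrolment or login from a source IP the
    user never used before the reset."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if e["event"] != "mfa.factor.reset" or e.get("actor", user) == user:
                continue
            # Baseline: source IPs the user themself used before the reset.
            baseline = {p["src_ip"] for p in evs[:i] if p.get("actor", user) == user}
            for f in evs[i + 1:]:
                if f["t"] - e["t"] > window:
                    break
                if f["event"] in ("mfa.factor.enrolled", "session.start") and f["src_ip"] not in baseline:
                    alerts.append({"user": user, "rule": "reset_then_new_source",
                                   "reset_by": e["actor"], "new_src_ip": f["src_ip"], "at": f["ts"]})
                    break
    return alerts


def run_detections(events=SAMPLE_EVENTS):
    """Run both rules over the same event stream and return the combined alert list."""
    return detect_push_fatigue(events) + detect_reset_then_new_source(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Thresholds such as three unapproved pushes in ten minutes are starting points; tune them against the baseline of your own identity provider before alerting on them.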
Use of RedLine Infostealer:
RedLine, a malware first observed in 2020, has been a tool in LAPSUS$ aka Scattered Spider’s arsenal. Distributed mainly through social engineering, RedLine can steal a wide range of data, including credentials, session cookies, credit card data, and cryptocurrency information. The malware’s accessibility and low technical barrier to use highlight LAPSUS$’s operational style.
LAPSUS$ aka Scattered Spider, a known cybercriminal group, employs various malware in their operations. Here are some known malware hashes associated with Scattered Spider: