ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Lapsus$

Names: Lapsus$ (self given), DEV-0537 (Microsoft)
Country: Brazil
Motivation: Financial gain
First seen: 2021
Description: (Flashpoint) LAPSUS$ is an extortionist threat group that became active on December 10, 2021. Unlike the majority of extortionist groups that typically rely on a combination of ransomware and data leaks, LAPSUS$ is focused on monetizing their operations exclusively through data leaks advertised on Telegram without the use of ransomware.

Initially, the group focused on data breaches against Latin American and Portuguese targets but in late February 2022, LAPSUS$ began widening the scope of its targeting by announcing it had successfully breached US-based graphics and computing chip manufacturer Nvidia. Since then, LAPSUS$ has continued to focus on large-scale international technology companies, including Microsoft, Okta, and Samsung, as the financial incentive for stealing source code and extorting companies for sensitive proprietary technical data is high.
Observed: Countries: Argentina, Brazil, Portugal, USA.
Tools used
Operations performed:
Dec 2021: Brazil health ministry website hit by hackers, vaccination data targeted
<https://www.reuters.com/technology/brazils-health-ministry-website-hit-by-hacker-attack-systems-down-2021-12-10/>
Dec 2021: The Lapsus$ ransomware gang has hacked and is currently extorting Impresa, the largest media conglomerate in Portugal and the owner of SIC and Expresso, the country’s largest TV channel and weekly newspaper, respectively.
<https://therecord.media/lapsus-ransomware-gang-hits-sic-portugals-largest-tv-channel/>
Jan 2022: Lapsus$ Attacks Localiza, Redirects Users to Porn Site
<https://www.databreachtoday.com/lapsus-attacks-localiza-redirects-users-to-porn-site-a-18286>
Jan 2022: Okta confirms 2.5% customers impacted by hack in January
<https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-customers-impacted-by-hack-in-january/>
<https://thehackernews.com/2022/03/new-report-on-okta-hack-reveals-entire.html>
Feb 2022: In the wake of the attack last month on the Impresa group, the latest victims – Correio da Manhã (the country’s most widely-read tabloid), Sábado, Jornal de Negócios and CMTV – belong to the Cofina media group.
<https://www.portugalresident.com/hackers-bring-down-new-media-sites-pj-cybercrime-unit-investigating/>
Feb 2022: Cyberattack brings down Vodafone Portugal mobile, voice, and TV services
<https://therecord.media/cyberattack-brings-down-vodafone-portugal-mobile-voice-and-tv-services/>
<https://www.securityweek.com/vodafone-investigating-source-code-theft-claims>
Feb 2022: GPU giant NVIDIA is investigating a potential cyberattack
<https://www.bleepingcomputer.com/news/security/gpu-giant-nvidia-is-investigating-a-potential-cyberattack/>
<https://www.databreaches.net/lapsus-and-the-terrible-horrible-no-good-very-bad-ransom-day1/>
Mar 2022: Hackers leak 190GB of alleged Samsung data, source code
<https://www.bleepingcomputer.com/news/security/hackers-leak-190gb-of-alleged-samsung-data-source-code/>
Mar 2022: E-commerce giant Mercado Libre confirms source code data breach
<https://www.bleepingcomputer.com/news/security/e-commerce-giant-mercado-libre-confirms-source-code-data-breach/>
Mar 2022: Lapsus$ Ransomware Group is hiring, it announced recruitment of insiders
<https://securityaffairs.co/wordpress/128912/cyber-crime/lapsus-ransomware-is-hiring.html>
Mar 2022: Ubisoft confirms 'cyber security incident', resets staff passwords
<https://www.bleepingcomputer.com/news/security/ubisoft-confirms-cyber-security-incident-resets-staff-passwords/>
Mar 2022: Lapsus$ hackers leak 37GB of Microsoft's alleged source code
<https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/>
Mar 2022: Globant confirms hack after Lapsus$ leaks 70GB of stolen data
<https://www.bleepingcomputer.com/news/security/globant-confirms-hack-after-lapsus-leaks-70gb-of-stolen-data/>
Mar 2022: Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code
<https://krebsonsecurity.com/2022/04/leaked-chats-show-lapsus-stole-t-mobile-source-code/>
Counter operations:
Mar 2022: Lapsus$ suspects arrested for Microsoft, Nvidia, Okta hacks
<https://www.bleepingcomputer.com/news/security/lapsus-suspects-arrested-for-microsoft-nvidia-okta-hacks/>
Apr 2022: Two teenagers charged in connection with investigation into hacking group
<https://www.cityoflondon.police.uk/news/city-of-london/news/2022/march/two-teenagers-charged-in-connection-with-investigation-into-hacking-group/>
Aug 2022: Brazilian police launch investigation targeting Lapsus$ group
<https://therecord.media/brazilian-police-launch-investigation-targeting-lapsus-group/>
Information:
<https://www.flashpoint-intel.com/blog/lapsus/>
<https://www.silentpush.com/blog/lapsus-group-an-emerging-dark-net-threat-actor>
<https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/>
<https://unit42.paloaltonetworks.com/lapsus-group/>
<https://www.cybereason.com/blog/lapsus-activity-betrays-nation-state-motivation>
<https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/>
<https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html>
<https://www.tenable.com/blog/brazen-unsophisticated-and-illogical-understanding-the-lapsus-extortion-group>

Last change to this card: 12 September 2022
