In December 2021, a new threat actor began breaching a number of corporate and government entities, mainly situated in Portugal and Brazil. While attracting some attention, those responsible kept a fairly low profile. Since the new year, however, the same threat actor has been making waves in the data extortion scene, becoming increasingly ambitious and outspoken with each attack.

The group in question is LAPSUS$, which is intriguing for a number of reasons: its volume of activity, its pivot to big game hunting, and its eschewing of a dark web PR site - as is popular with many ransomware and breach actors - in favour of communicating via Telegram. Searchlight explored LAPSUS$' origins, tactics, and controversies in order to better understand the group’s position in the current threat landscape.

Origins

It was initially reported that LAPSUS$ began operations in December 2021 following an attack on Brazil’s health ministry, which downed several systems - including one overseeing the country’s COVID-19 vaccination program - and left its website defaced with the group’s name and an offer to return the stolen data for a price. In the new year, LAPSUS$ made headlines again after downing several websites owned by Portuguese media conglomerate Impresa.

However, historical forum records show LAPSUS$ was active for almost half a year prior to this. In June 2021, games developer EA suffered a hack resulting in the theft of source code for several of its products. The data stolen in this attack was subsequently offered on the popular hacking and leaks hub RaidForums under the username “4c3”. 4c3 claimed the username was a pseudonym and that the actor to be credited for the breach, LAPSUS$, would be leaking more data soon.

The LAPSUS$ Telegram group and channel were created in December 2021, seemingly as a means to amplify the Brazilian health ministry hack. In these chats, an account representing LAPSUS$ confirmed that the group was responsible for the EA breach after multiple enquiries from chat participants. Speculation abounds regarding the group’s location, with most describing it as likely South American in origin, given its choice of early targets. This is further corroborated by the frequent use of Portuguese and Spanish in the LAPSUS$ Telegram group, though recently most of the actor’s communications have been solely in English.

Tactics and Motives

Despite initial reports following the group’s attacks against Brazil’s health ministry, Portuguese media conglomerate Impresa and South American telecommunications firm Claro, it appears LAPSUS$ does not deploy ransomware - malware that encrypts the victim’s files and only releases them once a payment is made to the attackers - during its operations. LAPSUS$ itself confirmed this in one instance on Telegram, stating “we said it was a ransom, not a ransomWARE” in response to a chat member’s question about its tactics.

Instead, LAPSUS$ is currently best classified as a data extortion actor - one which breaches corporate networks, exfiltrates sensitive data and demands a ransom in return for not leaking the information online. There have also been occasions where LAPSUS$ has claimed to engage in data wiping against its targets, raising the stakes for the data’s return and thus the likelihood of ransoms being paid. That said, it is currently unclear whether any of LAPSUS$' victims have paid up. The group is still threatening to leak datasets from companies it claims to have hacked weeks ago, most recently teasing the imminent release of data from the Vodafone Portugal breach back in February, further implying negotiations have been unsuccessful.

Some commentators have theorized the motivations of LAPSUS$ aren’t solely financial, due to the potential political implications of its choice of victims and its attempts to pressure Nvidia into open-sourcing its GPU drivers. While it’s possible that politics may influence the group’s victim selection, its demands for ransoms indicate a primary motive of generating profit, rather than making a political statement or disrupting operations through hacktivism. However, recent comments by LAPSUS$ claim that it's no longer interested in pursuing payments from its victims, a pivot that may have been spurred by a lack of success thus far or its original monetary aims being superseded by a growing desire for coveted online "cred".

The issue of how LAPSUS$ gains access to its victims' networks is another point of contention. The group’s moniker means “lapse”, “mistake”, or “error” in Latin, evoking a potential strategy of scanning corporate networks for security gaps or misconfigurations to exploit. However, another potential entry point is the use of leaked employee credentials, often for corporate VPN accounts. Analysis of forum posts and Telegram messages suggests the group purchases stolen logins and browser fingerprints from cybercrime markets such as Genesis.

LAPSUS$ has also proven itself adept at leveraging employees of target organizations: the EA hack depended on socially engineering members of the company’s Slack channel into disclosing further credentials, and a recent recruitment call seeking malicious insiders at large telecommunications, software and call centre firms was shared on Telegram.

This approach of crowdfunding access - in a public Telegram chat in full view of law enforcement and security researchers - is in stark contrast to the operations of most other threat actors, even gangs running RaaS (Ransomware as a Service) schemes. Though these actors maintain a public presence, it is typically in the form of a dark web PR site used to announce, auction and share stolen data. RaaS schemes may also use similar strategies to procure access, but it's typically done in a less conspicuous manner, with much of the process being conducted via private channels.

In terms of victimology, LAPSUS$ has seen a swift re-orientation from regional organizations in a range of industries towards significantly larger technology targets. Excluding the EA hack, the group’s switch to big game hunting was marked by its attack against industry-leading chip maker Nvidia in February, resulting in the alleged theft of 1TB of data including employee credentials and intellectual property.

Just weeks later, reports emerged that Samsung had also been hit, with LAPSUS$ claiming to have stolen 190GB of source code and other confidential information. On March 12, shy of outright confirming responsibility, LAPSUS$ reposted a news story detailing a “cyber security incident” at games developer Ubisoft accompanied by a smirking emoji. The three companies each reported annual revenues between 2 billion and 200 billion USD last year.

Controversies

Another distinguishing feature of LAPSUS$ is its readiness to make enemies of other threat actors. Although internecine conflict in the cybercriminal underground is nothing new - groups regularly turn their hacking skills on their competitors - LAPSUS$ has become embroiled in several disagreements that seem particularly personal and evoke the image of a new, impulsive group that cares little for the prevailing norms of the wider cybercrime community.

LAPSUS$ first displayed its appetite for disputes following the EA hack. An actor by the name of Leakbook, who had been active on RaidForums since 2018, dumped EA data in a post titled “FIFA 21 SOURCECODE + TOOLS” in June 2021. Analysis of forum posts between the two suggests the actors were at one point working together, with Leakbook acting as a seller of the FIFA source code on behalf of LAPSUS$' alter ego 4c3.

This relationship quickly soured after 4c3 posted “EA News” the following month, announcing that they had breached EA and were in the process of trying to extract a ransom payment from the company. In a follow-up post titled “The Biggest EA Data Leak”, Leakbook ridiculed 4c3 for failing to successfully extort EA, instead releasing the data for free. Leakbook made several other posts deriding 4c3/LAPSUS$’ handling of the situation, including leaking the ransom email allegedly sent to EA. LAPSUS$ members were dubbed by Leakbook and other RaidForums users as “skids” (short for “script kiddies”), a derogatory term for would-be hackers who lack actual programming expertise and instead rely on pre-existing scripts.

This experience may have caused LAPSUS$ to briefly stay under the radar, but it did not deter the group from further confrontation when it re-emerged months later. In January 2022, a post was made on Doxbin - a site used to release personal information about an individual - claiming that an affiliate of LAPSUS$ was a 16-year-old boy living in the UK. The dox was posted by one of the site’s staff members, and accused the teenager - alias Wh1te - of buying and briefly owning the site before selling it back to the original owners and leaking its database. While the post contains numerous questionable claims, the timing of its release does correlate with the Doxbin database being shared by a LAPSUS$ representative just three days prior.

Even in its own Telegram channels, LAPSUS$ seems uninterested in preventing bad blood. Following the announcement of the Nvidia hack in February, the group released a torrent for part of the breached data including employee credentials and code-signing certificates. Since then, members of the LAPSUS$ chats have persistently inquired when the second half of the breach will be released, believed to contain the information necessary to bypass the Lite Hash Rate (LHR) technology intended to discourage the purchase of GPUs for cryptocurrency mining.

LAPSUS$ repeatedly assured its followers that the data would be forthcoming and urged patience; however, with the recent addition of “4. Stop asking about NVIDIA” to its Telegram Group Rules and alleged bans against users who do not comply, it seems unlikely Nvidia Part Two will be released anytime soon. This Sunday, LAPSUS$ missed another self-imposed deadline to release its alleged cache of Vodafone data, prompting some followers to complain that the group is bluffing about the amount of valuable data it actually possesses.

Conclusion

LAPSUS$ is a new threat actor which quickly gained attention throughout late 2021 and 2022 for its increasingly ambitious hacking and data extortion attacks against large organizations. Its relative youth as a group is displayed by its chaotic organizing on Telegram, its methods of publicly crowdfunding access to corporate networks, and its reckless attitude towards protecting its reputation within cybercrime circles. While this intra-community animosity may not be enough to stop the group from operating, growing discontent from its fanbase may cause LAPSUS$ to lose relevance if it continues breaking commitments to leak data on schedule.

Furthermore, the pattern of launching more daring and brazen attacks against successively larger companies will likely catch the attention of law enforcement in the future. The group may be aware of this, as several of its members are stated to have gone "on vacation" following its recent targeting of privileged internal accounts at tech giants Microsoft and Okta. If they return, it will be interesting to see if LAPSUS$ tightens its operations, or remains a disorderly yet substantial threat to organizations worldwide.