Irony As 7 LAPSUS$ Hacker Suspects Are Arrested In The UK Due To Poor Operational Security

Two days ago, we reported that the London police arrested seven individuals between the ages of 16 and 21 years old in connection with an investigation into notorious hacking group LAPSUS$. While it is unclear if the police nabbed the group's ringleader in the arrests, it is clear that the operational security (or OPSEC) of LAPSUS$ was ironically poor and likely aided in the arrests.

From AT&T to Vodafone and a few major players in between, like Microsoft and NVIDIA, LAPSUS$ has been targeting and successfully attacking large publicly traded companies. Their methods are somewhat unorthodox but seemingly effective, allowing for the exfiltration and ransom of intellectual property and other data from the aforementioned companies. However, despite the effectiveness, these methods are also what may have cost the group its fortune and freedom; and rightfully so, we might add.

The LAPSUS$ ransomware group appear to be incredibly inexperienced with OPSEC. They posted their message boasting about access to Microsoft's internal DevOps environment *while still exfiltrating source code*. We can tell by looking at the timestamp of the files in their leak. 🤦‍♂️ https://t.co/NaU38cypUw pic.twitter.com/AryXJS12A1

— Bill Demirkapi @ ShmooCon (@BillDemirkapi) March 22, 2022

Earlier this week, Microsoft reported that LAPSUS$, tracked as DEV-0537, "doesn't seem to cover its tracks," and is "known for using a pure extortion and destruction model without deploying ransomware payloads." With this, the group has been proven to post its attacks on social media or publicly advertise its intent to gain insider access to companies it wishes to attack. An example of this brazen publicity can be seen above, with a screenshot showing that the group was publicizing an attack on Microsoft while still evidently exfiltrating data. Moreover, the group's tactics include "phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets."

I was wondering why LAPSUS would burn such awesome access before getting themselves into all the customer networks.

And then @Laughing_Mantis noticed the date in one of the screen shots…

🌚🔥 pic.twitter.com/gJS7WQf59X

— _MG_ (@_MG_) March 22, 2022

These bold tactics, techniques, and procedures (TTPs) are, however, quite loud when it comes to the defensive blue-team side of things. Subsequently, this has potentially caught up with LAPSUS$ in the form of arrests, though the group's chat on Telegram is still operational, and it appears there is more than meets the eye in terms of OPSEC. For example, the group only posted about its access to Okta recently, but the dates shown in screenshots above indicate that the group had access since January. Thus, there is much more to learn about LAPSUS$ before any real conclusions can be drawn.

In any event, LAPSUS$ was playing a dangerous game in cybersecurity and not only that, the group was also playing it fast and loose. This will bite them in the end if it hasn't already, but at the end of the day, LAPSUS$ speedrunning and getting arrested is great for the good guys as it makes their jobs easier. Either way, let us know what you make of this new breed of extortion group in the comments below.

(Top image, credit: National Archives Catalog)