Lapsus$ and IT Security

Lapsus$ is a cyber extortion group of hackers. It has targeted some of the biggest IT companies in the past few weeks. Microsoft did confirm a data breach through one of the developers’ computers, and fingers were pointed at the Lapsus$ gang for this data breach. We look at the growing footprint of Lapsus$ and how it affects your IT infrastructure and its security.

Where is Lapsus$ located?

This is an interesting question. Most IT security analysts believe that Lapsus$ is a group of hackers that spans multiple countries and continents. Initially, it was speculated that Lapsus$ is based somewhere in South America. All indications pointed to a presence in Brazil. However, the arrest of British teens proved that the Lapsus$ gang is trans-national and trans-continental.

It does seem to use South American English. But, this could be a smart ploy to throw the investigators into confusion and misdirection. The fact that a British teen was an active member of the Lapsus$ gang makes for compelling evidence about the trans-national and trans-continental footprint of the group. For now, it is unclear if the Lapsus$ gang has any Russian antecedents.

But, the arrest of a British teen and 6 other hackers has not stopped the Lapsus$ attacks. Globant’s compromise happened after the arrest of Oxford-based British teen. It appears that the Lapsus$ gang is more diverse than people would have initially thought.

How does the Lapsus$ gang of hackers work?

Unlike ransomware gangs, the Lapsus$ gang has emerged as a cybersecurity threat that strives to engage in cyber extortion. Lapsus$ members seem to be driven by monetary gains. The gang targets the data of big companies. Lapsus$ started with attacks in Brazil and quickly moved over to targeting bigger companies like Samsung, Nvidia, Microsoft, and Okta. Here is how the Lapsus$ gang work to target your data:

  • Lapsus$ relies on a mix of different techniques to target its potential victims. It is known to actively use phishing as a means to attack the target. Once exploited, it looks at ways to elevate privileges and access data that is of critical significance to the attacked company. Email and Social Engineering have remained the potent means of Lapsus$ attack on unsuspecting organizations.

  • Lapsus$ is also known to actively target the employees of organizations with financial rewards to help them target the organizations. This is a serious threat because of the presence of weak hands within every organization. The lure of quick money seems to open quite a few openings for the Lapsus$ gang to exploit. From an organization’s perspective, this is a very significant challenge. And, it poses a significant challenge for the IT security teams to plan and mitigate the source of these threats.

Once Lapsus$ gets an entry into the network, it tends to go after the organization’s data. Upon accessing the secure and private data, Lapsus$ steals it. However, it is not deploying any ransomware payloads to encrypt the data of its victim organizations. It works with the victim organizations to try and make quick money. Interestingly, Lapsus$ does not encrypt data. It focuses on data theft and demands a ransom. If the demands remain unfulfilled, Lapsus$ releases the data of the organization on the web. It has already released data from Samsung, Okta, Globant, Microsoft, and Nvidia.

Another interesting aspect of Lapsus$ attacks is that it tends to steal the source code of organizations. Subsequent to the data theft of the source code, it publishes this sensitive and private data on the web.

Who are Lapsus$’s victim companies?

Lapsus$ has exponentially grown in the past three months. We list all the victim organizations that have been exploited by Lapsus in the past six months.

1. Lapsus$ attacked the Ministry of Health of Brazil in December 2021. It was able to target the DNS records of the Ministry.

2. It followed up with attacks on South American organizations that included telecom providers Claro and Embratel. Next in line were the Brazilian state-owned postal service “Correios,” and Portuguese media giant Impresa.

3. The focus, thereafter, shifted to the United States and South Korea. On March 7, 2022, Samsung confirmed a data breach and leak of Galaxy source code by Lapsus$. It remains unclear if Samsung paid ransom to protect its source code. Over 190 GB of proprietary data and information was leaked from Samsung.

4. Nvidia was compromised by Lapsus$ in a significant way. Over 1 TB of Nvidia data was stolen. Lapsus$ leaked 20 GB of data on the web. The threat actor was able to access the login and passwords of 71,000 employees of Nvidia. The gang leaked the Nvidia user login and password over the web. It did threaten to leak the full set of 1 TB Nvidia data. Some analysts are of the opinion that the Nvidia data breach caused Nvidia to uncover the footprint of Lapsus$ attackers. This eventually led to the crackdown on 7 hackers, including the Oxford-based British teen.

– On March 22, 2022, Microsoft confirmed a data breach that targeted the source code of Cortana through one of the internal DevOps servers on Microsoft Azure. In the case of Microsoft’s data breach, a single laptop was compromised to make an entry onto the targeted DevOps stack. Microsoft confirmed the breach. But, it was quick to pronounce that the Lapsus$ or DEV-0537 threat actor was able to make a limited impact on the corporate network of Microsoft.

5. Okta confirmed a data breach at the hands of Lapsus$. Okta has over 15,000 customers which use the company for Identity Access Management services. As part of the data breach disclosure, Okta confirmed that around 2.5 percent of its customer base was affected. This brings us to over 375 customers who would have been compromised as part of the Lapsus$ attack on Okta. The attack on Okta was initiated from the site of one of its customers, Sitel. One of the Sitel login accounts was compromised to make an entry into Okta’s corporate network. Okta has claimed that the attack was limited to the service tickets and service desk details of the customer accounts.

6. Globant is the latest target that has been compromised by Lapsus$. Globant’s breach was reported after the arrest of 7 hacked as part of a crackdown on the Lapsus$ threat gang. Globant’s data breach was shared by Lapsus$ on its telegram channel. It published over 70 GB of Globant’s sensitive data. The data breach included admin login and passwords of the Globant. Given the fact that Globant is a leading IT company, the data breach and security vulnerabilities on the organization’s network surprised many. Globant did confirm the data breach. However, it claimed that the data breach was limited to a limited set of code repositories of a few developers. In more ways than one, Globant indicated that the breach was limited in its extent and scope.


Lapsus$ is one of the latest threat actors that has breached leading IT companies. The gang of Lapsus$ hackers seems to be trans-national and trans-continental. It steals source code and demands a ransom. Unfulfilled ransom demands cause the Lapsus$ gang to dump sensitive corporate data on the web.

You may also like to read the following content related to IT security: