Lapsus

Threat Actor updated 10 months ago (2024-11-29T14:22:15.707Z)

Download STIX

Preview STIX

Lapsus is a significant threat actor that has been active since its inception in early 2022. The group gained notoriety for its cyberattacks, including a high-profile breach of Nvidia, an American multinational technology company, in the same year. This attack led to the leak of thousands of passwords and highlighted the group's capabilities. Lapsus also exploited vulnerabilities such as the Log4j Vulnerability, creating ongoing challenges for cybersecurity. The Cyber Safety Review Board (CSRB) under the Department of Homeland Security (DHS) has produced detailed reports on the activities of this group, emphasizing its threat level. The group's tactics are notable for their effectiveness. One instance involved causing multi-factor authentication (MFA) fatigue to an employee by sending numerous MFA authentication notifications, leading to a security compromise. In another case during the summer of 2022, Lapsus managed to infiltrate a trillion-dollar company using just one compromised credential, gaining access to source code. Furthermore, the group used certificates from previous leaks, such as the Nvidia breach, to sign kernel drivers, demonstrating a sophisticated understanding of system exploitation. Despite these activities, Lapsus's operations faced a significant setback when the courts intervened. Identified as a substantial cybersecurity threat, the person known as Lapsus was confined to a secure hospital indefinitely due to concerns about a swift return to cybercrime operations. However, it's worth noting that Lapsus is part of a broader network of threat actors, including APT 35, Corecode, Anonymous, Hive, Pakistani APTs, Russian APTs, Solitbit.ares, and Prynt Stealer, among others. These alliances indicate a global cooperative effort among threat actors, adding another layer of complexity to the cybersecurity landscape.

Description last updated: 2024-05-04T16:33:53.058Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Scattered Spider is a possible alias for Lapsus. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Okta

Ransomware

Microsoft

Extortion

Credentials

Police

Cybercrime

Fraud

Samsung

Mitre

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Hunters Malware is associated with Lapsus. Malware hunters, often referred to as bug hunters, play a critical role in cybersecurity by identifying and addressing vulnerabilities in software systems. In 2023, these professionals proved their worth at the Pwn2Own Toronto event where they identified 58 unique zero-day vulnerabilities, earning a	Unspecified	5
The Lockbit Malware is associated with Lapsus. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or	Unspecified	3

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The FIN7 Threat Actor is associated with Lapsus. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global	Unspecified	2
The APT28 Threat Actor is associated with Lapsus. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influ	Unspecified	2
The Oktapus Threat Actor is associated with Lapsus. Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees	Unspecified	2
The UNC3944 Threat Actor is associated with Lapsus. UNC3944, also known as Scattered Spider or 0ktapus, is a notable threat actor in the cybersecurity landscape. This group primarily targets telecommunication firms and tech companies, but has expanded its operations to hospitality, retail, media, and financial services sectors. The group's modus oper	Unspecified	2
The Shinyhunters Threat Actor is associated with Lapsus. ShinyHunters, a notorious threat actor group, has been involved in several significant data breaches, posing a serious cybersecurity concern for businesses worldwide. The group is known for its malicious activities targeting corporate entities, with the intent of stealing proprietary information. Be	Unspecified	2

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The Log4Shell Vulnerability is associated with Lapsus. Log4Shell is a significant software vulnerability (CVE-2021-44228, CVE-2021-45046, and CVE-2021-45105) that exists in the Log4j Java-based logging utility. It was exploited by various Advanced Persistent Threat (APT) actors, including LockBit affiliates and GOLD MELODY (UNC961), to gain unauthorized	Unspecified	2

Source Document References

Information about the Lapsus Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	2 years ago	The DHS Cyber Safety Review Board's Inaugural Reports
CERT-EU	2 years ago	GTA 6 Hacker: Life in Secure Hospital for Cybercrime Intent
CERT-EU	2 years ago	FBI LEEP Data Sale Sparks Concerns Over National Security
CISA	3 years ago	#StopRansomware: Cuba Ransomware \| CISA
CERT-EU	2 years ago	Businesses and passwords are a security marriage needing help
CrowdStrike	2 years ago	Cloud Security Incident Response Guidance \| CrowdStrike
CERT-EU	2 years ago	Transatlantic Cable podcast, episode 314
CISA	3 years ago	#StopRansomware: Cuba Ransomware \| CISA
Recorded Future	2 years ago	Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan \| Recorded Future
CERT-EU	2 years ago	Law enforcement crackdowns and new techniques are forcing cybercriminals to pivot