Microsoft confirmed that the group had gained limited access to their systems, whilst Okta the authenticator provider confirmed approximately 2.5% of its customers would be affected. This attack is the latest in a string of compromises perpetrated by the LAPSUS$ Group; a group of victims that include Impresa, Brazil’s Ministry of Health, Claro, Embratel, NVIDIA, Samsung, Mercado Libre, Vodafone and Ubisoft. 

The most interesting aspects of the group are:

  1. LAPSUS$ issued a counter statement in this case to ask Okta why it had taken so long to disclose the breach publicly. The group also claimed that Okta was storing AWS keys within Slack and that the potential impact to customers was not limited; ongoing public statements and claims from a threat actor being a relatively new occurrence.
  2. The use of Telegram to publish stolen data.
  3. It’s pure extortion and destruction model without the deployment of ransomware payloads.
  4. The group often seems not to cover its tracks. 
  5. The adoption of tactics such as phone-based social engineering schemes such as SIM-swapping to facilitate account takeover, accessing personal email accounts of employees at target organisations, and bribing employees, suppliers or business partners for access.
  6. The group have also been known to intrude in ongoing crisis-response calls of their targets to initiate extortion demands.

Microsoft and Okta have observed that the breach was facilitated by a single account compromise at each company, which has since been remediated. The method of initial access and the particular tactics of this group further emphasise that human vigilance and employee education at organisations is imperative to best mitigate the occurrence of cyber incidents.