How fame-seeking teenagers hacked some of the world’s biggest targets

A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.

The group, known as Lapsus$, is a loosely organized group that employs hacking techniques that, while decidedly unsophisticated, have proved highly effective. What the group lacks in software exploitation, it makes up for with persistence and creativity. One example is their technique for bypassing MFA (multi-factor authentication) at well-defended organizations.

Studying the Lapsus$ hacking playbook

Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do, a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

On Thursday, the Homeland Security Department’s Cyber Safety Review Board released a report that documented many of the most effective tactics in the Lapsus$ playbook and urged organizations to develop countermeasures to prevent them from succeeding.

Like a few other more technically advanced threat groups, Lapsus$ “showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims,” the officials wrote in the 52-page report. “They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.”

The list of targets breached by Lapsus$ or whose proprietary data was stolen by Lapsus$ through hacks on third parties is surprisingly extensive for a group that operated for a little over a year and whose primary motivation seemed to be fame. Highlights of the group’s feats and unconventional practices are:

• A phishing campaign that used MFA bombing and other unsophisticated techniques successfully breached San Francisco-based MFA provider Twilio and came close to breaching content delivery network Cloudflare were it not for the latter’s use of MFA that’s compliant with the FIDO2 industry standard.
• The breach of Nvidia’s corporate network and purported theft of 1 terabyte of company data. In return for Lapsus$ not leaking the entire haul, the group demanded Nvidia allow its graphics cards to mine cryptocurrencies faster and to make its GPU drivers open source.
• The posting of proprietary data from Microsoft and single-sign-on provider Okta, which Lapsus$ said it obtained after hacking into the two companies’ systems.
• The network breach of IT services provider Globant and the posting of as much as 70 gigabytes of data belonging to the company.
• The reportedly multiple breaches in March 2022 of T-Mobile. The hacks reportedly used a technique known as SIM swapping—in which threat actors trick or pay phone carrier personnel to transfer a target’s phone number to a new SIM card. When the group got locked out of one account, it performed a new SIM swap on a different T-Mobile employee.
• Hacking into Brazil’s Ministry of Health and deleting more than 50 terabytes of data stored on the ministry’s servers.
• The mostly successful targeting of many additional organizations, including, according to security firm Flashpoint, Vodafone Portugal, Impresa, Confina, Samsung, and Localiza.

Other low-skill tactics that proved particularly effective were the group’s purchase of authentication cookies and other credentials from initial access brokers.

The authors of Thursday’s report wrote:

Lapsus$ drew the attention of cybersecurity professionals and the press almost immediately after providing unparalleled transparency into the inner workings of how it targeted organizations and individuals, organized its attacks, and interacted within itself and with other threat groups. Its mindset was on full display for the world to see and Lapsus$ made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations. Lapsus$ seemed to work at various times for notoriety, financial gain, or amusement, and blended a variety of techniques, some more complex than others, with flashes of creativity. But Lapsus$ did not fall into that category of threat actor that grabs most of the headlines: the nation-state threat actor with well-resourced offensive tactics that lurks behind the scenes for years at a time or the transnational ransomware groups that cost the global economy billions of dollars. In fact, Lapsus$ did not use the type of novel zero-day techniques the industry is used to seeing frequently in the news.

The report contains a variety of recommendations. Key among them is moving to passwordless authentication systems, which presumably refer to passkeys, based on FIDO2. Like all FIDO2 offerings, passkeys are immune to all known credential phishing attacks because the standard requires the device that provides MFA to be no further than a few feet away from the device logging in.