Cyber Threat Actor: Lapsus$
| Actor Type | Location | Known Incidents |
Sensationalist
|
—
|
22 incidents |
|---|
Profile
The Lapsus$ Group, also known as Lapsus$ and Grupo Lapsus, is a cybercriminal collective linked to high-profile data breaches targeting multiple sectors globally. Publicly reported incidents attribute operations to this actor across telecommunications (T-Mobile), technology (Microsoft, NVIDIA, Samsung, Okta), gaming (Rockstar Games, Ubisoft), e-commerce (Mercado Libre, JD Sports, Americanas), media (Impresa, Radio Televisión Canaria), and government entities (Brazil's Ministry of Health, DEA). Strategic objectives include data extortion through leaks of proprietary source code, operational disruption via system compromises, and financial gain through ransom demands, as evidenced by attempts to sell stolen assets like GTA 6 source code or pressure NVIDIA to remove cryptocurrency mining restrictions. The group has also demonstrated intent to amplify notoriety through high-visibility breaches, defacements, and public Telegram engagement.
Notable tactics involve credential theft using malware like Redline, purchasing credentials on underground forums, bribing employees for access, and scanning public repositories for exposed secrets. Initial access frequently exploits compromised third-party vendors or contractors, as seen in Uber's breach via an EXT contractor's credentials. The group bypasses multi-factor authentication through MFA fatigue attacks, session replay, and SIM swapping. Once inside networks, they escalate privileges using tools like AD Explorer, target development platforms (Azure DevOps, GitHub, Confluence, Jira), and exfiltrate data via NordVPN. Leaked materials often include source code, customer data, internal communications, and law enforcement databases. Law enforcement investigations indicate arrests of suspected teenage members in the U.K., with FBI involvement in U.S.-related breaches, though no state sponsorship claims exist. Representative operations include the Rockstar Games intrusion leaking GTA 6 assets, T-Mobile's source code theft, Microsoft's Bing and Cortana code exfiltration, and the paralysis of Brazil's COVID-19 vaccination systems. The group's repeated focus on software supply chains—such as breaches at IT consultancy Globant and Uber's supplier Teqtivity—highlights consistent exploitation of third-party vulnerabilities to compromise downstream targets.
