Here’s an event we didn’t have on our 2022 cybersecurity incident bingo card – a gang of teenagers (known as LAPSUS$) crowdsourcing which major tech companies to threaten. But this unexpected development has shown us an interesting evolution in the type of tactics criminals use to decide which victim to target, as well as the information-gathering process prior to attacks.
LAPSUS$ is a data extortion gang that apparently started in South America and includes members in other countries, including the UK. They’ve compromised several public and private entities in Brazil and other Latin American countries and have recently gained greater notoriety by compromising several high-profile companies in the technology sector.
How LAPSUS$ Grabbed Data
LAPSUS$ has adopted two methods that are unusual among established cybercriminal groups. The first is that they stay in constant communication with their audience via instant messaging (IM) groups, which currently reach more than 45,000 members. This extortion group conducts frequent polls to get a sense of their followers’ interest in their next victim(s). And they use IM to find out whether they have buyers who are interested in the information they have already been able to exfiltrate from their past victims.
Part of the motivation behind this frequent communication appears to be that after rushing in to grab information, they were sometimes unable to find anyone willing to pay for it. Keeping in touch with their audience increases the likelihood of a payday.
A second tactic LAPSUS$ uses is offering incentives, including bribing employees of the companies they intend to attack. These incentives are exchanged for credentials and internal network access levels that facilitate their operations.
But they don't just stop there; the group also gathers information about companies’ internal processes, technologies that are used, as well as tips for where to find the juiciest information within the network. They even appeared to convince some executive assistants to provide confidential information about executives’ agendas and ongoing projects, a tactic that can dramatically increase the effectiveness of their spear-phishing.
While these sorts of techniques are not new, the way in which LAPSUS$ publicly promotes these “job openings” demonstrates how they are effectively weaponizing the community they’ve gathered using their instant messaging channels. They’ve created a network of “internal agents” who are leaking information, helping the group make the most of limited dwell time in targeted networks.
While this may sound like a horror-show scenario, there is a downside for the group in gathering all these agents within a company. Unless the employees who are feeding the group information are doing so out of genuine malice, this tactic can actually decrease the time before the intruders are caught, as people might be inclined to report even incidents they’ve been involved with.
LAPSUS$ and Insider Threats
Insider threats pose a significant risk to businesses of all sizes, not just tech giants. They can be more difficult to combat, from both a technical and user perspective, than threats from external attackers.
Malicious insider threats can sometimes go undetected for an extended period if the insider covers their tracks well. This could allow attackers prolonged access to confidential company information, potentially disrupting operations within the organization for years. As we’ve seen with the LAPSUS$ attacks, even a brief attack can have a significant impact on a company’s reputation, as well as causing many sleepless nights for incident responders.
According to the 2021 Verizon Data Breach Investigations Report, insider threats cause 28% of breaches, and the pursuit of financial gain drives 76% of insider attacks. While intentional insider threats are less common than the risk of insiders inadvertently falling victim to social engineering, such attacks do happen, and can be devastating.
Combatting Insider Threats
So how does a company detect and respond to a potential insider threat? Sometimes an organization might suspect that an insider poses a legitimate concern but is not yet able to prove it. Other times, the person conducting the attack may slip up and unwittingly alert the company to their actions. Unfortunately, the latter is the more common, which also means the breach has already happened.
When organizations detect insider threats, the consequences for the employee involved generally depend on the severity of the situation. Some employees are simply fired, while others can face prolonged legal proceedings. Either way, there is a lot of personal risk for an individual who participates in insider attacks.
The fact that groups of cybercriminals such as LAPSUS$ are publicly offering rewards to entice employees to act unethically is concerning. The brazenness shown by this group invites us to rethink the way we tackle the problem of insider threats. We can’t simply assume that the possibility of being fired or sued will be enough to deter insiders from helping attackers.
We must make sure we incorporate a comprehensive strategy that covers people, processes, and cutting-edge technologies that allow us to react quickly and proactively when suspicious or malicious behavior is detected.
Can Technology Help?
As these attacks by LAPSUS$ have shortened the window of time necessary for attackers to gain saleable data, we need to find new ways to identify and shut down insider attacks more quickly. Machine learning (ML) that has been trained on normal system activities can be a helpful way to detect when an employee is doing something outside their usual routine, or potentially going rogue.
For example, we could see if a graphic artist who normally just accesses graphic design resources attempts to access the company client database. This could be a sign that they are scouting for saleable information, or they could simply be curious about a certain client for their own personal reasons.
If they then escalate the situation by attempting to download the database or individual client records to their own machine, this would be detected as a potential attack in progress. This could prevent the employee from being able to upload sensitive data to an external site, before the damage is done.
Humans are by their very nature unpredictable and chaotic creatures, but as with malware, certain behaviors “score” more highly as being a sign that the user is planning to do something that may harm the company – whether on purpose or inadvertently.
To guard against insider threats, a good first-line defense is to install intelligent software that learns each individual user’s typical patterns of behavior over time. This can provide an organization with an early warning that something is amiss, allowing them to dynamically adapt their security policy based on the user’s location, device type, and other factors.
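The graphic-artist scenario above, worked through as an added example that is not code from the original post or from any product it describes. In place of a trained ML model it uses a simple per-user baseline (resources touched, actions and destinations used, typical transfer size) and a small additive "score", so the escalation from scouting (alert) to bulk download or external upload (block) is visible in code. All events, users, resource names, weights and thresholds are constructed for illustration and are assumptions, not values from the article.

```python
"""Per-user baseline scoring for insider-threat signals (added example).

All sample events, weights and thresholds below are constructed for
illustration; a real deployment would learn them from telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Event:
    user: str
    action: str     # "read", "download" or "upload"
    resource: str   # category of data touched
    dest: str       # "internal" or "external"
    size_mb: float


# Constructed baseline window: what each user normally does.
BASELINE = [
    Event("gfx_artist", "read", "design_assets", "internal", 12.0),
    Event("gfx_artist", "download", "design_assets", "internal", 40.0),
    Event("gfx_artist", "read", "brand_guidelines", "internal", 1.5),
    Event("sales_rep", "read", "client_db", "internal", 0.2),
    Event("sales_rep", "download", "client_db", "internal", 3.0),
    Event("sales_rep", "upload", "client_db", "external", 1.0),  # CRM sync
]

# Assumed scoring weights: each signal adds to a per-event score.
W_NEW_RESOURCE = 2   # touching a category the user has never accessed
W_SENSITIVE = 2      # ...and that category is classed as sensitive
W_BULK = 2           # transfer far beyond the user's usual volume
W_EXTERNAL = 3       # external upload is not part of the user's routine
SENSITIVE = {"client_db", "hr_records", "source_code"}  # assumed labels
ALERT, BLOCK = 3, 6  # assumed thresholds for tiered response


def build_profiles(events):
    """Learn each user's normal behaviour from the baseline window."""
    profiles = defaultdict(
        lambda: {"resources": set(), "actions": set(), "sizes": []}
    )
    for e in events:
        p = profiles[e.user]
        p["resources"].add(e.resource)
        p["actions"].add((e.action, e.dest))
        p["sizes"].append(e.size_mb)
    for p in profiles.values():
        p["mean_size"] = mean(p["sizes"])
    return profiles


def score_event(e, profiles):
    """Return (score, reasons) for one live event against its user's profile."""
    p = profiles.get(e.user)
    if p is None:
        # No baseline at all: treat as worth a look, not an automatic block.
        return ALERT, ["no baseline for user"]
    score, reasons = 0, []
    if e.resource not in p["resources"]:
        score += W_NEW_RESOURCE
        reasons.append(f"new resource {e.resource}")
        if e.resource in SENSITIVE:
            score += W_SENSITIVE
            reasons.append("sensitive category")
    if e.action != "read" and e.size_mb > 5 * p["mean_size"]:
        score += W_BULK
        reasons.append("bulk transfer")
    if e.dest == "external" and ("upload", "external") not in p["actions"]:
        score += W_EXTERNAL
        reasons.append("external upload unusual for user")
    return score, reasons


def verdict(score):
    """Map a score onto the tiered response: allow, alert, or block."""
    if score >= BLOCK:
        return "block"
    if score >= ALERT:
        return "alert"
    return "allow"


def evaluate(events, profiles):
    """Score a stream of live events; return (event, score, verdict, reasons)."""
    results = []
    for e in events:
        s, r = score_event(e, profiles)
        results.append((e, s, verdict(s), r))
    return results


if __name__ == "__main__":
    # Constructed live stream: the artist scouts, then tries to exfiltrate,
    # while the sales rep's routine external CRM sync stays normal.
    LIVE = [
        Event("gfx_artist", "read", "client_db", "internal", 0.2),
        Event("gfx_artist", "download", "client_db", "internal", 500.0),
        Event("gfx_artist", "upload", "client_db", "external", 500.0),
        Event("sales_rep", "upload", "client_db", "external", 2.0),
    ]
    for e, s, v, r in evaluate(LIVE, build_profiles(BASELINE)):
        print(f"{e.user:11} {e.action:9} {e.resource:13} score={s} {v:5} {r}")
```

The point the scores make is that the same action (an external upload of client_db) is routine for the sales rep and a block for the artist: the verdict comes from the deviation from each user's own baseline, not from the action alone. A bulk transfer is only counted when the user's own mean size is exceeded several times over, which keeps a designer's large asset downloads from tripping the rule.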