Cybersecurity News

HC3 Warns of Lapsus$ Cyber Threat Group

Lapsus$ is a new cyber threat group that focuses on bribery and non-ransomware extortion and may pose a threat to the healthcare sector.

HC3 Warns of Lapsus$ Cyber Threat Group

Source: Getty Images

By Jill McKeon

- The Health Sector Cybersecurity Coordination Center (HC3) issued a threat brief outlining the tactics and targets of Lapsus$, the cyber threat group responsible for a cyberattack against identity management service provider Okta.

Lapsus$ is unique in that it does not rely on ransomware to exploit its victims, HC3 explained. Its motivations are likely financial gain and destruction, researchers first identified the group in April 2020. Researchers have observed Lapsus$ targeting multiple high-profile organizations using bribery and non-ransomware extortion.

HC3 said the group may be made up of teenagers and young adults, and they do not use overly sophisticated tools. However, they have successfully exploited a variety of organizations, including Samsung, Microsoft, Okta, Ubisoft, and the Brazilian Ministry of Health.

HC3 specifically focused on the Okta attack due to its implications for the healthcare sector. Okta is an identity management service provider with over 15,000 customers. In January 2022, Lapsus$ posted screenshots of Okta’s internal resources and potentially acquired a list of domain passwords from one of its customers.

HC3 noted that managed service provider attacks are often used as part of cyberattacks against the healthcare sector. HC3 also found evidence that healthcare organizations had been compromised due to the Okta attack.

Using distributed attack vectors, Lapsus$ was able to maximize its reach by compromising multiple customers via a single attack on a managed service provider. Other recent cyberattacks, including Kaseya, Solar Winds, and Log4J exploitation attempts, are examples of attacks containing a distributed attack vector.

HC3 suggested that healthcare organizations remain on high alert and presented numerous reasons for doing so:

  • When comparing Lapsus$ motivations and tactics to health sector operations, the health sector is within their scope of targeting:
    • They steal data for extortion purposes
    • They target managed service providers
    • Their operations are global, and they look for targets of opportunity
  • While law enforcement has begun pressuring the group and even arresting some alleged members, operations are expected to continue.
    • Other members will very likely continue to operate under the Lapsus$ banner or as part of another group
    • The geographic diversity of this group will make them especially difficult to permanently quash
  • The diversity of their tactics, and their lack of reliance of specific malware variants, make them very difficult to detect or stop.

In addition to learning about the group’s tactics, healthcare organizations should implement multifactor authentication, virtual private networks (VPNs), zero trust security policies, and network segmentation.

As with any other threat group, healthcare organizations can mitigate risk by having a robust security architecture and practicing incident response plans.