Talion is a finalist for Best SIEM Solution

Talion is a finalist for Best SIEM Solution for the 4th year in a row

LAPSUS$ Cyber Attack - Talion

LAPSUS$ breach: Guidance and recommendations


A ransom-seeking group made headlines this week after the news broke that authentication provider Okta had been compromised. A number of breaches have been attributed to this group dubbed ‘LAPSUS$’. The group utilise an extortion and destruction model without deploying ransomware payloads and have been targeting organisations in the United Kingdom and South America, including government, technology, telecom, media, retail, and healthcare sectors.

Reports have since emerged that the British Police arrested several members of the group. Seven people between the ages of 16 and 21 have been arrested so far.

While this group displays amateur working methods, thus far, Microsoft, NVIDIA, Samsung, Vodafone, Ubisoft and, most recently, Okta, have all confirmed breaches linked to the threat group. Unlike other groups, LAPSUS$ are extremely public and do not seem to take precautions to cover their tracks, announcing their attacks on social media, often revealing information on how the group operate.

The group utilise the following tactics:

  • Phone-based social engineering
  • SIM-swapping to facilitate account takeover
  • Accessing personal email accounts of employees at target organisations
  • Paying employees, suppliers, or business partners of target organisations for access to credentials and multifactor authentication (MFA) approval
  • Intruding the ongoing crisis-communication calls of their targets
  • LAPSUS$ also spend time to uncover intimate information about employees, team structures, help desks, crisis response workflows, and supply chain relationships to utilise towards their social engineering tactics, which includes the spamming of a target user with multifactor authentication (MFA) prompts and calling the organisation’s help desk to reset a target’s credentials.

The overall objective of LAPSUS$ is to gain elevated access via stolen credentials that enable data theft and destructive attacks, often resulting in extortion. While the group displays a low level of sophistication, their success rate displays the power of reconnaissance, social engineering and the successful employment of an insider.

Our Threat Intelligence team have observed a notable uptick in groups now recruiting employees to disseminate attacks, including the ransom-your-employer tactic, which has been adopted by Lockbit2.0.

This group’s intense use of social engineering tactics makes user awareness a priority in defence. Our recommendation is to educate your technical team to be observant of any unusual contacts with colleagues and IT help desks should be hypervigilant regarding suspicious users and ensure that they are tracked and reported immediately.

We also recommend reviewing help desk policies for password resets for highly privileged users and executives to take social engineering into consideration.

Teach employees about help desk verification practices, encouraging users to report suspicious or unusual contact from the help desk

Additionally, a robust MFA implementation is crucial towards defending against The LAPSUS$ group. Weak MFA, such as text messaged based MFA is not effective due to their use of SIM swapping. MFA should be implemented for all users coming from all locations including perceived trusted environments, and all internet-facing infrastructure–even those coming from on-premises systems.

For more information on emerging threats and cyber-criminal activity, subscribe to our Threat Set Radio Podcast for weekly updates and insights.

Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
Watch demo video
We’re a tight-knit, highly skilled operation, so when a threat arises, we move quickly.
24x7x365 UK-based Security Operations Centre
Service underpinned by market leading threat intelligence team
Continually developed threat relevant content, backed by SLAs
MDR service has featured in the Gartner Magic Quadrant for 6 consecutive years
Experts in SIEM and SOAR technology
UK-based Senior Leadership
Looking to maximise value and flexibility?
Learn how Talion and DEVO partner to achieve this.
Discuss your cyber security needs
Contact us below and one of our team will be in touch to answer your questions.

Call us on 0800 048 5775

Call us directly and we’ll put you in touch with the most relevant cyber expert.

Get In Touch With Us

Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.