AI Draft UNKNOWN

LAPSUS$

Also known as: DEV-0537, Strawberry Tempest

Affiliation Cybercriminal

Motivation Extortion / Data Theft

Status unknown

Country Unknown

First Seen 2021

Last Seen 2022

Target Sectors Technology, Telecommunications, Government, Media, Retail, Healthcare

Target Geographies International

Executive Summary

LAPSUS$ was a loosely organized cybercriminal extortion group associated with identity-focused intrusions, data theft, social engineering, and public pressure through online channels. CISA: Review Of The Attacks Associated with LAPSUS$ And Related Threat Groups Report published the Cyber Safety Review Board’s review of LAPSUS$ and related groups in August 2023.

Microsoft Security: DEV-0537 criminal actor targeting organizations for data exfiltration and destruction tracks the activity as DEV-0537 and later Strawberry Tempest. Microsoft reported that the actor used a pure extortion and destruction model without deploying ransomware payloads, targeting organizations across government, technology, telecom, media, retail, healthcare, and other sectors.

Notable Campaigns

The CSRB report focused on attacks associated with LAPSUS$ and related threat groups during the 2021-2022 period. The Board described LAPSUS$ as operating against a broader criminal ecosystem and noted that the group used public channels, including Telegram, to discuss operations and pressure victims.

Microsoft reported in March 2022 that DEV-0537 had accelerated activity against multiple organizations, with Microsoft teams conducting detection, customer notification, threat intelligence briefings, and industry coordination. Microsoft also reported that the actor publicly announced attacks on social media and advertised interest in buying credentials from employees of target organizations.

Technical Capabilities

LAPSUS$ and related groups relied heavily on identity and social-engineering tradecraft. Microsoft reported tactics including phone-based social engineering, SIM swapping, access to personal email accounts, payment offers to employees or suppliers for credentials and MFA approval, and intrusion into target crisis-communication calls. The CSRB report similarly emphasized identity and access management weaknesses, telecommunications-provider weaknesses, and outsourced support relationships.

Microsoft reported that DEV-0537 used stolen credentials and session tokens to access internet-facing systems such as VPN, RDP, VDI, and identity-provider platforms. The actor also used MFA prompt abuse, session token replay, repository and collaboration-platform searches for credentials, AD Explorer, Mimikatz, and ntdsutil during intrusions described by Microsoft.

Attribution

The CSRB described LAPSUS$ as a loosely organized transnational threat actor group. It stated that the Board received no evidence suggesting that LAPSUS$ was affiliated with a nation-state or political entity, and it avoided definitive attribution for all attacks associated with the activity set.

Public reporting reviewed by the CSRB indicated that some perpetrators were teenagers and that law enforcement and juvenile cybercrime prevention were relevant response considerations.

MITRE ATT&CK Profile

T1078 - Valid Accounts: Microsoft reported DEV-0537 use of stolen credentials and session tokens to access VPN, RDP, VDI, and identity-provider systems.

T1621 - Multi-Factor Authentication Request Generation: Microsoft and the CSRB reported MFA prompt abuse, including repeated prompts intended to obtain user approval.

T1539 - Steal Web Session Cookie: Microsoft reported use of session token replay and stolen session tokens to satisfy access requirements.

T1589 - Gather Victim Identity Information: Microsoft reported that DEV-0537 gathered information about employees, help desks, workflows, and business relationships before social-engineering attempts.

T1114.002 - Remote Email Collection: Microsoft reported access to personal email accounts and account-recovery paths as part of identity-focused intrusion activity.

T1485 - Data Destruction: Microsoft described DEV-0537 activity as including destructive elements and a model focused on data exfiltration and destruction.