CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group

CrowdStrike Confirms Termination of Employee for Leaking Internal Information to Cybercrime Group

MEDIUM
November 22, 2025
5m read
Categories: Incident Response, Threat Actor, Security Operations

Related Entities

Threat Actors: Scattered Lapsus$ Hunters, ShinyHunters

Executive Summary

Leading cybersecurity firm CrowdStrike announced it identified and terminated a malicious insider who was leaking internal information to the Scattered Lapsus$ Hunters cybercrime group. The incident became public after the threat actors posted screenshots of what appeared to be CrowdStrike's internal Okta identity management dashboard on their Telegram channel. CrowdStrike asserts that its internal investigation caught the employee's activity, their access was terminated, and the leak was limited to screenshots of their own computer screen. The company emphasized that its corporate network was not compromised, no customer data was affected, and the matter has been referred to law enforcement. This incident underscores the significant and ongoing challenge of insider threats, even for the most security-conscious organizations.


Incident Overview

The incident represents a classic case of a malicious insider threat, where a trusted employee intentionally exfiltrates company data for personal gain or at the behest of an external party. The Scattered Lapsus$ Hunters group, a known entity with ties to ShinyHunters, attempted to frame the leak as a successful network intrusion stemming from their recent Gainsight supply chain attack. However, CrowdStrike has explicitly denied this connection, stating the company was not affected by the Gainsight issue and that this was a separate, contained insider case.

According to claims from the hackers, they allegedly offered the CrowdStrike employee $25,000 in exchange for network access. The employee reportedly provided SSO authentication cookies, but CrowdStrike's internal security team had already detected the suspicious activity and terminated the employee's access before any deeper compromise could be achieved. The public posting of the screenshots was likely an act of retaliation or an attempt by the group to save face after their attempt to gain deeper access was thwarted.

Technical Analysis

The primary technique employed was T1078 - Valid Accounts, as the employee used their own legitimate credentials to access internal systems.

  • Initial Contact: The threat actors likely made contact with the employee through social media or other channels, offering a financial incentive for internal access (T1598.003 - Phishing for Information: Spearphishing via Service).
  • Data Collection: The insider used their authorized access to navigate to sensitive internal dashboards, such as the Okta administration panel.
  • Exfiltration: The method of exfiltration was simple and low-tech: taking screenshots of the screen (T1113 - Screen Capture). This method can bypass many traditional Data Loss Prevention (DLP) controls that look for file transfers.
  • Attempted Escalation: The employee allegedly attempted to exfiltrate SSO authentication cookies (T1539 - Steal Web Session Cookie). However, CrowdStrike's detection and response capabilities prevented the threat actors from successfully using these cookies.

CrowdStrike's successful detection likely relied on a combination of User and Entity Behavior Analytics (UEBA) and proactive monitoring of privileged systems.

Impact Assessment

While CrowdStrike successfully contained the incident and prevented a network breach, the event still carries consequences:

  • Reputational Impact: As a leader in cybersecurity, any security incident, even a contained one, can affect public perception. However, the company's transparent communication and effective response may also be seen as a sign of a mature security program.
  • Internal Security Review: The incident will necessitate a thorough review of internal access controls, employee screening processes, and insider threat detection capabilities.
  • Validation of Insider Threat Programs: This event serves as a powerful real-world example for all organizations, demonstrating that technical controls alone are insufficient. A robust insider threat program that combines technical monitoring with HR processes and employee awareness is essential.

Crucially, CrowdStrike has affirmed that no customer data was impacted and its core services were not compromised.

IOCs

No technical IOCs are associated with this incident, as it was an insider threat action rather than an external intrusion with specific malware or infrastructure.

Cyber Observables for Detection

Detecting insider threats requires monitoring user behavior for deviations from the norm.

  • Type: user_account_pattern
    Value: Access to sensitive systems outside of work hours
    Description: An employee accessing privileged dashboards like Okta admin panels at unusual times.
    Context: SIEM, UEBA
    Confidence: medium
  • Type: command_line_pattern
    Value: High frequency of screenshot commands
    Description: On managed endpoints, a spike in the use of screenshot tools or APIs could be an indicator.
    Context: EDR, host-based monitoring
    Confidence: low
  • Type: network_traffic_pattern
    Value: Uploads to personal cloud storage/webmail
    Description: An employee uploading internal screenshots or documents to non-corporate destinations.
    Context: DLP, CASB, network security monitoring
    Confidence: high
  • Type: log_source
    Value: Okta System Log
    Description: Look for unusual administrative actions, or a user accessing the audit logs to try and cover their tracks.
    Context: SIEM, Okta Admin Console
    Confidence: high

Detection & Response

CrowdStrike's handling of the incident provides a model for effective insider threat response.

  1. Detection: Implement a User and Entity Behavior Analytics (UEBA) solution to baseline normal user activity and flag anomalies. This is the core of D3-UBA: User Behavior Analysis. Monitor for employees accessing data or systems unrelated to their job function, accessing systems at odd hours, or attempting large data transfers.

  2. Investigation: When an anomaly is detected, a discreet investigation should be launched in coordination with HR and legal teams.

  3. Containment: Once malicious intent is confirmed, immediately terminate all of the insider's access to corporate systems, including disabling their accounts and revoking all active sessions. This is a form of D3-UA: User Account Disablement.

  4. Forensics: Preserve the employee's devices and logs for forensic analysis to determine the full scope of their actions and what data was exfiltrated.

Mitigation

Mitigating insider threats requires a holistic program that addresses technology, processes, and people.

  • Principle of Least Privilege: Strictly enforce least privilege access. Employees should only have the minimum level of access required to perform their job duties. Regularly review and recertify privileged access. This aligns with D3-UAP: User Account Permissions.
  • Data Loss Prevention (DLP): Deploy endpoint and network DLP solutions to monitor and block the exfiltration of sensitive data, including rules that can detect and block screenshots of sensitive applications.
  • Employee Screening and Monitoring: Implement thorough background checks during hiring and periodic rescreening for employees in high-trust roles. Foster a positive work environment to reduce the likelihood of disgruntled employees.
  • Security Awareness Training: Train employees on their responsibilities for protecting company data and the consequences of insider threats. Provide clear channels for reporting suspicious behavior.

Timeline of Events

November 22, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Enforce the principle of least privilege and regularly audit access to sensitive systems.

Mapped D3FEND Techniques:

  • Use User and Entity Behavior Analytics (UEBA) to detect anomalous activity.
  • Implement DLP rules to detect and block the exfiltration of sensitive information, including screenshots.

D3FEND Defensive Countermeasures

To detect a malicious insider like the one at CrowdStrike, organizations must employ Job Function Access Pattern Analysis, a core component of modern UEBA platforms. This technique involves establishing a detailed baseline of what systems, applications, and data each employee (or role) typically accesses to perform their job. For example, a sales employee's baseline would include accessing Salesforce, while an engineer's might include accessing Jira and GitLab. The system should then be configured to generate a high-priority alert when a user deviates significantly from this baseline. In the CrowdStrike case, an alert would have been triggered when the employee, whatever their role, began accessing the Okta administrative dashboard if that was not part of their normal duties. This behavioral approach is crucial for catching insiders who are using their legitimate credentials, as traditional signature-based tools will see nothing wrong.
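The job-function baseline described above, combined with the off-hours Okta admin access observable from the detection table, as an added example that is not part of the original report. The events, role baseline, working-hours window and the user identities are all constructed; the event type names are modelled on Okta System Log conventions and are assumptions here, not data from the incident.

```python
from datetime import datetime, timezone

# Constructed sample events in the shape of Okta System Log entries
# (actor.alternateId, eventType, published). Event type names are assumed.
EVENTS = [
    {"actor": {"alternateId": "s.rep@corp.example"},
     "eventType": "user.session.start", "published": "2025-11-18T09:12:00.000Z"},
    {"actor": {"alternateId": "s.rep@corp.example"},
     "eventType": "user.session.access_admin_app", "published": "2025-11-18T23:41:00.000Z"},
    {"actor": {"alternateId": "it.admin@corp.example"},
     "eventType": "user.session.access_admin_app", "published": "2025-11-18T10:05:00.000Z"},
]

# Job-function baseline (assumed): the event types each role normally generates.
ROLE_BASELINE = {
    "sales": {"user.session.start", "user.authentication.sso"},
    "okta_admin": {"user.session.start", "user.authentication.sso",
                   "user.session.access_admin_app"},
}
USER_ROLE = {"s.rep@corp.example": "sales", "it.admin@corp.example": "okta_admin"}

ADMIN_EVENT = "user.session.access_admin_app"
WORK_HOURS = range(8, 19)  # 08:00-18:59 UTC counts as working hours in this example


def analyse(events, user_role=USER_ROLE, baseline=ROLE_BASELINE):
    """Return one alert dict per deviation from the role baseline or hours window."""
    alerts = []
    for ev in events:
        user = ev["actor"]["alternateId"]
        etype = ev["eventType"]
        ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ts = ts.replace(tzinfo=timezone.utc)
        expected = baseline.get(user_role.get(user, "unknown"), set())
        # Rule 1: event type the user's job function never produces (high confidence).
        if etype not in expected:
            alerts.append({"user": user, "rule": "outside_job_function",
                           "event": etype, "severity": "high"})
        # Rule 2: admin console access outside working hours (medium confidence).
        if etype == ADMIN_EVENT and ts.hour not in WORK_HOURS:
            alerts.append({"user": user, "rule": "admin_access_off_hours",
                           "event": etype, "severity": "medium"})
    return alerts


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a)
```

The sales user's admin-console access fires both rules, while the same event from the Okta administrator during working hours fires neither, which is the distinction signature-based tooling cannot make.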

The principle of least privilege is the foundational preventative countermeasure against insider threats. The fact that the employee was able to access and screenshot an Okta dashboard suggests a potential gap in access controls. Organizations must rigorously enforce least privilege for all accounts. Access to sensitive administrative consoles like Okta should be restricted to a very small number of authorized administrators. Furthermore, just-in-time (JIT) access controls should be used, where administrators must explicitly request temporary elevated privileges to perform a specific task, and all actions are logged. This eliminates standing privileged access, drastically reducing the window of opportunity for a malicious insider. Regular access reviews (e.g., quarterly) must be conducted to ensure that permissions have not 'crept' up over time and to remove any access that is no longer required for an employee's role.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Insider Threat, CrowdStrike, Scattered Lapsus$ Hunters, Okta, Data Leak, Incident Response
