Executive Summary

Threat intelligence reports indicate that the Lapsus$ extortion group, which was significantly disrupted in 2022, has reformed and is active once again. This new iteration of the group appears to have evolved, incorporating tactics and techniques from other criminal syndicates. The primary shift in their methodology is a move towards more sophisticated identity-based extortion schemes. Rather than relying solely on data theft and leaking, the resurgent group is leveraging compromised employee identities to conduct more subtle, persistent, and damaging attacks. This evolution makes detection more challenging and raises the threat level for large enterprises, particularly in the technology sector.

Threat Overview

The original Lapsus$ group was infamous for its brazen attacks against major companies like Microsoft, Nvidia, and Okta. Their TTPs included a unique blend of social engineering, SIM swapping, and paying insiders for access. The group's primary goal was extortion, threatening to leak stolen source code and data if their demands were not met.

This new report suggests that the group's core members or affiliates have regrouped. The key evolution is the integration of techniques from other criminal operations and a refined focus on identity. This could mean they are moving beyond simple credential theft to more advanced forms of identity compromise, such as:

• Manipulating SSO and federation services.
• Abusing compromised identities to create persistent backdoors.
• Targeting identity and access management (IAM) infrastructure directly.

By focusing on identity, the group can achieve deeper and more persistent access, making their extortion threats more potent.

Technical Analysis

While specific TTPs of the new group are still emerging, they are likely building upon their old playbook with new enhancements.

Lapsus$ MITRE ATT&CK Mapping (Historical & Evolved)

• T1589 - Gather Victim Identity Information: The core of their new focus. This includes gathering information on employees, their roles, and access levels.
• T1656 - Impersonation: Using compromised identities to socially engineer help desks or other employees.
• T1078 - Valid Accounts: Abusing stolen credentials, a hallmark of the original group.
• T1621 - Multi-Factor Authentication Request Generation: The infamous "MFA fatigue" or "MFA bombing" attack, where they spam a user with push notifications until one is approved by mistake.
• T1111 - Two-Factor Authentication Interception: Historically achieved through SIM swapping.

Impact Assessment

The resurgence of an advanced group like Lapsus$ poses a significant threat. Their proven ability to breach well-defended, major technology companies demonstrates their skill and determination. An identity-focused approach increases the potential impact, as it can lead to a complete takeover of an individual's corporate access, allowing for subtle data exfiltration, source code manipulation, and sabotage over a long period. The financial and reputational damage from a successful attack by this group can be immense.

Detection & Response

• Identity Threat Detection and Response (ITDR): Deploy solutions that monitor for anomalous identity behavior, such as unusual MFA activity, suspicious privilege escalations, or access from unfamiliar locations.
• Help Desk Monitoring: Train and equip IT help desk staff to recognize social engineering attempts. Implement strict identity verification procedures for all password reset or MFA device change requests.
• MFA Log Analysis: Monitor MFA logs for signs of MFA fatigue attacks (i.e., multiple MFA pushes in a short time for a single user without a corresponding login attempt).
• D3FEND Techniques: Utilize D3-UBA: User Behavior Analysis to baseline normal identity behavior and alert on deviations that could indicate a compromised account.

Mitigation

• Phishing-Resistant MFA: The most effective defense against many of Lapsus$'s techniques (MFA fatigue, SIM swapping) is to deploy phishing-resistant MFA, such as FIDO2 security keys. This is a critical application of M1032 - Multi-factor Authentication.
• Insider Threat Program: Develop a formal insider threat program to detect and deter employees from selling access to threat groups.
• Strengthen Help Desk Processes: Remove the help desk as a weak link by implementing strong, multi-channel verification for any sensitive account actions.
• Limit Access for New Employees/Devices: Implement policies that grant reduced access for a set period for new employees or when a user logs in from a new device, limiting the immediate impact of a compromised account.