Beginning in late 2021 and continuing late into 2022, a globally active, extortion-focused cyber threat actor group called Lapsus$ attacked dozens of well-known companies and government agencies around the world.
It penetrated corporate networks, stole source code, and then demanded ransoms.
In a report newly released by the US Government on Thursday, it was found that the group relied primarily on SIM swapping to carry out their attacks.
By all indications the hacking group was very creative and developed several new techniques that will now become standard in the hackers' playbook.
Lapsus$ Was a Prolific Data Stealer That Demanded Ransom
Lapsus$ was a hacking group that was active since 2019, and whose mastermind is rumored to be a 16-year-old teenager from Oxford, England.
The group of 8 to 10 hackers was based all over the world and focused on infiltrating companies' systems and stealing data. They would then demand a ransom not to release that data.
Their most famous attack was on the US Department of Defense in 2020, but the group also hit Microsoft, Cisco, Nvidia, T-Mobile, Samsung, Uber and Vodafone.
They Targeted Telecom Providers To Enable SIM Swapping
Knowing that employees are often the weakest link in any company's security, the group was highly specialized and effective in targeting key employees of the companies so they could gain access.
What they wanted was access to employees' phones and sign-ons to VPNs to get access to systems.
According to the government report, they focused on getting access to employees by SIM swapping their phones so they could intercept one-time passcodes and gain access to the company networks.
To perpetrate those SIM swaps, they went straight to the telecom providers and did two interesting things:
#1 – They Used Emergency Disclosure Requests
To obtain confidential information about their victim (name, phone number, customer proprietary network information), the hackers used fraudulent emergency disclosure requests (EDRs) by pretending to be an official or law enforcement officer.
EDR forms give a police officer the ability to get account information from a company if they believe that there is an imminent threat of death or grave danger to the person.
Once they received the information, they would go to work on taking over the victim's accounts.
#2 – They Recruited Industry Insiders At Telecom Providers To Enable SIM Swapping
During the government research, the investigators also found that the group paid as much as $20,000 per week to access a telecommunications provider’s platform and perform SIM swaps.
They even advertised on Telegram, recruiting industry insiders to provide access to their systems, which would give the group unlimited ability to SIM swap phones.
You can check out this advertisement here where they are willing to pay employees for access to VPN or Citrix.
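As an added defender-side example (not from the government report or this post), the check below flags VPN logins that were approved with an SMS one-time passcode shortly after the carrier reported a SIM change on that phone number, which is exactly the window a SIM swap exploits. The event format, field names, sample events and the 72-hour window are all assumptions; such sessions should be stepped up to a phishing-resistant factor and reviewed rather than trusted.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not from the report):
# carrier SIM-change notices and VPN logins approved with an SMS OTP.
SIM_CHANGES = [
    {"phone": "+15550100001", "at": "2022-03-01T02:10:00"},
]
SMS_OTP_LOGINS = [
    {"user": "alice", "phone": "+15550100001", "at": "2022-03-01T03:05:00", "src": "vpn"},
    {"user": "bob",   "phone": "+15550100002", "at": "2022-03-01T03:07:00", "src": "vpn"},
    {"user": "alice", "phone": "+15550100001", "at": "2022-03-09T09:00:00", "src": "vpn"},
]

LOOKBACK = timedelta(hours=72)  # assumed policy window after a SIM change


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_sim_swap_logins(sim_changes, logins, lookback=LOOKBACK):
    """Return the logins whose phone number had a SIM change within `lookback`
    before the SMS OTP was accepted, annotated with how soon after the swap
    the login happened."""
    changes = {}
    for c in sim_changes:
        changes.setdefault(c["phone"], []).append(parse(c["at"]))
    flagged = []
    for login in logins:
        t = parse(login["at"])
        for change_at in changes.get(login["phone"], []):
            if change_at <= t <= change_at + lookback:
                hours = round((t - change_at).total_seconds() / 3600, 2)
                flagged.append({**login,
                                "sim_changed_at": change_at.isoformat(),
                                "hours_after_swap": hours,
                                "action": "step_up_and_review"})
                break
    return flagged


if __name__ == "__main__":
    for hit in flag_sim_swap_logins(SIM_CHANGES, SMS_OTP_LOGINS):
        print(hit)
```

Only Alice's first login is flagged: it followed the SIM change by under an hour, while her login eight days later falls outside the window.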
Insider Access At Telecom Providers Is Extremely Popular
Recruiting insiders at telecom providers is now an industry standard for hackers.
In fact, the recruitment of insiders has extended into almost every major company in the US, since it has been so successful in providing unfettered access to sensitive information.
The Hackers' Activity Abruptly Ended In 2022 After Arrests Were Made
The group was prolific and damaging; however, in March of 2022 all activity of the group ended. The City of London Police reportedly arrested 7 members of the group, including the 16-year-old mastermind.
After those arrests, the hackers' Telegram channel indicated that several members of the team had gone on vacation.
It looks like they might be quiet for some time, but their cutting-edge techniques will likely be used for a long time into the future.
Read The Government Report
You can read the whole report here.