LAPSUS$ hacks continue despite two hacker suspects in court

The infamous LAPSUS$ gang, whose curious brand of cyberextortion has been linked with intrusions at Microsoft, Samsung, Okta, Nvidia and others, still seems to be on the boil.

According to Microsoft’s own analysis of the gang’s intrusion at Microsoft itself, these hackers use a range of social engineering techniques that go beyond the usual methods of sweet-talking, cajoling or tricking an innocent victim into giving them a foothold inside the network.

LAPSUS$, tagged with the more serial-number-like code DEV-0537 by Microsoft, are also alleged to use outright bribery, offering to pay insiders to provide them with remote access.

Those insiders, of course, don’t have to be direct employees of the intended victim.

In today’s hugely outsourced IT world, breaking into the computer of a contractor or service provider who themselves has access to the target is enough.

In DEV-0537‘s break-in at two-factor authentication provider Okta, for instance, the intrusion was apparently orchestrated via a third-party company contracted to do technical support for Okta.

As Okta rather curiously insisted after the attack became public, staff at the support company that got hacked were “unable to access users’ passwords”, although this was rather cold comfort considering that the same staff were “able to facilitate the resetting of passwords and multi-factor authentication factors for users.”

Microsoft’s report on the activities of LAPSUS$ revealed a level of arrogance that would be amusing if the stakes were not so high: the company says it was able to stop one of the gang’s data heists half way through because LAPSUS$ members openly bragged on Telegram before they’d even finished the job.

Seven UK arrests

Just over a week ago, City of London police in the UK noted the arrest of several hacking suspects, giving little more away than that seven people aged from 16 to 21 years old had recently been arrested and released under investigation.

Although none of them were named or charged, and although the police didn’t reveal when these arrests had actually happened or what sort of hacking allegations were involved, media stories quickly associated the arrests with LAPSUS$, to the point that you will find a myriad of media headlines talking apparently unequivocally about a “LAPSUS$ bust”.

In the meanwhile, however, LAPSUS$-related cybercrime activities continued with the leak of some 70GBytes of data allegedly purloined from software development company Globant.

Globant itself posted an official warning with the US Securities and Exchange Commission (SEC) stating that “we have recently detected that a limited section of our company’s code repository has been subject to unauthorized access.”

The mystery deepens

The mystery of who, what and where the LAPSUS$ kingpins are located deepened yet further last Friday, when City of London Police noted that two suspects, aged 16 and 17 – presumably two of the seven whose arrest-and-release had been reported earlier – were due in court that morning [2022-04-01]:

Because of the young age of the suspects, neither the public court lists (showing whose hearings are at what times) nor the court hearings themselves (which would usually state their names) ought to give any clues to who they are.

Indeed, as the police press release itself reminds everyone, “automatic reporting restrictions currently apply prohibiting the identification of the name, address, school or any matter likely to identify the individuals.”

All we know is that the City of London Police officially reported the criminal charges the youngsters faced, which came out in legal verbiage as follows.

Both defendants faced:

  • Three counts of unauthorised access to a computer with intent to impair the reliability of data.
  • One count of fraud by false representation.
  • One count of unauthorised access to a computer with intent to hinder access to data.

The younger defendant also faced:

  • One count of causing a computer to perform a function to secure unauthorised access to a program.

What to do?

In a follow-up report, the BBC insists that the suspects were “charged with hacking for a major cyber-crime gang”, explicitly stating in its headline that this gang was, indeed, LAPSUS$.

But few reliable details of who did what to whom under which gang’s “brand” are likely to emerge until the pair return for trial in due course.

In the meantime, whether this really is a LAPSUS$ bust or not is a bit of a red herring.

The key thing to remember is that the LAPSUS$ attacks, along with many others, rely at least in part on ongoing attempts to trick, cajole or bribe insiders into granting remote access.

So, if you don’t already have a fast and simple way for your staff to report security anomalies to your designated in-house security experts (for example, via a standard email account such as security911@yourcompany.example) then create one now.

Crooks like LAPSUS$ don’t just give up if their first attempt to break in fails, so the sooner someone in your company feels empowered to say something, the sooner everyone can be warned and protected.

If no one feels they can say anything, then the crooks get a free pass to try to sneak in over and over again.

Two questions to ask yourself

If you received a dangerous-looking link to click, an unexpected attachment to open, a password request where you didn’t expect it, or a dubious-sounding offer to bribe you to do something insecure, would you know right away where in your company to report it?

And if you’re one of the people who receives reports of that sort, do you treat them promptly and properly even if they turn out to be false alarms, so that your users feel inspired to keep on helping you?

Treat your staff and their cybersecurity concerns with respect and you can turn everyone into the eyes and ears of your security team.

If you don’t have the time or skills in-house, look into a Managed Threat Response (MTR) service that can handle the cybersecurity details you can’t keep up with.


If you don’t have the experience or the time to maintain ongoing threat response by yourself, consider partnering with a service like Sophos Managed Threat Response. We help you take care of the activities you’re struggling to keep up with because of all all the other daily demands that IT dumps on your plate.

Not enough time or staff? Learn more about Sophos Managed Threat Response:
Sophos MTR – Expert Led Response  ▶
24/7 threat hunting, detection, and response  ▶


go top