The Health Sector Cybersecurity Coordination Center released a threat brief on Thursday about a recently discovered cyber threat group known as Lapsus$.
The group, described as “effective, but also unprofessional and careless,” is possibly composed of teenagers and young adults, said HC3.
“They have successfully targeted several high-profile organizations to completion,” said the agency. “Due to the diversity of their techniques, there is no single set of effective defenses or mitigations.”
WHY IT MATTERS
According to the agency brief, Lapsus$ was first identified around April 2020.
The motives of their members – believed to be from Portugal and Latin America – include financial gain, destruction and notoriety, said HC3.
The group relies heavily on bribery and non-ransomware extortion, frequently using credential theft, multi-factor authentication bypass, social engineering, managed service provider compromise, SIM-swapping, personal email account access, bribery and self-injection into ongoing crisis-communication calls of targets.
The group has recently targeted the Brazilian Ministry of Health, along with Nvidia, Samsung, Ubisoft, Vodafone, Microsoft, LG, Okta and Globant.
HC3 zoomed in on the Okta incident, saying that the identity management service provider had its internal resources posted on the Lapsus$ Telegram channel in January.
The company said that about 366 of its customers were exposed, making up 3.5% of its base. Puzzlingly, “there has yet to be any publicly known impacts to this attack,” said HC3.
However, it said, “HC3 is aware of healthcare organizations that were compromised in this attack.”
This past month, Microsoft also announced it had interrupted source code exfiltration by Lapsus$.
Microsoft said the group had gained limited access to the infrastructure and that a code leakage would have not led to a risk increase.
“The Lapsus$ members apparently fell asleep during the download,” said HC3.
The U.S. Federal Bureau of Investigation is looking for assistance in identifying Lapsus$ members.
On March 25, London police announced that they had arrested seven alleged members, including a 16-year-old from Oxford accused of being the leader.
“Ironically, members of a doxxing site who were frustrated because their information was leaked,” explained HC3, in turn leaked information about the site’s owner and administrator.
This, said the agency, “is what ultimately led to the arrests.”
Still, HC3 said, “While law enforcement has began pressuring the group and even arresting some alleged members, operations are expected to continue.”
THE LARGER TREND
HC3 has issued several warnings regarding cyber threat groups over the past six months, including LockBit and BlackMatter (since rumored to have shut down).
By far the most headline-grabbing warnings from the government, however, have concerned Russia, particularly regarding its invasion of Ukraine.
In February, the Cybersecurity and Infrastructure Security Agency released a bulletin drawing attention to the country and warning organizations to keep “shields up” to defend against cyber threats.
A month later, President Joe Biden issued his own warning, urging critical infrastructure organizations including healthcare to prepare themselves.
“Most of America’s critical infrastructure is owned and operated by the private sector, and critical infrastructure owners and operators must accelerate efforts to lock their digital doors,” said the president’s memo.
ON THE RECORD
“The geographic diversity of this group will make them especially difficult to permanently quash,” said HC3 about Lapsus$.
“The diversity of their tactics, and their lack of reliance [on] specific malware variants, make them very difficult to detect or stop,” it continued. “They have already compromised healthcare organizations and have no reason to stop.”
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.