A new report by the NCC Group has revealed how Lapsus$ attacks are launched. The report discloses details regarding the techniques and tactics of the highly unpredictable attacks and how the group targets its victims.

Analyzing Lapsus$ attacks

In the last five months, Lapsus$ gained notoriety with successful breaches of Microsoft, Nvidia, Okta, and Samsung. 
  • In one case the Lapsus$ group employed nothing more than the genuine Sysinternals tool ADExplorer that was used to carry out reconnaissance on the victim's environment. 
  • The group used stolen authentication cookies used for SSO apps to initially get inside victims' systems and scraped Microsoft SharePoint sites to find credentials within technical documentation.

Common tactics

The Lapsus$ group gains access to local password managers and databases to acquire credentials and escalate privileges. 
  • Instead of stealing personal information, Lapsus$ focuses on taking source code and intellectual property. Additionally, the group clones git repositories and extract sensitive API keys.
  • After the data is stolen, the group disrupts and destroys cloud environments, specifically targeting on-premises VMware ESXi infrastructure to hide its tracks.
  • Moreover, the researchers have observed mass deletion of VMs, storage, and configurations in cloud environments to make it harder for victims to restore and investigation teams to conduct analysis.

A brief about Lapsus$

Lapsus$ first appeared in December 2021. However, the NCC Group observed the group months before, during an incident response engagement. Further, the report claims that the group was active even before it was working under the banner of the Lapsus$ group.
  • The motivation behind these attacks seems to be gaining money and a reputation on the dark web.
  • Privileged escalation and credential harvesting are key components of Lapsus$ breaches. 
  • Additionally, the major objective of the attackers seems to be the exploitation of corporate VPNs.


Lapsus$ seems to be heavily focused on application source code or proprietary information. Thus, the report suggests various recommendations to fend off such threats, including logging for cloud computing environments, using MFA for user authentication, and restricting unwanted access to sensitive data.

Cyware Publisher