In the past few weeks, the Lapsus$ threat group captured the security community’s attention with a series of brazen and controversial cyber attacks against some of the world’s largest organizations, including Microsoft, Okta, and Samsung. These attacks resulted in sensitive data being leaked on their Telegram channel, thus granting the group a significant notoriety boost in the cybercriminal community.

In our recent blog titled “Meet Lapsus$: An Unusual Group In The Cyber Extortion Business”, our analysts described how this group emerged in December 2021 and how they conducted their criminal operations. Lapsus$ initially appeared to be financially-motivated and solely focused on Latin American organizations; however, they swiftly changed their tactics in the early weeks of January and began targeting global corporations on an unprecedented scale.

After studying this group’s activity for the past few months, we began to question our assumptions on what was motivating Lapsus$. Is it possible that money isn’t Lapsus$’s main drive? Are we observing a false flag operation orchestrated by a foreign power? What might be the factors driving this group to behave in such an unpredictable way?

To answer these questions, I organized a Structured Analytic Technique (SAT) exercise for our own Photon Intelligence Team, permitting a deep dive into this group’s activity and reviewing our assumptions in a critical and organized manner. Keep reading the blog to learn about the key findings stemming from this exercise!

How do you Choose the Right Technique?

A classic SAT definition states that these techniques are “mechanisms by which internal thought processes are externalized in a systematic and transparent manner so that they can be shared, built on, and easily critiqued by others.” In essence, these exercises can support professionals in limiting their cognitive biases, reviewing the available evidence, and addressing the problems associated with unaddressed assumptions.

Right now, there are dozens of SATs you can choose from when deciding how to best tackle a certain analytical problem. SATs are divided into six categories based on their main objective: organization, exploration, diagnosis, reframing, foresight, and decision support. Identifying the right technique that fits your team’s needs is crucial to ensure that the exercise returns the information you’re seeking and offsets the cognitive biases you’re worried about.

Given that our intelligence requirement was based on reassessing our initial assumptions and reviewing the evidence available, I started looking for an SAT that would help our analysts diagnose and reframe our perspective on Lapsus$’s motivations. After evaluating our needs, capabilities, and time constraints, I picked an SAT called “Team A/Team B” to accomplish our goals.

Team A/Team B: How Does it Work?

Team A/Team B is a contrarian technique that sets two (or more) views or competing hypotheses about a specific phenomenon against each other. This approach can help opposing teams to recognize the merit in the other group’s perspective while giving equal attention to both sides. For this reason, this SAT exercise can even end up narrowing down the difference between the two opposing views, thus granting a more comprehensive and nuanced perspective on the studied subject.

But how does this work in practice? The first thing I did was create the two teams while being mindful of balancing their area of expertise, their soft skills, and other internal factors. Subsequently, one captain from each team was selected to represent their team’s point of view and provide a presentation on the day of the exercise. Finally, I created a small jury whose main task was to question the presentations’ robustness and provide further research directions during the exercise. 

On the day of the exercise, the two teams came armed with their glorious slides and an army of memes to discuss their findings and hypotheses. This is another key point that I’d like to make: SATs are a powerful analytical tool, but they’re also an outstanding team building exercise that doesn’t need to weigh on your analysts’ shoulders too much. Try to make it fun and interactive; the result will be even better!

Team A: Is Lapsus$ Financially-Motivated?

One of the key points identified by Team A, which supported the idea that Lapsus$ is a financially-motivated threat group, is that a significant part of its observed activity is consistent with other cybercriminal groups. Gaining access to their victims’ networks and then threatening to release sensitive data is a common tactic shared with notorious ransomware groups, such as Conti, LockBit, and other cyber extortionists. Additionally, in a post on their Telegram channel, Lapsus$ actually stated that they are driven only by profit and have no political inclinations whatsoever. However, cybercriminals’ words should always be taken with a pinch of salt, and the statement has been contradicted by additional posts made by the group.

Some questions remain open, though. Why haven’t we seen any evidence of ransomware being deployed on their victims? And most importantly, why is there no evidence of any payment from their victims? Observing Lapsus$’s way of communicating with its followers via their Telegram channel, the group appears to be pretty confident and often brags about their successes. Why have they never communicated any ransom received? These questions remain unanswered and fuel the hypothesis that there may be more to this group than just money.

There had to be at least one Oscar Slap™ meme in there

Team B: Is Lapsus$ Politically- or Ideologically-Motivated?

After reviewing the evidence presented by Team A, the second team delivered a brilliant presentation trying to convince the rest of the attendees that Lapsus$ is primarily motivated by political or ideological reasons.

The main point put forward by Team B is that we haven’t observed any evidence of a payment directed at Lapsus$—this is a highly unusual observation when compared to other financially-motivated cybercriminals. On top of that, some of the tactics used by Lapsus$ indicate that spreading chaos and causing disruption may be this group’s primary motivations. These actions may well be in line with politically or ideologically-motivated threat groups aiming to damage the reputation of their victims. Some examples include the release of stolen data before any negotiation is put in place with their victims, as well as their use of a Telegram channel to interact with their followers and expand their communication reach.

However, Team B also had to deal with their own lack of evidence. Maybe we don’t have concrete evidence on Lapsus$ being financially-motivated, but we also can’t guarantee that they’re doing these attacks for political or ideological reasons. Sometimes the lack of evidence is just as important as the evidence itself. For this reason, the discussion stemming from the two presentations paved the way for a third possibility that may explain Lapsus$’s actions: the “lulz”.

The Third Way: Doing it for the Lulz

After reviewing all the intelligence available on Lapsus$ and critically questioning our own assumptions on their motivations, the two teams narrowed their distance and started discussing a third possibility. Lapsus$ didn’t really seem to fit in any of the traditional boxes we use to categorize threat actors. So what if these cybercriminals are mainly moved by an irreverent desire to make fun of their victims and expand their reputation in the criminal world?

After all, we know for a fact that prestige and notoriety are key factors for cybercriminals. Several of the tactics observed in this group seem to align with this possibility. The derisive use of their Telegram channel to ridicule their victims, in addition to picking the next victim by interacting with their followers, suggests an attitude towards overt actions that result in additional “noise” and publicity for their threat group. Lapsus$ has also been observed zoombombing the calls of incident responders working for their victims, in a further attempt to poke fun and make mischief for their targets.

If this hypothesis is confirmed by Lapsus$’s future activity, it will potentially even expand the threat posed by this group. By being opportunistic and somewhat irrational in their victim targeting, Lapsus$’s next move is potentially more difficult to forecast as the group seems to escape any traditional categorization.

Conclusion

Attribution is undoubtedly one of the most complex endeavors that any cyber threat intelligence team can attempt. Having limited visibility into the internal workings of a group requires security teams to be creative and rigorous at the same time in order to connect the dots. However, understanding the motivations and capabilities of threat groups can go a long way in supporting defensive strategies.

An overview of Lapsus$ from the Digital Shadows (now ReliaQuest) threat intelligence portal

Structured Analytic Techniques like Team A/Team B represent an excellent occasion for intelligence and security teams to get together and reason around complex issues in a structured and rigorous manner. 

The blog you just read is a summary of the discussion we had in the office. If you want to know more about this exercise, make sure to check this ShadowTalk episode where we go through the discussion and findings of this SAT.
