← threatfilter.dev / all groups / LAPSUS$

LAPSUS$

Also known as: DEV-0537 · Strawberry Tempest

Overview

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.

Capabilities

Destructive / data-wiping operations — ATT&CK T1485

TTPs — 43 techniques across 13 tactics

Reconnaissance

T1589 Gather Victim Identity Information
T1589.001 Credentials
T1589.002 Email Addresses
T1591.002 Business Relationships
T1591.004 Identify Roles
T1593.003 Code Repositories
T1597.002 Purchase Technical Data
T1598.004 Spearphishing Voice

Resource Development

T1583.003 Virtual Private Server
T1584.002 DNS Server
T1586.002 Email Accounts
T1588.001 Malware
T1588.002 Tool

Initial Access

T1199 Trusted Relationship

Execution

T1204 User Execution

Persistence

Command and Control

T1090 Proxy

Impact

Tools & malware (1)

Mimikatz

Reporting (3)

How Microsoft names threat actors — Microsoft
LAPSUS: Two UK Teenagers Charged with Hacking for Gang — BBC
DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction — MSTIC, DART, M365 Defender

Overview

Capabilities

TTPs — 43 techniques across 13 tactics

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Stealth

Defense Impairment

Credential Access

Discovery

Collection

Command and Control

Impact

Tools & malware (1)

Reporting (3)