LAPSUS$
Also known as: DEV-0537 · Strawberry Tempest
Overview
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. It specializes in large-scale social engineering and extortion operations, including destructive attacks that do not rely on ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.
Capabilities
- Destructive / data-wiping operations — ATT&CK T1485
TTPs — 43 techniques across 13 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1589.001 Credentials
- T1589.002 Email Addresses
- T1591.002 Business Relationships
- T1591.004 Identify Roles
- T1593.003 Code Repositories
- T1597.002 Purchase Technical Data
- T1598.004 Spearphishing Voice
Resource Development
- T1583.003 Virtual Private Server
- T1584.002 DNS Server
- T1586.002 Email Accounts
- T1588.001 Malware
- T1588.002 Tool
Initial Access
- T1199 Trusted Relationship
Execution
- T1204 User Execution
Persistence
- T1098.003 Additional Cloud Roles
- T1133 External Remote Services
- T1136.003 Cloud Account
Privilege Escalation
Stealth
- T1078 Valid Accounts
- T1078.004 Cloud Accounts
- T1684.001 Impersonation
Defense Impairment
- T1578.002 Create Cloud Instance
- T1578.003 Delete Cloud Instance
Credential Access
- T1003.003 NTDS
- T1003.006 DCSync
- T1111 Multi-Factor Authentication Interception
- T1552.008 Chat Messages
- T1555.003 Credentials from Web Browsers
- T1555.005 Password Managers
- T1621 Multi-Factor Authentication Request Generation
Discovery
- T1069.002 Domain Groups
- T1087.002 Domain Account
Collection
- T1005 Data from Local System
- T1114.003 Email Forwarding Rule
- T1213.001 Confluence
- T1213.002 Sharepoint
- T1213.003 Code Repositories
- T1213.005 Messaging Applications
Command and Control
- T1090 Proxy
Impact
- T1485 Data Destruction
- T1489 Service Stop
- T1531 Account Access Removal
Tools & malware (1)
- Mimikatz
Reporting (3)
- How Microsoft names threat actors — Microsoft
- LAPSUS: Two UK Teenagers Charged with Hacking for Gang — BBC
- DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction — MSTIC, DART, M365 Defender