Brazilian police launch investigation targeting Lapsus$ group
Brazil’s Federal Police carried out eight search and seizure warrants Tuesday as part of an investigation into attacks claimed by the Lapsus$ Group that disrupted the country’s Ministry of Health last December, the agency announced in a press release.
Police did not specifically name Lapsus$ Group in the announcement. However, the details described line up with the Lapsus$ Group attack and the agency wrote that the investigation connected the attacks to a “transnational criminal organization” focused on cybercrime “targeting public and private entities in Brazil, the United States, Portugal and Colombia.”
In addition to the Ministry of Health, Brazilian police wrote, the attacker infiltrated nine other local entities — including the Ministry of the Economy and the National Electric Energy Agency.
The Ministry of Health website displayed a message directing the agency to Lapsus$ Group for their data during the attack, Reuters reported, and updates related to the incident were posted to the group’s Telegram channel.
The apparent attempt at extortion was the first attack the group publicly took credit for. But in the coming months, Lapsus$ claimed responsibility for a string of breaches — including ones at Microsoft, chipmaker Nvidia, and single sign-on provider Okta.
The group used a variety of different techniques to carry out its attacks.
“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote, following its breach investigation.
The group also seemed to behave erratically — seeking publicity and posting to recruiting insiders with access to upcoming targets, Microsoft noted.
Some alleged members of the group were soon reported to be teenagers — including one in Oxford who was doxxed in an episode of hacker drama, according to Bloomberg. U.K. law enforcement arrested seven people, ages ranging from 16 to 21, in March for alleged involvement in the Lapsus$ Group.
The group continued to post for several days after the arrests, including about a data breach at Globant and an apparent joke about some of its members going on vacation. However, its public Telegram channel has been silent since late March. The Federal Police declined to comment on the operation beyond the information in the press release.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.