LAPSUS$

Active

Also known as: LAPSUS$, DEV-0537, Strawberry Tempest

🌍

Other

Active Since

2022

MITRE ID

G1004

Techniques

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)

MITRE ATT&CK Techniques

Recon8

T1591.002Business Relationships

T1593.003Code Repositories

T1589.001Credentials

T1589.002Email Addresses

T1589Gather Victim Identity Information

T1591.004Identify Roles

T1597.002Purchase Technical Data

T1598.004Spearphishing Voice

Resource5

T1584.002DNS Server

T1586.002Email Accounts

T1588.001Malware

T1588.002Tool

T1583.003Virtual Private Server

Initial1

T1199Trusted Relationship

Exec1

T1204User Execution

Persist3

T1098.003Additional Cloud Roles

T1136.003Cloud Account

T1133External Remote Services

PrivEsc1

T1068Exploitation for Privilege Escalation

Defense5

T1078.004Cloud Accounts

T1578.002Create Cloud Instance

T1578.003Delete Cloud Instance

T1656Impersonation

T1078Valid Accounts

Creds7

T1552.008Chat Messages

T1555.003Credentials from Web Browsers

T1003.006DCSync

T1111Multi-Factor Authentication Interception

T1621Multi-Factor Authentication Request Generation

T1003.003NTDS

T1555.005Password Managers

Discovery2

T1087.002Domain Account

T1069.002Domain Groups

Lateral0

Collect6

T1213.003Code Repositories

T1213.001Confluence

T1005Data from Local System

T1114.003Email Forwarding Rule

T1213.005Messaging Applications

T1213.002Sharepoint

C21

T1090Proxy

Exfil0

Impact3

T1531Account Access Removal

T1485Data Destruction

T1489Service Stop

Known Victims

live · just now

No victims recorded in ransomware.live for this group.