{
	"id": "b49d1d09-4086-4672-af50-aac94e0ffc8e",
	"created_at": "2026-04-06T01:29:54.17241Z",
	"updated_at": "2026-04-10T03:28:46.825025Z",
	"deleted_at": null,
	"sha1_hash": "4efd2fc744f39f0567a0dc7e1758549e5840d0ad",
	"title": "Brazilian police launch investigation targeting Lapsus$ group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 305630,
	"plain_text": "Brazilian police launch investigation targeting Lapsus$ group\r\nBy Andrea Peterson\r\nPublished: 2023-01-11 · Archived: 2026-04-06 00:53:06 UTC\r\nBrazil’s Federal Police carried out eight search and seizure warrants Tuesday as part of an investigation into\r\nattacks claimed by the Lapsus$ Group that disrupted the country’s Ministry of Health last December, the agency\r\nannounced in a press release. \r\nPolice did not specifically name Lapsus$ Group in the announcement. However, the details described line up with\r\nthe Lapsus$ Group attack and the agency wrote that the investigation connected the attacks to a “transnational\r\ncriminal organization” focused on cybercrime “targeting public and private entities in Brazil, the United States,\r\nPortugal and Colombia.”\r\nIn addition to the Ministry of Health, Brazilian police wrote, the attacker infiltrated nine other local entities —\r\nincluding the Ministry of the Economy and the National Electric Energy Agency. \r\nThe Ministry of Health website displayed a message directing the agency to Lapsus$ Group for their data during\r\nthe attack, Reuters reported, and updates related to the incident were posted to the group’s Telegram channel.\r\nThe apparent attempt at extortion was the first attack the group publicly took credit for. But in the coming months,\r\nLapsus$ claimed responsibility for a string of breaches — including ones at Microsoft, chipmaker Nvidia, and\r\nsingle sign-on provider Okta. \r\nThe group used a variety of different techniques to carry out its attacks. 
\r\n“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing\r\npersonal email accounts of employees at target organizations; paying employees, suppliers, or business partners of\r\ntarget organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the\r\nongoing crisis-communication calls of their targets,” Microsoft wrote, following its breach investigation.\r\nThe group also seemed to behave erratically — seeking publicity and posting to recruit insiders with access to\r\nupcoming targets, Microsoft noted.\r\nSome alleged members of the group were soon reported to be teenagers — including one in Oxford who was\r\ndoxxed in an episode of hacker drama, according to Bloomberg. U.K. law enforcement arrested seven people,\r\nages ranging from 16 to 21, in March for alleged involvement in the Lapsus$ Group.\r\nThe group continued to post for several days after the arrests, including about a data breach at Globant and an\r\napparent joke about some of its members going on vacation. However, its public Telegram channel has been silent\r\nsince late March. The Federal Police declined to comment on the operation beyond the information in the press\r\nrelease. 
\r\nAndrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress\r\n(RIP) and The Washington Post before doing deep-dive public records investigations at the Project on\r\nGovernment Oversight and American Oversight.\r\nSource: https://therecord.media/brazilian-police-launch-investigation-targeting-lapsus-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/brazilian-police-launch-investigation-targeting-lapsus-group/"
	],
	"report_names": [
		"brazilian-police-launch-investigation-targeting-lapsus-group"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438994,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4efd2fc744f39f0567a0dc7e1758549e5840d0ad.pdf",
		"text": "https://archive.orkl.eu/4efd2fc744f39f0567a0dc7e1758549e5840d0ad.txt",
		"img": "https://archive.orkl.eu/4efd2fc744f39f0567a0dc7e1758549e5840d0ad.jpg"
	}
}