{
	"id": "c3c4e193-4e0f-40d6-af0e-d2d1aefe02d0",
	"created_at": "2026-04-06T00:10:46.631596Z",
	"updated_at": "2026-04-10T03:28:46.804364Z",
	"deleted_at": null,
	"sha1_hash": "9bd3e84244c9dc101d19e0fbb4a84424f530b78b",
	"title": "Microsoft and Okta Confirm Breach by LAPSUS$ Extortion Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 364180,
	"plain_text": "Microsoft and Okta Confirm Breach by LAPSUS$ Extortion\r\nGroup\r\nBy The Hacker News\r\nPublished: 2022-03-23 · Archived: 2026-04-05 23:08:39 UTC\r\nMicrosoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained \"limited access\"\r\nto its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been\r\npotentially impacted in the wake of the breach.\r\n\"No customer code or data was involved in the observed activities,\" Microsoft's Threat Intelligence Center\r\n(MSTIC) said, adding that the breach was facilitated by means of a single compromised account that has since\r\nbeen remediated to prevent further malicious activity.\r\nThe Windows maker, which was already tracking the group under the moniker DEV-0537 prior to the public\r\ndisclosure, said it \"does not rely on the secrecy of code as a security measure and viewing source code does not\r\nlead to elevation of risk.\"\r\n\"This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation,\r\nlimiting broader impact,\" the company's security teams noted.\r\nIdentity and access management company Okta, which also acknowledged the breach through the account of a\r\ncustomer support engineer working for a third-party provider, said that the attackers had access to the engineer's\r\nlaptop during a five-day window between January 16 and 21, but that the service itself was not compromised.\r\nhttps://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html\r\nPage 1 of 4\n\nThe San Francisco-based cloud software firm also said it's identified the affected customers and that it's contacting\r\nthem directly, stressing that the \"Okta service is fully operational, and there are no corrective actions our\r\ncustomers need to take.\"\r\n\"In the case of the Okta compromise, it would not suffice to just change a user's password,\" web infrastructure\r\ncompany Cloudflare said 
in a post-mortem analysis of the incident. \"The attacker would also need to change the\r\nhardware (FIDO) token configured for the same user. As a result, it would be easy to spot compromised accounts\r\nbased on the associated hardware keys.\"\r\nThat said, of particular concern is the fact that Okta failed to publicly disclose the breach for two months,\r\nprompting the cybercriminal group to ask \"Why wait this long?\" in its counter statement.\r\nLAPSUS$ has also claimed in its rebuttal that Okta was storing Amazon Web Services (AWS) keys within Slack\r\nand that support engineers seem to have \"excessive access\" to the communications platform. \"The potential\r\nimpact to Okta customers is NOT limited, I'm pretty certain resetting passwords and MFA would result in\r\ncomplete compromise of many clients' systems,\" the gang elaborated.\r\nMicrosoft Exposes the Tactics of LAPSUS$\r\nLAPSUS$, which first emerged in July 2021, has been on a hacking spree in recent months, targeting a wealth of\r\ncompanies over the intervening period, including Impresa, Brazil's Ministry of Health, Claro, Embratel, NVIDIA,\r\nSamsung, Mercado Libre, Vodafone, and most recently Ubisoft.\r\nThe financially motivated group's modus operandi has been relatively straightforward: break into a target's\r\nnetwork, steal sensitive data, and blackmail the victim company into paying up by publicizing snippets of the\r\nstolen data on their Telegram channel.\r\nMicrosoft described LAPSUS$ as a group following a \"pure extortion and destruction model without deploying\r\nransomware payloads\" and one that \"doesn't seem to cover its tracks.\"\r\nOther tactics adopted by the crew include phone-based social engineering schemes such as SIM-swapping to\r\nfacilitate account takeover, accessing personal email accounts of employees at target organizations, bribing\r\nemployees, suppliers, or business 
partners of companies for access, and intruding on the ongoing crisis-response\r\ncalls of their targets to initiate extortion demands.\r\nLAPSUS$ has also been observed deploying the RedLine Stealer that's available for sale on underground forums\r\nto obtain passwords and session tokens, in addition to buying credentials and access tokens from dark web\r\nmarketplaces as well as searching public code repositories for exposed credentials, to gain an initial foothold.\r\n\"The objective of DEV-0537 actors is to gain elevated access through stolen credentials that enable data theft and\r\ndestructive attacks against a targeted organization, often resulting in extortion,\" the company said. \"Tactics and\r\nobjectives indicate this is a cybercriminal actor motivated by theft and destruction.\"\r\nFollowing initial access, the group is known to exploit unpatched vulnerabilities on internally accessible\r\nConfluence, JIRA, and GitLab servers for privilege escalation, before proceeding to exfiltrate relevant information\r\nand delete the target's systems and resources.\r\nTo mitigate such incidents, Microsoft recommends that organizations mandate multi-factor authentication (but\r\nnot SMS-based, which the SIM-swapping described above defeats), make use of modern authentication options such as OAuth or SAML, review individual sign-ins\r\nfor signs of anomalous activity, and monitor incident response communications for unauthorized attendees.\r\n\"Based on observed activity, this group understands the interconnected nature of identities and trust relationships\r\nin modern technology ecosystems and targets telecommunications, technology, IT services and support companies\r\n– to leverage their access from one organization to access the partner or supplier organizations,\" Microsoft\r\ndetailed.\r\nAmidst the fallout from the leaks, LAPSUS$ appears to be taking a break. 
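The Cloudflare observation quoted above, that a compromised Okta account also has to have its hardware key swapped, is a usable detection signal, and it pairs with Microsoft's advice to review individual sign-ins for anomalies. The Python below is an added example and is not code from the article, Cloudflare, Okta or Microsoft: it walks Okta System Log events, flags every MFA factor reset performed by an identity other than the account owner, raises the severity when a new factor is enrolled within a window, and raises it again when the first sign-in after that enrollment comes from an IP address the account had never used. The eventType names are Okta's documented ones; the event shape is trimmed to the fields read here, the sample events are constructed, and the 24-hour window and the three severity tiers are choices made for this example.

```python
from datetime import datetime, timedelta

# Okta System Log event types in a factor-reset chain. The names are Okta's
# documented eventType values; everything else in this file is constructed.
RESET_EVENTS = {'user.mfa.factor.reset_all', 'user.mfa.factor.deactivate'}
ENROLL_EVENTS = {'user.mfa.factor.activate'}
SESSION_EVENTS = {'user.session.start'}
WINDOW = timedelta(hours=24)  # assumed review window, tune to your tenant


def event_time(event):
    # Okta publishes RFC 3339 timestamps with a trailing Z.
    return datetime.fromisoformat(event['published'].replace('Z', '+00:00'))


def target_user(event):
    # Factor events name the affected account in target[]; sessions do not.
    for target in event.get('target', []):
        if target.get('type') == 'User':
            return target['alternateId']
    return None


def find_factor_resets(events, window=WINDOW):
    # One finding per MFA factor reset performed by an identity other than
    # the account owner (support, helpdesk, or a hijacked admin):
    #   low    - reset only, no re-enrollment inside the window
    #   medium - a new factor was enrolled inside the window
    #   high   - and the first session after enrollment came from an IP the
    #            account had never signed in from before the reset
    events = sorted(events, key=event_time)
    findings = []
    for i, reset in enumerate(events):
        if reset['eventType'] not in RESET_EVENTS:
            continue
        user = target_user(reset)
        actor = reset['actor']['alternateId']
        if user is None or actor == user:
            continue  # self-service reset: the normal case, not flagged
        known_ips = {e['client']['ipAddress'] for e in events[:i]
                     if e['eventType'] in SESSION_EVENTS
                     and e['actor']['alternateId'] == user}
        deadline = event_time(reset) + window
        finding = {'user': user, 'reset_by': actor,
                   'reset_at': reset['published'], 'severity': 'low',
                   'new_ip': None}
        enroll = next((e for e in events[i + 1:]
                       if e['eventType'] in ENROLL_EVENTS
                       and target_user(e) == user
                       and event_time(e) <= deadline), None)
        if enroll is not None:
            finding['severity'] = 'medium'
            session = next((e for e in events[i + 1:]
                            if e['eventType'] in SESSION_EVENTS
                            and e['actor']['alternateId'] == user
                            and event_time(enroll) < event_time(e) <= deadline
                            and e['client']['ipAddress'] not in known_ips), None)
            if session is not None:
                finding['severity'] = 'high'
                finding['new_ip'] = session['client']['ipAddress']
        findings.append(finding)
    return findings


def make_event(published, event_type, actor, user=None, ip='203.0.113.10'):
    # Constructed Okta-style event trimmed to the fields the detector reads.
    return {'published': published, 'eventType': event_type,
            'actor': {'type': 'User', 'alternateId': actor},
            'target': [{'type': 'User', 'alternateId': user}] if user else [],
            'client': {'ipAddress': ip}}


# Constructed sample log: a support-driven reset chain ending in a sign-in
# from a new address (alice), a normal self-service re-enrollment (bob), a
# reset nobody followed up (carol) and a helpdesk reset where the user then
# re-enrolled from a known address (dave).
SAMPLE_EVENTS = [
    make_event('2022-01-17T09:00:00Z', 'user.session.start', 'alice@example.com'),
    make_event('2022-01-19T14:02:11Z', 'user.mfa.factor.reset_all',
               'support-eng@vendor.example', 'alice@example.com'),
    make_event('2022-01-19T14:05:40Z', 'user.mfa.factor.activate',
               'alice@example.com', 'alice@example.com', ip='198.51.100.77'),
    make_event('2022-01-19T14:07:02Z', 'user.session.start',
               'alice@example.com', ip='198.51.100.77'),
    make_event('2022-01-19T11:00:00Z', 'user.mfa.factor.deactivate',
               'bob@example.com', 'bob@example.com'),
    make_event('2022-01-19T11:03:30Z', 'user.mfa.factor.activate',
               'bob@example.com', 'bob@example.com'),
    make_event('2022-01-20T08:00:00Z', 'user.mfa.factor.reset_all',
               'helpdesk@example.com', 'carol@example.com'),
    make_event('2022-01-22T09:00:00Z', 'user.mfa.factor.activate',
               'carol@example.com', 'carol@example.com'),
    make_event('2022-01-18T09:00:00Z', 'user.session.start', 'dave@example.com'),
    make_event('2022-01-20T10:00:00Z', 'user.mfa.factor.reset_all',
               'helpdesk@example.com', 'dave@example.com'),
    make_event('2022-01-20T10:05:00Z', 'user.mfa.factor.activate',
               'dave@example.com', 'dave@example.com'),
    make_event('2022-01-20T10:06:00Z', 'user.session.start', 'dave@example.com'),
]

if __name__ == '__main__':
    for f in find_factor_resets(SAMPLE_EVENTS):
        print(f['severity'], f['user'], 'reset by', f['reset_by'], f['new_ip'])
```

Run it as a script to print the findings. Against a real tenant, feed it a System Log export filtered to the event types above and extend the baseline beyond the source address (device fingerprint, user agent, geolocation), because an attacker holding a support engineer's session can just as easily come from a plausible address.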
\"A few of our members has [sic] a\r\nvacation until 30/3/2022. We might be quiet for some times [sic],\" the group said on its Telegram channel.\r\nSource: https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thehackernews.com/2022/03/microsoft-and-okta-confirm-breach-by.html"
	],
	"report_names": [
		"microsoft-and-okta-confirm-breach-by.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9bd3e84244c9dc101d19e0fbb4a84424f530b78b.pdf",
		"text": "https://archive.orkl.eu/9bd3e84244c9dc101d19e0fbb4a84424f530b78b.txt",
		"img": "https://archive.orkl.eu/9bd3e84244c9dc101d19e0fbb4a84424f530b78b.jpg"
	}
}