Globant confirms falling victim to Lapsus$ extortion group

Digital transformation developer Globant confirmed that the extortion group Lapsus$ stole source code. (Globant)

Following an announcement from the criminal group Tuesday night, digital transformation developer Globant confirmed that extortionists Lapsus$ had stolen source code developed for its clients.

Based in Brazil, Globant is a major engineering contractor, with offices in 18 countries, 24,000 employees and clients ranging from London's Metropolitan Police to EA to Santander.

On Tuesday, Lapsus$ leaked what they claimed were administrator credentials for several of Globant's development platforms and tools: Confluence, Crucible, GitHub and Jira, as well as a 70 gigabyte archive of source code.

Researchers who spoke to SC Media said they had not had time to comb the leak archive for authenticity or potential damage radius. Given the clientele and access, Brett Callow of Emsisoft said that the potential harm could be "significant."

Lapsus$'s most recent attack was against Okta, another digital service with the potential for downstream supply chain impact. That attack leveraged access to Sykes, which was purchased by Sitel, a subcontractor of Okta.

Globant minimized the potential number of clients affected.

"According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients. To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected," said Globant in a press release.

Lapsus$ extorts victims by threatening to release breach documents online, often after releasing sample documents on its official Telegram account. The group suffered setbacks last week when seven members, all teenagers in the United Kingdom, were arrested.

At that time, Lapsus$ claimed it would be taking a break to go on vacation.

"We're officially back from a vacation," Lapsus$ announced as it leaked purported Globant information.

Lapsus$ is known for erratic behavior that is sometimes counterintuitive for a hacker group motivated primarily by money. During attacks on Portuguese media groups, they hijacked Twitter and newsletters to falsely announce the president of Portugal had been arrested and charged with murder.

"The biggest challenge for companies dealing with Lapsus$ is likely to be very unpredictable," Callow said. "When you deal with ransomware, there is a playbook. You know what the process is going to be and do not expect the attacker will suddenly demand you open-source your drivers."

While Globant was the largest attack in progress that came to light this week, a Bloomberg article Wednesday claimed that Lapsus$ members may have been involved in a 2021 scheme to steal consumer data from Apple and Meta through fabricated legal orders.

On Tuesday, Sitel posted an update regarding the Sykes breach. In it, Sitel said that on Jan. 20, Sykes discovered a legacy system had been hacked and made potentially impacted clients aware of the breach the same day. Sitel said that a spreadsheet of passwords that had been distributed as client passwords actually contained out-of-date Sykes employee passwords.

Lapsus$ itself has seen some issues with security over the past week, even beyond the arrests.

"It has come to our attention that many users are impersonating Lapsus$ staff," the group posted to its official Telegram after an account posted a cryptocurrency scam in its name, adding "Lapsus$ will never have 'double your bitcoin' scheme."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.