
Lapsus$ breach of Okta prompts HHS alert for healthcare organizations


The Lapsus$ hack of authentication company Okta led to the compromise of multiple healthcare organizations, prompting the Department of Health and Human Services to warn the sector of the ongoing, potential threat the extortion group poses.

The new HHS threat report profiles the unconventional group known as Lapsus$, urging all healthcare entities to prioritize the use of passwordless and/or multi-factor authentication and OAuth or SAML, as well as ensuring the effectiveness of current network segmentation strategies and employee security training around social engineering attacks.

As previously reported, the extortion group publicly claimed to have attacked Okta several weeks ago with the intent to leverage their access to the vendor to attack its clients. The group is well known for extorting companies with threats of leaking data, but without the deployment of ransomware.

First identified in April 2020, Lapsus$ is best known for its hack and subsequent leak of files stolen from Samsung. The group doesn’t use overtly sophisticated tools in their attacks, but that hasn’t impacted the effectiveness of their methods. HHS also noted the group is “unprofessional and careless.”

What’s even more notable is that the group appears to be driven by notoriety and destruction, rather than financial gain, given their targeting of large companies.

And although seven of its members, including teenagers, have been indicted, the security community and HHS warned the group is a credible threat that will require a proactive approach to prevent falling victim. But “due to the diversity of their techniques, there is no single set of effective defenses or mitigations.”

The HHS report includes the common tactics leveraged by Lapsus$, including a number of less-common methods such as “self-injection into ongoing crisis-communication calls of their targets.” Credential theft, compromises that bypass multi-factor authentication, and phone-based social engineering are also commonly used by the group.

For the healthcare sector, Lapsus$’s compromise of managed service providers is the largest concern, as seen with the Okta hack. The HHS threat report contains a brief post-mortem on the attack, which shows one hack led to data compromise for 336 of Okta’s customers (3.6%).

HHS stressed that “Okta was yet another example of a distributed attack vector.” As was seen with the SolarWinds, Kaseya, and Log4j incidents, adversaries attempt to compromise as many victims as possible in a single attack by using distributed attack vectors: managed service provider compromises, supply chain compromises, and/or the hacking of managed software components.

The healthcare sector is well within the Lapsus$ scope of targeting, as the group is stealing data for extortion purposes, targeting MSPs, and seeking opportune targets, HHS warned. As such, all providers should review the report to better understand the tactics and swiftly move to bolster defenses.

“While law enforcement has begun pressuring the group and even arresting some alleged members, operations are expected to continue,” HHS warned. “Other members will very likely continue to operate under the Lapsus$ banner or as part of another group, and the geographic diversity of this group will make them especially difficult to permanently quash.”

“The diversity of their tactics, and their lack of reliance on specific malware variants, make them very difficult to detect or stop,” they added. “They have already compromised healthcare organizations and have no reason to stop.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
