Lapsus$ Ransomware Group and Okta Breach

Airgap Networks
4 min read · Apr 10, 2022


Every company is expected to be transparent with its clients and partners when issues arise. Clients depend on our technology to protect their business operations, revenue, and product secrets.

Okta is not the only technology company that has been hit by Lapsus$. Microsoft confirmed that it was also breached by the group, which it tracks as DEV-0537. A single employee's account was compromised, which granted the attackers limited access to Microsoft systems and allowed the theft of some source code. In its statement, Microsoft explained that it does not rely on the secrecy of source code as a security measure, so possession of the code does not raise the risk to its products or customers. The group initially targeted organizations in the United Kingdom and South America, but later expanded to government, technology, media, and healthcare organizations worldwide.

Samsung was also targeted by the same group, which claims to have obtained 190 GB of data. According to the group, the data includes source code for Samsung's Security, Defense, Knox, Bootloader and TrustedApps components, code related to device security and encryption, and various repositories from Samsung's GitHub covering mobile defense engineering and the Samsung account backend.

For criminals, ransomware is a significant industry, with the average ransom demand climbing by over 518%. Gangs offer ransomware as a service (RaaS) on subscription-based payment models, so criminals with little technical skill can run ransomware attacks for as little as $40 per month, using cryptocurrency such as bitcoin to make the payments harder to trace. Attackers will also try to encrypt or erase backup files, making restoration and recovery more difficult or impossible.

This year's average ransomware payment was a record $570,000, compared to $312,000 last year. Lapsus$ has claimed responsibility for the attack on the chip giant Nvidia and threatened to publish the source code of Nvidia's drivers and firmware unless its demands were met. Among those demands, the group asked Nvidia to open-source its GPU drivers for Windows, Linux and macOS.

Lapsus$ also claimed, in March 2022, to have compromised Okta in late January 2022. Okta is a leader in identity and access management: its software lets employees log in once through single sign-on (SSO) and then reach the resources that an organization's IT staff has assigned to them. Okta has confirmed that 366 of its customers were potentially affected. In its statement, Okta explained that a third-party support engineer's laptop had been compromised by Lapsus$ in January, and that the actions available to that contractor were limited. These attacks underline the need for zero trust segmentation and agentless segmentation inside the organization's network.

What is the role of Zero Trust Isolation?

Even during a security breach, users, clients, and partners still need secure remote access to the organization. A breach like Okta's shows that organizations need additional layers of security resilience so the business can keep operating even when one part of it is under attack.

The Airgap Secure Asset Access (SAA) platform is a just-in-time access solution that simplifies full proxy connectivity with per-user, security-based policies. SAA deployment does not require changes to your existing infrastructure. SAA uses TLS 1.3 encryption together with global policy routes defined per group. After a user is authenticated, SAA places them into a policy routing group; within that group policy, Airgap defines the ports and protocols allowed into a micro-segmented VLAN. Any user outside that group who attempts to connect to the protected segment is blocked by SAA.

Working with existing MFA and SSO solutions, Airgap SAA provides secure full proxy connectivity via a reverse proxy. SAA can also provide secure remote connectivity during an outage of the MFA or SSO system.

The potential impact on Okta customers is not yet fully known, but strengthening the MFA implementation is the primary defense against Lapsus$-style attacks. Organizations should implement user-level and risk-based policies that block, or require step-up authentication for, high-impact actions such as device enrollment and MFA factor registration.

Okta customers should rotate passwords for all accounts, administrators included, and identify the scope of their Okta deployment: where Okta's product is deployed and which systems and devices have interacted with it. They should also check the security state of all connected SaaS application configurations, monitor the activity of tools that connect to their systems along with the corresponding network traffic logs, and assign an extra pair of security operations analysts to traffic monitoring and threat hunting with SIEM/SOAR tooling.
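The two previous paragraphs ask Okta customers to watch for high-impact account actions (password resets, MFA factor changes) and to hunt through activity logs. The script below is an added example written for this post, not code from Okta or Airgap. It triages a list of Okta System Log events for the things a hijacked support session would do: successful resets or factor changes performed on someone else's account, and successful sign-ins from outside a corporate network allowlist. The event records are constructed for illustration; their field names follow the Okta System Log JSON schema (published, eventType, actor, client, target, outcome). The review window defaults to January 16-21, 2022, the period Okta named in its disclosure, and the allowlisted networks are hypothetical TEST-NET ranges; both are assumptions to replace with your own values.

```python
"""Triage an Okta System Log export for actions a compromised support account
could take on other users, and for sign-ins from unknown networks.

Added example for this post, not Okta's or Airgap's code.  SAMPLE_EVENTS is
CONSTRUCTED; field names follow the Okta System Log JSON schema.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Okta System Log eventType values for high-impact account actions.
HIGH_IMPACT_EVENTS = {
    "user.account.reset_password",
    "user.account.update_password",
    "user.mfa.factor.reset_all",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.activate",
}

# Review window (assumption): the January 16-21, 2022 period from Okta's
# disclosure.  Adjust to the window relevant to your own investigation.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)  # exclusive

# Hypothetical corporate egress ranges (RFC 5737 documentation blocks).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]


def parse_published(ts):
    """Okta publishes RFC 3339 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def from_known_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def triage(events, window_only=True):
    """Return findings: one dict per suspicious event with the reason flagged."""
    findings = []
    for ev in events:
        published = parse_published(ev["published"])
        if window_only and not (WINDOW_START <= published < WINDOW_END):
            continue
        etype = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        user_targets = [t["alternateId"] for t in ev.get("target", [])
                        if t.get("type") == "User"]
        ip = ev["client"]["ipAddress"]
        success = ev["outcome"]["result"] == "SUCCESS"
        reason = None
        # A successful reset or factor change on someone ELSE's account is what
        # a hijacked support/admin session looks like; self-service is normal.
        if (etype in HIGH_IMPACT_EVENTS and success and user_targets
                and actor not in user_targets):
            reason = "high-impact action on another user's account"
        # A successful sign-in from outside the corporate allowlist.
        elif etype == "user.session.start" and success and not from_known_network(ip):
            reason = "session from unknown network"
        if reason:
            findings.append({"published": ev["published"], "eventType": etype,
                             "actor": actor, "targets": user_targets,
                             "ip": ip, "reason": reason})
    return findings


# Constructed sample export (not real Okta data).
SAMPLE_EVENTS = json.loads("""[
 {"published": "2022-01-18T09:12:05.000Z", "eventType": "user.account.reset_password",
  "actor": {"alternateId": "support-admin@example.com", "type": "User"},
  "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "SUCCESS"},
  "target": [{"alternateId": "alice@example.com", "type": "User"}]},
 {"published": "2022-01-18T10:01:40.000Z", "eventType": "user.account.update_password",
  "actor": {"alternateId": "alice@example.com", "type": "User"},
  "client": {"ipAddress": "203.0.113.9"}, "outcome": {"result": "SUCCESS"},
  "target": [{"alternateId": "alice@example.com", "type": "User"}]},
 {"published": "2022-01-20T16:45:13.000Z", "eventType": "user.mfa.factor.reset_all",
  "actor": {"alternateId": "support-admin@example.com", "type": "User"},
  "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "SUCCESS"},
  "target": [{"alternateId": "bob@example.com", "type": "User"}]},
 {"published": "2022-01-19T03:22:51.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "alice@example.com", "type": "User"},
  "client": {"ipAddress": "192.0.2.77"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2022-01-19T08:00:00.000Z", "eventType": "user.session.start",
  "actor": {"alternateId": "carol@example.com", "type": "User"},
  "client": {"ipAddress": "203.0.113.5"}, "outcome": {"result": "SUCCESS"}},
 {"published": "2022-02-02T11:30:00.000Z", "eventType": "user.mfa.factor.activate",
  "actor": {"alternateId": "support-admin@example.com", "type": "User"},
  "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "SUCCESS"},
  "target": [{"alternateId": "dave@example.com", "type": "User"}]},
 {"published": "2022-01-17T14:05:00.000Z", "eventType": "user.account.reset_password",
  "actor": {"alternateId": "support-admin@example.com", "type": "User"},
  "client": {"ipAddress": "192.0.2.44"}, "outcome": {"result": "FAILURE"},
  "target": [{"alternateId": "erin@example.com", "type": "User"}]}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['published']} {f['eventType']:30} {f['actor']} -> "
              f"{f['targets']} from {f['ip']} ({f['reason']})")
```

Run against the sample, the script flags three events in the window (the two support-initiated resets on other users and the sign-in from 192.0.2.77) and ignores alice's self-service password change, the sign-in from an allowlisted range, and the failed reset attempt; with window_only=False it also flags the February factor activation. In a real investigation, feed it the JSON array returned by the Okta System Log API or a SIEM export. The check keys on the actor differing from the target rather than on a particular actor name, so it catches support-initiated actions whichever identity Okta attributes them to, and the allowlist should be your real egress ranges or VPN pool.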

For more information on Airgap's Secure Asset Access for your private apps, visit https://airgap.io/secure-asset-access or schedule a demo.


Zero Trust Isolation — The Best Defense Against Ransomware Propagation. https://airgap.io