EXECUTIVE SUMMARY:

The IT and software development giant Globant operates in 18 countries and retains more than 23,500 employees. After the Lapsus$ group allegedly stole credentials, exfiltrated intellectual property and leaked the firm’s source code, Globant admitted to a data breach.

What happened

On March 30th, the Lapsus$ group returned from a temporary hiatus. A new victim’s name was pinned within the group’s Telegram chat: Globant. Shortly thereafter, Lapsus$ published a torrent containing roughly 70GB of data, which is believed to have included source code belonging to Globant.

Within the data, folders in the purportedly stolen cache were labeled with names such as “Apple-health-app,” “Facebook,” “C-SPAN,” “Arcserve,” and “DHL.” Private keys and certificate chains, API keys for third-party services and Azure key information may also have been exposed.

An independent UK-based threat intelligence provider that analyzed the leak reports that the leak is legitimate and “very significant as far as Globant and Globant impacted customers are concerned.” Globant retains dozens of high-profile customers, and revenue in 2021 surpassed $1.2 billion.

[Image: Lapsus$ group Telegram post announcing that the group stole source code from Globant. Image courtesy of ZDNet.com.]

Globant’s response

In a statement, the company said that a “limited section of our company’s code repository has been subject to unauthorized access.”

“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients.”

Globant also noted that a deeper investigation is underway. So far, the investigation has not found that the attackers compromised any other part of Globant’s infrastructure. As the investigation continues, the firm is “taking strict measures to prevent further incidents.”

Lapsus$ group attacks

In recent weeks, the Lapsus$ group has made a name for itself by executing high-profile cyber attacks against companies such as Microsoft and Okta, among others. The Lapsus$ group is a relatively new syndicate on the data-extortion scene. However, due to the group’s strategic operations, successful cyber heists and persistence, the Lapsus$ group is now on the FBI’s Most Wanted list.

Earlier this month, the London Police arrested seven teenagers who may be affiliated with Lapsus$. It is believed that the group retains affiliates across the world, as the group’s Telegram chats suggest that associates speak English, Russian, Turkish, German and Portuguese.

According to cyber security researchers, Lapsus$ relies on a variety of non-technical methods to breach some of its victims. For example, to get past targets’ multi-factor authentication prompts, members have used a technique known as MFA prompt bombing, in which a user is flooded with repeated push-approval requests until one is accepted. In other instances, the group has used SIM swaps, social engineering and bribery.

In conclusion

As your organization upgrades its physical and digital security systems, the Lapsus$ group’s exploits are a reminder that less technical attacks are often easier for attackers to follow through on, and that they can be just as damaging as attacks that rely on advanced programming capabilities or artificial intelligence.

For further information about the Lapsus$ group, please see CyberTalk.org’s past coverage.