Full Report
Joseph Cox reports: A hacking group that recently doxed hundreds of government officials, including from the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE), has now built dossiers on tens of thousands of U.S. government officials, including NSA employees, a member of the group told 404 Media. The member said the group... Source
Analysis Summary
# Threat Actor: Scattered LAPSUS$ Hunters
## Attribution & Identity
The threat actor is identified by the Telegram channel name "Scattered LAPSUS$ Hunters." The article suggests a link between this group and past incidents, including the doxing of government officials and attempted extortion against Salesforce customers.
## Activity Summary
The group claims to possess dossiers on tens of thousands of U.S. government officials, including National Security Agency (NSA) employees. This information was allegedly compiled by leveraging data stolen from compromises affecting Salesforce customers earlier in the year. This activity follows previous doxing operations targeting officials from DHS, ICE, and DOJ.
## Tactics, Techniques & Procedures
- **Data Aggregation/Enrichment:** Obtaining and correlating data from prior large-scale breaches (Salesforce customer data) to build comprehensive dossiers.
- **Doxing:** Publicly releasing personal information about targeted officials.
- **Extortion:** The group has previously attempted to extort Salesforce over the breached data caches.
## Targeting
- Sectors: Government/Intelligence (NSA, DIA), Law Enforcement/Regulatory (DHS, ICE, DOJ, ATF, FTC), Aviation (FAA), Public Health (CDC), Military (Air Force).
- Geography: United States (U.S. government officials).
- Victims: Thousands of U.S. government employees across multiple federal agencies, including specific targeting of NSA and DIA personnel.
## Tools & Infrastructure
- **Infrastructure:** Telegram channel (previously active under the name "Scattered LAPSUS$ Hunters," which went down following recent doxing events).
- **Data Source:** Stolen/cached customer data from Salesforce compromises.
## Implications
The group exhibits a clear focus on intelligence and security community personnel, building its dossiers by aggregating records obtained from third-party corporate breaches (the Salesforce customer compromises) rather than by compromising the agencies themselves. Dossiers on high-value targets such as NSA and DIA employees present a significant risk of social engineering (including targeted phishing and impersonation) and of reuse by espionage actors, even where the data has not yet been fully publicized.
## Mitigations
- Heightened vigilance regarding personal data exposure for government employees, especially those in sensitive agencies, since records leaked from a vendor can be correlated with other breaches to build a fuller profile.
- Reviewing and securing data held by third-party vendors (such as CRM/Salesforce instances) that process PII for government entities, including minimizing the PII fields such instances retain.
- Monitoring leak and hacktivist channels (for example, Telegram) for data dumps or discussions naming the affected agencies or individuals.
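The two pieces of this that a defender can actually automate are the aggregation step the TTP section describes (joining partial records from separate breaches on a shared key such as an email address) and the monitoring and exposure-review mitigations above. The following is an added example, not code from the article or from the group described; it runs entirely on constructed data (two fictitious CRM-style contact exports and a fictitious leak-channel post) and an illustrative domain-to-agency watch-list that is an assumption, not an authoritative mapping. It merges the exports the way an aggregator would, scores how complete each resulting profile is, groups watched-domain profiles by agency, and pulls watched addresses out of a posted dump.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample data: two partial contact exports as they might leak from two
# different vendor tenants. Every name, address and number here is fictitious.
EXPORT_A = """email,first_name,last_name,title,phone
j.doe@nsa.gov,Jane,Doe,Program Analyst,
r.roe@dhs.gov,Richard,Roe,,202-555-0100
a.smith@example.com,Ann,Smith,Sales Lead,415-555-0199
"""
EXPORT_B = """email,full_name,mobile,city,organization
J.Doe@NSA.gov,Jane Doe,301-555-0123,Fort Meade,National Security Agency
r.roe@dhs.gov,Richard Roe,,Washington,DHS
t.lee@ice.dhs.gov,Tom Lee,202-555-0177,,
"""

# Assumed watch-list: domain suffix -> agency label (illustrative subset, not authoritative).
WATCHED_DOMAINS = {
    "nsa.gov": "NSA",
    "ice.dhs.gov": "ICE",
    "dhs.gov": "DHS",
    "dia.mil": "DIA",
    "af.mil": "Air Force",
}

# Fields whose presence turns a bare contact row into something closer to a dossier.
PROFILE_FIELDS = ("full_name", "title", "phone", "mobile", "city", "organization")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def normalize_email(email: str) -> str:
    return email.strip().lower()


def agency_for(email: str, watched=WATCHED_DOMAINS):
    """Map an address's domain to an agency label, longest suffix first so that
    ice.dhs.gov resolves to ICE rather than DHS. Returns None for unwatched domains."""
    domain = normalize_email(email).rsplit("@", 1)[-1]
    for suffix in sorted(watched, key=len, reverse=True):
        if domain == suffix or domain.endswith("." + suffix):
            return watched[suffix]
    return None


def parse_export(text: str) -> list[dict]:
    """Read a CSV export, drop empty cells, normalize the join key and unify the name field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {k: v.strip() for k, v in row.items() if v and v.strip()}
        if "email" not in rec:
            continue
        rec["email"] = normalize_email(rec["email"])
        if "first_name" in rec or "last_name" in rec:
            name = f"{rec.pop('first_name', '')} {rec.pop('last_name', '')}".strip()
            rec.setdefault("full_name", name)
        rows.append(rec)
    return rows


def merge_exports(*exports: list[dict]) -> dict[str, dict]:
    """The aggregation step: join on normalized email. Each source fills in fields the
    other lacks, so the merged profile is richer than either leak on its own."""
    profiles: dict[str, dict] = defaultdict(dict)
    for export in exports:
        for rec in export:
            for k, v in rec.items():
                profiles[rec["email"]].setdefault(k, v)
    return dict(profiles)


def completeness(profile: dict) -> int:
    """Number of PROFILE_FIELDS populated (0..6); higher means a more usable dossier."""
    return sum(1 for f in PROFILE_FIELDS if profile.get(f))


def exposure_report(profiles: dict[str, dict]) -> dict[str, list[tuple[str, int]]]:
    """Group watched-domain profiles by agency, most complete first."""
    report: dict[str, list] = defaultdict(list)
    for email, prof in profiles.items():
        agency = agency_for(email)
        if agency:
            report[agency].append((email, completeness(prof)))
    return {a: sorted(v, key=lambda t: -t[1]) for a, v in report.items()}


def scan_post(text: str) -> dict[str, list[str]]:
    """Monitoring helper: extract addresses from a leak-channel post, keep watched ones."""
    hits: dict[str, list] = defaultdict(list)
    for email in set(EMAIL_RE.findall(text)):
        agency = agency_for(email)
        if agency:
            hits[agency].append(normalize_email(email))
    return {a: sorted(v) for a, v in hits.items()}


if __name__ == "__main__":
    merged = merge_exports(parse_export(EXPORT_A), parse_export(EXPORT_B))
    for agency, people in exposure_report(merged).items():
        print(agency, people)
    print(scan_post("fresh dump: j.doe@nsa.gov, t.lee@ice.dhs.gov and bob@example.org"))
```

The point of the merge is the one the TTP section makes: neither constructed export on its own holds a phone number, title and office location for the NSA contact, but the join on a case-normalized email address does. An agency reviewing a vendor breach should therefore score exposure on the merged view across every breach its staff appear in, not on the single export the vendor disclosed.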