The group appeared to have popped back up on Telegram with a message saying, “We are officially back from a vacation,” followed by a link to a torrent file with the alleged Globant data. The data itself is interesting and, according to researchers who have opened the rar file, contains what appears to be a combination of source code and admin passwords for Globant’s Jira, Confluence, and Crucible code review tools.
The type of data collected and displayed, if real, fits the group's pattern and matches other leaks they have posted. Inside this dump were also files that appear to contain data about other organizations (possible clients of Globant) like Facebook, DHL, Stifel, C-Span, Arcserve, Racetrac, and even a folder named “apple-health-app”. These, again if real, could be projects that Globant is/was working on for different clients which got caught up in the breach and compromise of the Globant DevOps team.
Although it is clear that Lapsus$ is not gone, they could potentially be in their last days. As we have seen in the past, law enforcement will often release people to see who they contact and what they do after release. This can potentially allow them to gather up more members of a targeted criminal organization and get a better understanding of how they operate. In this case, we expect this is what is happening. There is a strong suspicion that Lapsus$ has used insiders to gain at least initial access to different groups, and law enforcement agencies are going to want not only to identify how they operate that side of the business, but also to see if they can identify any existing or previous insiders.
No matter why Lapsus$ is still around and kicking (pretty hard, I might add), it is clear they still have some things up their sleeves when it comes to breaching organizations. We still do not have a full understanding of what these are, but I imagine some of the details will come out in short order as the investigations into them intensify. Of course, even if they are taken out, someone/something will show up that is just as bad or worse. It is just the way things are when it comes to the threat landscape. This means that, once again, the onus is on organizations to ensure they have the proper security tools and culture to deal with these threats as they emerge and evolve.