Full Report
On October 16 and 17, the ScatteredLAPSUS$Hunters Telegram channel repeatedly violated Telegram’s TOS by leaking personal information on people — and in this case, information on employees of the Department of Justice (DOJ/FBI), U.S. Attorneys Office (DOJ/USAO), the Department of Homeland Security (DHS), and the Federal Aviation Authority (FAA). DataBreaches did not report on it...
Analysis Summary
# Threat Actor: ScatteredLAPSUS$Hunters
## Attribution & Identity
**Attribution:** Unclear from the article, but the name suggests an association or lineage with the LAPSUS$ group, or an attempt to leverage that notoriety.
**Aliases:** ScatteredLAPSUS$Hunters
## Activity Summary
The group operated a Telegram channel that repeatedly violated Telegram's Terms of Service (TOS) by publishing private information (doxing) pertaining to U.S. government employees. The channel was banned by Telegram shortly after or during public reporting due to these TOS violations. The activity focused on leaking four separate CSV files containing personal data of US government personnel.
## Tactics, Techniques & Procedures
- **Doxing/Data Leakage:** Publishing private personal information of targeted individuals publicly.
- **Use of Messaging Platforms for Distribution:** Utilizing Telegram channels to distribute leaked files.
- **Data Formatting:** Files were distributed in poorly organized CSV format (not sorted by state or alphabetically).
## Targeting
- **Sectors:** Government/Public Sector (specifically law enforcement, homeland security, and regulatory agencies).
- **Geography:** Implicitly the United States, based on the agencies targeted.
- **Victims:** Employees of the Department of Justice (DOJ/FBI), U.S. Attorneys Office (DOJ/USAO), Department of Homeland Security (DHS) components (FEMA, CBP, USCIS, TSA, USSS, ICE), and the Federal Aviation Authority (FAA).
## Tools & Infrastructure
- **Malware Families Used:** Not specified.
- **Infrastructure (C2, domains, IPs):** Telegram channel (which was repeatedly banned).
- **Data Format:** Four distinct `.csv` files containing names, work/potentially personal email addresses, phone numbers, and postal addresses.
## Implications
This actor poses a direct threat to the security and privacy of government personnel through targeted doxing campaigns. The successful acquisition and publication of data from sensitive agencies like the FBI and DHS suggest a potential insider threat capability or sophisticated external collection methods. The use of known ransomware/hacktivist naming conventions implies an intent to maximize media attention and disruption.
## Mitigations
- **Communications Security:** Immediate notification and mandatory password resets for affected employees, particularly where work and personal contact information overlap.
- **Endpoint Monitoring:** Enhanced monitoring on agency networks, especially for compromised credentials that may have provided the initial data source.
- **Data Source Verification:** Agencies (DOJ/FBI, DHS, etc.) must investigate the source of the leak to determine if internal controls or access logging failed.
- **Social Media Monitoring:** Increased vigilance regarding external platforms (like Telegram) for data leaks targeting organizational staff.
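The notification step above assumes a responder can quickly work out which agency's staff appear in a leaked file, which is harder when, as the article notes, the CSVs are unsorted and mixed across agencies. The following is an added example, not code from the article or from any of the agencies named, of a small triage routine for that task: it parses a constructed CSV with the same column types the article describes (name, email, phone, postal address), normalizes and deduplicates entries, attributes each row to an agency by mail domain, groups by state for notification lists, and produces SHA-256 fingerprints of the normalized addresses so matching indicators can be handed to each agency's identity team without redistributing the raw contact data. The sample rows, the `.example.gov` domains, and the `DOMAIN_TO_AGENCY` mapping are all constructed placeholders.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a "poorly organized" leak file: agencies mixed together,
# inconsistent casing and whitespace, a duplicate row, nothing sorted. Every value
# is a fictional placeholder, not data from the leak the article describes.
SAMPLE_CSV = """name,email,phone,address
Jane Doe, JDOE@fema.example.gov ,555-0100,"1 Main St, Austin, TX 78701"
John Roe,jroe@usao.example.gov,555-0101,"2 Oak Ave, Denver, CO 80202"
Jane Doe,jdoe@fema.example.gov,555-0100,"1 Main St, Austin, TX 78701"
Ann Poe,apoe@cbp.example.gov,555-0102,"3 Pine Rd, Miami, FL 33101"
Bob Moe,bob.moe@gmail.example.com,555-0103,"4 Elm St, Austin, TX 78702"
"""

# Hypothetical mapping from mail domain to owning agency. A real responder would
# load this from an authoritative domain inventory rather than hard-code it.
DOMAIN_TO_AGENCY = {
    "fema.example.gov": "DHS/FEMA",
    "cbp.example.gov": "DHS/CBP",
    "usao.example.gov": "DOJ/USAO",
}


def normalize_email(raw):
    """Trim whitespace and lower-case so duplicates with different casing collapse."""
    return raw.strip().lower()


def state_from_address(addr):
    """Pull the two-letter state from a 'street, city, ST zip' address; UNKNOWN otherwise."""
    parts = [p.strip() for p in addr.split(",")]
    if len(parts) < 3:
        return "UNKNOWN"
    tail = parts[-1].split()
    return tail[0].upper() if tail and len(tail[0]) == 2 else "UNKNOWN"


def parse_leak(text):
    """Parse the CSV, normalize fields, drop duplicate emails, and sort for notification.

    Returns a list of dicts with keys: email, agency, state. Rows whose domain is not
    in DOMAIN_TO_AGENCY are kept and labelled 'non-agency/personal', since personal
    addresses for staff still warrant notification.
    """
    seen = set()
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        email = normalize_email(row["email"])
        if email in seen:
            continue
        seen.add(email)
        domain = email.rsplit("@", 1)[-1]
        records.append({
            "email": email,
            "agency": DOMAIN_TO_AGENCY.get(domain, "non-agency/personal"),
            "state": state_from_address(row["address"]),
        })
    # Group each agency's list by state, then by address, so it can be handed
    # to the right regional contact without further sorting.
    records.sort(key=lambda r: (r["agency"], r["state"], r["email"]))
    return records


def exposure_counts(records):
    """Number of distinct exposed addresses per agency, for the initial sizing report."""
    counts = defaultdict(int)
    for r in records:
        counts[r["agency"]] += 1
    return dict(counts)


def email_fingerprints(records):
    """Map agency -> sorted SHA-256 hex digests of its normalized addresses.

    Sharing digests lets an agency match against its own directory without the
    responder re-circulating the raw leaked contact data.
    """
    out = defaultdict(list)
    for r in records:
        out[r["agency"]].append(hashlib.sha256(r["email"].encode("utf-8")).hexdigest())
    return {agency: sorted(digests) for agency, digests in out.items()}


if __name__ == "__main__":
    recs = parse_leak(SAMPLE_CSV)
    for r in recs:
        print(r["agency"], r["state"], r["email"])
    print(exposure_counts(recs))
```

Deduplicating on the normalized email before counting matters because leak files of this kind often contain the same person several times; counting raw rows would overstate the number of staff to notify and make the per-agency figures unreliable.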