Scattered Lapsus$
Google reveals a catastrophic supply-chain breach: 200+ companies hacked through...
Google's Threat Intelligence Group (GTIG) has confirmed a catastrophic supply chain attack with a staggering initial scope: data stolen from over 200 companies. The breach vector? Compromised applications from **Gainsight**, a customer success platform, published on the **[Salesforce](https://www.secureblink.com/cyber-security-news/inside-the-billion-record-extortion-blitz-hitting-salesforce-tenants)** ecosystem.
But this is far more than a single incident. This is the latest, highly sophisticated maneuver in a sustained campaign by the threat collective **UNC6240** (tracked by Google), also known as **"_[Scattered Lapsus$ Hunters](https://www.secureblink.com/cyber-security-news/lapsus-hackers-elevate-sim-swapping-attacks-to-unprecedented-heights)."_** This group, which includes members of the infamous **ShinyHunters**, is systematically targeting the very connective tissue of the modern enterprise: the trusted integrations between SaaS platforms.
## **Deconstructing the Attack Chain - A Timeline of Trust Exploited**
The attack demonstrates a chilling understanding of the modern cloud environment. This was not a smash-and-grab; it was a patient, multi-stage operation.
| Phase | Tactic & Technique | Context & Insight |
| :--- | :--- | :--- |
| **1. Initial Access** | **Compromise of [Gainsight](http://gainsight.com/security/) (c. August 2025)** | The group first breached Gainsight's internal systems nearly three months ago. They allegedly gained this initial foothold through a **prior, identical attack on the Salesloft Drift application**. This indicates a **software supply chain cascade**—one breached vendor becomes the stepping stone to the next. |
| **2. Persistence & Weaponization** | **Modification of Legitimate Apps** | From within Gainsight's environment, the actors targeted the company's legitimate applications on the Salesforce AppExchange. By compromising these apps, they turned a tool of business operations into a weapon. |
| **3. Lateral Movement & Privilege Escalation** | **Abusing OAuth and Trust Relationships** | When a company installs a Gainsight app, it grants the app certain permissions (OAuth tokens) to access Salesforce data. The attackers inherited these permissions. The critical failure? Many companies had granted these apps **excessive, broad-ranging data access (e.g., "Read/Write All")**, far beyond what was necessary for their function. |
| **4. Data Exfiltration** | **API-Based Data Harvesting** | Using the compromised apps' legitimate access, the attackers performed automated, large-scale data queries and exports via Salesforce APIs. Because this traffic came from a trusted, whitelisted source, it was incredibly difficult to distinguish from legitimate business activity. |
> **Technical Insight:** _"This attack completely bypasses traditional network security controls,"_ [explains](https://status.salesforce.com/generalmessages/20000233) a senior security engineer at an affected firm (who spoke on condition of anonymity). _"The traffic never hits your firewall. It's a trusted entity inside your perimeter, making authorized API calls to your most sensitive data repository. Your SIEM might see it, but without extremely granular behavioral baselines, it just looks like business as usual."_
## **UNC6240 & "Scattered Lapsus$" Playbook**
Understanding the "who" is key to understanding the "why." UNC6240 is not a typical nation-state actor. Their profile points to a financially motivated cybercrime group with a distinct modus operandi, heavily inspired by the original Lapsus$ group.
**Key Adversary Characteristics:**
* **Motivation:** **Financial Gain**. Their end goal is likely to extort the victim companies, sell the stolen data on dark web forums, or both.
* **Tactics:** **Social Engineering & MFA Fatigue**. They are known to use sophisticated phishing and SIM-swapping attacks to compromise employee credentials, often bombarding victims with MFA push notifications until one is accidentally approved.
* **Signature:** **Brazen Extortion & Public Shaming**. Like Lapsus$, they publicly name their victims on platforms like Telegram to maximize pressure for ransom payments. Their claims against giants like **CrowdStrike, DocuSign, GitLab, and LinkedIn** fit this pattern perfectly.
* **Strategic Focus:** **Software Supply Chains**. They are repeatedly targeting B2B SaaS providers (such as Gainsight and Salesloft) to amplify the impact of their attacks.
## **Not an Isolated Event**
To view the Gainsight breach in isolation is to miss the entire story. It is the second central act in a play that began months ago.
* **The Precedent: The Salesloft/Drift Breach (August 2025):** The exact same threat actors executed a nearly identical attack through Salesloft's Drift application. **Gainsight was itself a victim of that earlier breach**, which provided the springboard for this current, wider attack.
* **The Pattern:** This campaign reveals a deliberate strategy: identify widely used SaaS platforms that have high-level integrations with other critical systems, compromise one, and use it to attack its entire customer base. The attack surface is not a company's own infrastructure, but its web of trusted partners.
## **Moving Beyond "Check the Box" Security**
The standard advice of "patch your systems" is meaningless here. The defense requires a fundamental shift in strategy.
**Immediate Actions (This Week):**
1. **Conduct a Brutal Third-Party App Audit:** In your Salesforce, M365, Slack, and Snowflake environments, review every connected application. **Immediately revoke access for any that are non-essential or unfamiliar.** Do not delay.
2. **Scrutinize API Logs for Anomalies:** Look for patterns of data access that are abnormal in volume, frequency, or timing. Focus on large data queries and exports, especially from service accounts associated with third-party apps.
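A starting point for the log review in step 2, as an added example (not code from Google, Salesforce or Gainsight): it buckets connected-app API activity per hour, learns each app's busiest hour from a baseline window, and flags later hours that are either many times larger than that peak or fall outside business hours. The JSON record layout, the app and user names, the 07:00-20:00 UTC window and the 5x factor are all assumptions; the log records are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 20)  # UTC hours treated as normal for this tenant (assumption)
BURST_FACTOR = 5               # flag an hour that moves > 5x the app's busiest baseline hour

def build_sample_log():
    """Constructed sample: 3 days of modest business-hours queries from one
    connected app, then a 03:00 UTC burst of large bulk exports on day four."""
    recs = []
    for day in (17, 18, 19):
        for hour in range(9, 17):
            recs.append({"ts": f"2025-11-{day}T{hour:02d}:10:00Z", "app": "CustomerAnalyticsApp",
                         "user": "svc.analytics", "op": "Query", "rows": 150 + hour})
    for minute in range(0, 30, 5):
        recs.append({"ts": f"2025-11-20T03:{minute:02d}:00Z", "app": "CustomerAnalyticsApp",
                     "user": "svc.analytics", "op": "BulkApiJobComplete", "rows": 250_000})
    return "\n".join(json.dumps(r) for r in recs)

def hourly_totals(log_text):
    """Sum rows returned per (app, user, hour bucket). One JSON record per line (assumed layout)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        totals[(rec["app"], rec["user"], bucket)] += rec["rows"]
    return totals

def find_anomalies(log_text, baseline_end):
    """Return alerts for hours after `baseline_end` (ISO 8601 with offset) whose
    volume dwarfs the app's baseline peak or that fall off-hours."""
    cutoff = datetime.fromisoformat(baseline_end)
    totals = hourly_totals(log_text)
    peak = defaultdict(int)  # busiest baseline hour per (app, user)
    for (app, user, bucket), rows in totals.items():
        if bucket < cutoff:
            peak[(app, user)] = max(peak[(app, user)], rows)
    alerts = []
    for (app, user, bucket), rows in sorted(totals.items()):
        if bucket < cutoff:
            continue
        reasons = []
        # An app with no baseline at all (peak 0) is flagged on its first rows: unfamiliar apps deserve review.
        if rows > BURST_FACTOR * peak.get((app, user), 0):
            reasons.append(f"volume {rows} vs baseline peak {peak.get((app, user), 0)}")
        if bucket.hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours ({bucket.hour:02d}:00 UTC)")
        if reasons:
            alerts.append({"app": app, "user": user, "hour": bucket.isoformat(), "rows": rows, "reasons": reasons})
    return alerts
```

Tune the baseline window, hours and factor to each tenant; a bulk export tool that legitimately runs nightly needs its own profile rather than the business-hours rule.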
**Strategic Shifts (Long-Term):**
1. **Embrace Zero Trust for SaaS Integrations:** Apply the principle of **"Least Privilege Access"** ruthlessly. An app like Gainsight, used for customer analytics, should never have blanket "Read All" permissions. Its access should be scoped to specific data objects and fields only.
2. **Implement a CASB or SSPM:** A **Cloud Access Security Broker (CASB)** or **SaaS Security Posture Management (SSPM)** tool can automatically discover shadow IT, enforce security policies on sanctioned apps, and detect anomalous activity across your cloud portfolio.
3. **Assume Breach, Even with Vendors:** Your security model must now account for the compromise of your most trusted vendors. Segment data access, encrypt sensitive fields, and have an incident response plan that includes a "third-party vendor breach" scenario.
### **End of Innocence in the Interconnected Cloud**
The Gainsight breach is a watershed moment. It proves that the efficiency and connectivity of the modern SaaS ecosystem have created a systemic risk that we are only beginning to quantify.
The perimeter is no longer your network; it's the sum of all permissions you've granted to every third-party application. The attack surface is no longer your public IP range; it’s the entire OAuth token chain across your digital supply chain.
This incident is a call to action for CISOs and security teams everywhere: **The era of trusting third-party integrations by default is over. The era of verified, minimal, and continuously monitored access has begun.**
***This is a developing incident. Follow for ongoing technical analysis as more details from forensic investigations become available.***