Executive Summary
In November 2025, CrowdStrike disclosed that an employee had shared screenshots of internal systems with external threat actors. The images were posted on Telegram by the Scattered Lapsus$ Hunters group and showed internal dashboards, giving outsiders a view of parts of CrowdStrike's infrastructure and internal processes. CrowdStrike conducted an internal investigation, terminated the employee, stated that its systems were not compromised, and referred the matter to law enforcement. The incident illustrates the difficulty of defending against trusted insiders who act maliciously or under external influence.
The case matters because insider-driven incidents are increasingly paired with social engineering by organised threat groups, who recruit or coerce staff precisely because a valid account bypasses perimeter defences. It underscores the need for organizations to monitor internal activity closely and to adopt zero trust models in which possession of credentials alone does not grant broad visibility.
Why This Matters Now
With insider threats on the rise and threat actors targeting employees for privileged access, organizations must prioritize internal activity monitoring and least privilege policies to prevent and quickly detect data leaks. Regulatory scrutiny and evolving attacker tactics mean that the risks from trusted insiders have never been higher.
Attack Path Analysis
What the cited sources establish is narrow: an insider with legitimate credentials viewed internal systems and captured screenshots of them, and those screenshots reached an external group that published them on Telegram. The remaining stages below are inferred from typical insider cases and are not confirmed for this incident. Such an insider could use the same credentials to enumerate and reach additional systems or privileged data, move across segmented environments to which their role grants access, and pass material to outside parties through personal devices or covert channels that corporate egress controls never see. Screenshots are a particularly hard exfiltration vector: they bypass DLP rules that inspect file content, and a photograph of a screen taken with a personal phone leaves no network trace at all. The confirmed impact was exposure of internal system details and reputational harm from the public leak.
Kill Chain Progression
Initial Compromise
Description
An insider with legitimate credentials accessed internal systems, enabling the entry point for the malicious operation.
Related CVEs
CVE-2025-61882
Listed description: CVSS 9.1, a vulnerability in Salesforce's OAuth implementation allowing attackers to obtain access tokens and reach customer data.
Affected Products:
Salesforce Salesforce CRM – All versions prior to patch
Exploit Status:
exploited in the wild
Caveat: none of the cited sources link this CVE, or any CVE, to the CrowdStrike incident, and the attack path above required no exploited vulnerability, only an insider's legitimate credentials. Verify the identifier before reusing it: the NVD record for CVE-2025-61882 does not describe a Salesforce product.
MITRE ATT&CK® Techniques
Evidenced by the cited sources:
- Valid Accounts (T1078): the insider used their own legitimate credentials.
- Screen Capture (T1113): screenshots of internal dashboards were the leaked artefact.
Inferred, not confirmed for this incident:
- Account Discovery (T1087)
- Automated Collection (T1119)
- Data Staged (T1074)
- Obfuscated Files or Information (T1027)
- Exfiltration Over C2 Channel (T1041)
- Transfer Data to Cloud Account (T1537)
- Phishing (T1566): relevant only if the insider was first recruited or coerced through social engineering, which the sources do not establish.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Audit Logs Enabled and Active for All System Components
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Human Resources Security, Access Control Policies and Asset Management
Control ID: Article 21(2)(i)
CISA Zero Trust Maturity Model 2.0 – Identity Monitoring and Response
Control ID: Identity Pillar: Activity Monitoring
DORA – Digital Operational Resilience Act – ICT Security Policies and Procedures
Control ID: Article 9(2)
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer/Network Security
An insider at a security vendor shows that privileged access abuse is not only an outsider problem: the same staff who operate detection and segmentation tooling can screenshot it, so vendors need least privilege and activity monitoring applied to their own operators.
Financial Services
Encrypted transport and egress controls constrain outsiders; an insider with legitimate access operates inside both. Institutions should treat screen capture and out-of-band handoff as exfiltration paths when assessing PCI DSS and DORA obligations.
Health Care / Life Sciences
Multicloud visibility gaps widen the window in which an insider can browse patient data undetected. HIPAA access logging should cover console views, not only file transfers, and east-west monitoring should flag access outside a user's normal scope.
Government Administration
Agencies handling classified or otherwise sensitive information must pair policy enforcement with anomaly detection on user behaviour, since the national-security consequences of a single trusted insider are disproportionate to the access involved.
Sources
- CrowdStrike catches insider feeding information to hackers – https://www.bleepingcomputer.com/news/security/crowdstrike-catches-insider-feeding-information-to-hackers/
- CrowdStrike fires 'suspicious insider' who passed information to hackers – https://techcrunch.com/2025/11/21/crowdstrike-fires-suspicious-insider-who-passed-information-to-hackers/
- Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand – https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/
- Flash Report: Scattered Lapsus$ Hunters Announce Return – https://www.zerofox.com/intelligence/flash-report-scattered-lapsus-hunters-announce-return/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust principles, including microsegmentation, visibility, egress filtering, and continuous anomaly detection, limits which systems an insider can reach, flags data transfers that do not match the user's baseline, and blocks unsanctioned export over the corporate network. None of these controls stops a photograph of a screen taken with a personal device, so the residual control is least privilege over what the insider can see in the first place, backed by audit logging of console access so that a leak can be attributed quickly.
Control: Zero Trust Segmentation
Mitigation: Restricts initial access to only the minimum required resources per user identity, and blocks unauthorized privilege escalation or lateral access attempts.
Control: East-West Traffic Security
Mitigation: Detects and restricts abnormal intra-network movement.
Control: Threat Detection & Anomaly Response
Mitigation: Flags and disrupts suspicious outbound communications consistent with data staging or external handoff.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or alerts on unsanctioned data export from protected zones.
Across all controls: unified forensics and policy audit trails for rapid incident response.
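The "Threat Detection & Anomaly Response" control above is easiest to see as code. The following is an added example, not CrowdStrike's code nor that of any product named on this page: it builds a per-identity baseline of which internal systems a user normally touches from historical audit events, then scores new events for first-time access to sensitive consoles, access to systems outside the baseline, off-hours activity, and a sudden widening of access breadth. The audit events, hostnames, user names, sensitive-console list and business-hours window are all constructed assumptions.

```python
"""Baseline-and-deviation scoring for insider access patterns.

Added illustration (not CrowdStrike's code or any vendor product). All log
lines, hostnames, users and policy constants below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]  # (user, system, ISO-8601 timestamp)

# Constructed historical audit events standing in for ~30 days of SSO/IdP or
# bastion logs that a real deployment would pull from its SIEM.
BASELINE_EVENTS: List[Event] = [
    ("alice", "ticketing", "2025-10-01T09:12:00"),
    ("alice", "wiki", "2025-10-01T10:03:00"),
    ("alice", "ticketing", "2025-10-02T09:30:00"),
    ("alice", "wiki", "2025-10-03T11:45:00"),
    ("bob", "ci-dashboard", "2025-10-01T08:55:00"),
    ("bob", "ticketing", "2025-10-02T14:20:00"),
]

# Constructed new events to score: alice's last four are the insider pattern.
NEW_EVENTS: List[Event] = [
    ("alice", "ticketing", "2025-11-03T09:05:00"),     # normal
    ("alice", "ci-dashboard", "2025-11-03T13:40:00"),  # outside baseline, low
    ("alice", "idp-admin", "2025-11-03T22:30:00"),     # sensitive + off-hours
    ("alice", "prod-bastion", "2025-11-03T22:41:00"),  # sensitive + off-hours
    ("alice", "billing-db", "2025-11-03T23:02:00"),    # sensitive + off-hours
    ("bob", "ci-dashboard", "2025-11-03T09:00:00"),    # normal for bob
]

# Consoles whose first access by any identity always warrants review
# (assumed classification; a real list comes from the asset inventory).
SENSITIVE_SYSTEMS = {"idp-admin", "prod-bastion", "billing-db"}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; assumed policy


def build_baseline(events: List[Event]) -> Dict[str, Set[str]]:
    """Map each user to the set of systems they touched in the baseline window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for user, system, _ in events:
        baseline[user].add(system)
    return dict(baseline)


def score_events(new_events: List[Event], baseline: Dict[str, Set[str]],
                 breadth_factor: float = 2.0) -> List[dict]:
    """Return one finding per deviation from the baseline.

    Signals and the ATT&CK behaviour each surfaces:
      first_access_sensitive  -> Valid Accounts abuse (T1078) on a privileged console
      new_system              -> Account/System Discovery widening the footprint
      off_hours               -> activity outside the assumed working window
      breadth_spike           -> distinct systems in one day > breadth_factor x baseline
    """
    findings: List[dict] = []
    per_day: Dict[tuple, Set[str]] = defaultdict(set)
    for user, system, ts in new_events:
        when = datetime.fromisoformat(ts)
        known = baseline.get(user, set())
        per_day[(user, when.date())].add(system)
        if system in SENSITIVE_SYSTEMS and system not in known:
            findings.append({"user": user, "system": system, "ts": ts,
                             "signal": "first_access_sensitive", "severity": "high"})
        elif system not in known:
            findings.append({"user": user, "system": system, "ts": ts,
                             "signal": "new_system", "severity": "low"})
        if when.hour not in BUSINESS_HOURS:
            findings.append({"user": user, "system": system, "ts": ts,
                             "signal": "off_hours", "severity": "medium"})
    for (user, day), systems in per_day.items():
        known_breadth = max(len(baseline.get(user, set())), 1)
        if len(systems) > breadth_factor * known_breadth:
            findings.append({"user": user, "system": None, "ts": str(day),
                             "signal": "breadth_spike", "severity": "high",
                             "detail": f"{len(systems)} systems vs baseline {known_breadth}"})
    return findings


def run_demo() -> List[dict]:
    """Score the constructed new events against the constructed baseline."""
    return score_events(NEW_EVENTS, build_baseline(BASELINE_EVENTS))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the constructed data, bob produces no findings while alice produces eight: one low-severity new-system hit, three first-access-to-sensitive-console hits, three off-hours hits, and one breadth spike (five distinct systems in a day against a baseline of two). In practice the baseline window, the sensitive-console list and the breadth factor are tuned per role, and the findings feed a SOAR playbook rather than being printed.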
Impact at a Glance
Affected Business Functions
- Internal Security Operations
- Customer Data Management
Estimated downtime: 2 days (page estimate; not reported by the cited sources)
Estimated loss: $500,000 (page estimate; not reported by the cited sources)
Potential exposure of internal security tooling and process details from the leaked screenshots. The cited sources report CrowdStrike's statement that its systems were not compromised; no customer data exposure is confirmed.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation to tightly constrain insider access to only the resources necessary for their role.
- Implement and automate egress controls to block or alert on unauthorized data transfers to external parties.
- Continuously monitor and baseline user and workload activity to detect suspicious behavior and insider threats in real time.
- Enhance east-west traffic visibility and response capabilities for rapid detection of lateral movement within cloud and hybrid environments.
- Maintain centralized visibility and unified policy enforcement across all cloud, hybrid, and on-prem domains to accelerate detection, investigation, and containment of insider incidents.
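The egress-control recommendation above is the one most often left as a slogan. The following is an added example, not code from any product named on this page, of a deny-by-default egress policy evaluated over flow records: each protected zone has an allow-list of destination host and port pairs, known unsanctioned cloud and messaging destinations are blocked outright, and a large transfer to an otherwise allowed destination raises an alert instead of passing silently. Zone names, hostnames, the unsanctioned-destination list, the size threshold and the sample flows are all constructed assumptions.

```python
"""Deny-by-default egress policy evaluation for flows leaving a protected zone.

Added illustration, not code from any product named on this page. Zones,
allow-list entries, thresholds and flow records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Flow:
    src_zone: str
    user: str
    dst_host: str
    dst_port: int
    bytes_out: int


# Per-zone egress allow-list: destination host -> permitted ports.
# Anything not listed is denied; that default is the whole point of the control.
EGRESS_POLICY: Dict[str, Dict[str, Set[int]]] = {
    "soc-internal": {
        "updates.example-vendor.com": {443},
        "siem.corp.example": {443, 6514},
    },
    "corp-workstations": {
        "mail.corp.example": {443},
        "api.sanctioned-cloud.example": {443},
    },
}

# Destinations classed as unsanctioned personal cloud storage or messaging
# (assumed list; a real one comes from CTI feeds and the CASB catalogue).
UNSANCTIONED_CLOUD = {"api.telegram.org", "files.personal-drive.example"}

# Above this many bytes, even an allowed destination gets an exfil alert (assumed).
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024


def evaluate(flow: Flow) -> dict:
    """Return an action ('allow', 'alert' or 'block') with the reason for it."""
    zone_policy = EGRESS_POLICY.get(flow.src_zone)
    if zone_policy is None:
        # Unknown zones get no implicit permissions.
        return {"action": "block", "reason": f"unknown source zone {flow.src_zone}"}
    if flow.dst_host in UNSANCTIONED_CLOUD:
        # Transfer Data to Cloud Account / Exfiltration Over Web Service.
        return {"action": "block", "reason": "unsanctioned cloud or messaging destination",
                "technique": "T1537/T1567"}
    allowed_ports = zone_policy.get(flow.dst_host)
    if allowed_ports is None or flow.dst_port not in allowed_ports:
        return {"action": "block", "reason": "destination/port not on zone allow-list"}
    if flow.bytes_out > LARGE_TRANSFER_BYTES:
        # Allowed destination, but the volume looks like staged data leaving.
        return {"action": "alert", "reason": "large outbound transfer to allowed destination"}
    return {"action": "allow", "reason": "on allow-list"}


def evaluate_all(flows: List[Flow]) -> List[dict]:
    """Evaluate every flow and attach the decision to it."""
    return [{"flow": f, **evaluate(f)} for f in flows]


# Constructed sample flows exercising each branch of the policy.
SAMPLE_FLOWS: List[Flow] = [
    Flow("soc-internal", "alice", "siem.corp.example", 6514, 4096),               # allow
    Flow("soc-internal", "alice", "api.telegram.org", 443, 120_000),              # block: unsanctioned
    Flow("soc-internal", "alice", "updates.example-vendor.com", 443, 200 * 1024 * 1024),  # alert: volume
    Flow("corp-workstations", "bob", "mail.corp.example", 25, 1_000),             # block: wrong port
    Flow("lab", "carol", "siem.corp.example", 443, 10),                           # block: unknown zone
]


if __name__ == "__main__":
    for decision in evaluate_all(SAMPLE_FLOWS):
        f = decision["flow"]
        print(f"{f.src_zone:17} {f.user:6} {f.dst_host}:{f.dst_port} "
              f"{f.bytes_out:>10} -> {decision['action']:5} ({decision['reason']})")
```

The sample flows resolve to allow, block, alert, block, block in that order. The ordering of checks matters: the unsanctioned-destination test runs before the allow-list lookup so that a misconfigured allow-list entry cannot quietly whitelist a known exfiltration service, and the volume check runs last so that it only fires on traffic that policy would otherwise permit.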