TeamPCP, LAPSUS Claims: A Supply Chain Mess with Anti-Iran Twist
Recent reporting from 'חדשות סייבר - ארז דסה' ("Cyber News - Erez Dasa") sheds light on the interplay between the threat groups TeamPCP and LAPSUS in a supply chain attack. Early research attributed the Kamikaze wiper to TeamPCP: malware built to automatically delete data on Iranian systems, which suggested an anti-Iranian or pro-Israeli stance. That reading was reinforced by the group's X account, which lists 'Israel' as its location and was created only recently.
The narrative shifts, however, with claims made by LAPSUS. According to LAPSUS, it originally held access to Trivy, a tool from the Israeli company Aqua Security. Rather than using that access itself for data theft and extortion, LAPSUS says it handed the access to TeamPCP under an agreement: TeamPCP would deploy a payload that leveraged Trivy to compromise more than 1,000 downstream organizations. LAPSUS asserts that Trivy was the single entry point behind the subsequent breaches at LiteLLM, Checkmarx, and Telnyx, framing the whole incident as one continuous supply chain attack.
If LAPSUS's account holds true, LAPSUS supplied the Trivy access and TeamPCP used it to distribute malware that harvested authentication tokens from numerous organizations. As a 'bonus', TeamPCP also triggered its anti-Iranian data deletion function. TeamPCP then allegedly shared some of the stolen tokens with LAPSUS, which proceeded with its usual data theft and extortion. Asked about any connection between TeamPCP and Israel, LAPSUS reportedly denied knowing of such a link, casting further doubt on TeamPCP's apparent pro-Israel positioning. None of this has been independently verified; it rests on statements by the actors themselves.
What This Means For You
- Security teams must map the interconnectedness of their software supply chain, recognizing that a single compromised vendor or tool (Trivy, in this account) can serve as a pivot point for multiple, possibly unrelated, threat actors with different objectives: here, token theft and extortion on one side and a wiper on the other.
- Because the claimed attack chain runs on harvested authentication tokens, any pipeline that ran the affected tool should have every credential reachable from that execution context (CI tokens, registry, cloud and API keys) rotated and its usage reviewed; the downstream breaches were enabled by stolen tokens, so rotation, not only an update of the tool, closes the exposure.
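A concrete starting point for the mapping step above is an inventory of which third-party CI tools each repository pulls in, how they are pinned, and how many repositories a single tool can reach. The script below is an added example written for this page, not code from the original article or from any of the companies it names. It parses `uses:` references out of GitHub Actions workflows, which is one common way a scanner such as Trivy is consumed; the three workflow snippets are constructed samples, the repository names are hypothetical, and the 40-character pin is a placeholder, not a real commit.

```python
import re
from collections import defaultdict

# Constructed sample workflows for three hypothetical repositories.
# Not real files; the 40-hex pin is a placeholder, not a real commit.
SAMPLE_WORKFLOWS = {
    "org/api-gateway": """
name: ci
jobs:
  scan:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
""",
    "org/billing": """
name: ci
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: ./.github/actions/local-helper
""",
    "org/docs-site": """
name: pages
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
""",
}

# Matches `uses:` lines in a workflow (with or without a leading list dash).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
# An immutable pin is a full 40-hex commit SHA; tags and branches can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow_text):
    """Return [(action, ref)] for every external `uses:` reference."""
    out = []
    for m in USES_RE.finditer(workflow_text):
        spec = m.group(1)
        if spec.startswith("./"):
            continue  # local composite action, not a third-party dependency
        action, _, ref = spec.rpartition("@")
        if not action:  # no '@' at all: rpartition puts the whole spec in ref
            action, ref = spec, ""
        out.append((action, ref))
    return out


def build_inventory(workflows):
    """Map tool -> repo -> list of refs used, across all workflows."""
    inv = defaultdict(lambda: defaultdict(list))
    for repo, text in workflows.items():
        for action, ref in parse_uses(text):
            inv[action][repo].append(ref)
    return inv


def is_immutable_pin(ref):
    return bool(SHA_RE.match(ref))


def blast_radius(inv, tool):
    """Repositories that would be exposed if `tool` were compromised."""
    return sorted(inv.get(tool, {}))


def unpinned_uses(inv):
    """(repo, tool, ref) triples where the ref can be silently retargeted."""
    return sorted(
        (repo, tool, ref)
        for tool, repos in inv.items()
        for repo, refs in repos.items()
        for ref in refs
        if not is_immutable_pin(ref)
    )


def widely_shared_tools(inv, min_repos=2):
    """Tools present in at least `min_repos` repositories: the pivot points."""
    return sorted(t for t, repos in inv.items() if len(repos) >= min_repos)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_WORKFLOWS)
    for tool in widely_shared_tools(inv):
        print(f"{tool}: reaches {blast_radius(inv, tool)}")
    for repo, tool, ref in unpinned_uses(inv):
        print(f"unpinned: {repo} uses {tool}@{ref or '<none>'}")
```

Run against a checkout of all workflow files rather than the embedded samples, the `widely_shared_tools` output is the list to keep in front of you during an incident like the one described: it answers "which repositories ran this tool, and therefore which secrets need rotating" without waiting on a vendor statement. The pinning check matters for the same reason; a tool referenced by a branch or tag can be replaced upstream without any change on your side.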