The Cyber Safety Review Board (CSRB) – established by the Department of Homeland Security (DHS) – has released its long-awaited review on the Lapsus$ hacking group, which attacked various government agencies and corporate networks from 2021 to 2022.
The report comes after the CSRB announced the investigation into Lapsus$ in late 2022. It has since worked with almost 40 organizations and individuals to gather insights into the hacking group’s actions and develop recommendations.
“Lapsus$ operated against a backdrop of other criminal groups employing similar methods … these groups demonstrated the still-prevalent vulnerabilities in our cyber ecosystem. They showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims,” stated the CSRB.
The report found that “Lapsus$ employed low-cost techniques, well-known and available to other threat actors, revealing weak points in our cyber infrastructure.” It also found that current “multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers.”
The report also found that the group was able to “easily gain initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks.” A SIM swap moves the victim’s phone number to a handset the attacker controls, so any one-time code delivered by SMS or voice call is delivered to the attacker, which is why the Board treats SMS-based MFA as insufficient.
The report also notes that many organizations do not include “third-party service providers and business process outsourcers (BPOs) in their risk management programs, enabling threat actors to exploit client relationships and conduct downstream attacks.”
Another critical finding concerns the “juvenile status” of many of the threat actors, which can constrain Federal law enforcement’s options and “yield lighter penalties under their home countries’ legal frameworks,” the report states.
The CSRB made the following recommendations for technology providers and organizations:
- Move toward a passwordless world and adopt FIDO2 (Fast IDentity Online) authentication;
- Prioritize efforts to reduce the efficacy of social engineering;
- Build resilience against illegal SIM swapping;
- Strengthen the oversight and enforcement powers of the Federal Communications Commission (FCC) and Federal Trade Commission (FTC);
- Plan for cyber intrusions and invest in prevention and recovery capabilities;
- Mature the cybersecurity capabilities of third-party providers, with U.S. government support for those efforts;
- Advance “whole-of-society” programs and mechanisms for juvenile cybercrime prevention and intervention;
- Increase timely reporting of cyberattacks to federal responders;
- Increase international law enforcement cooperation; and
- Build resilience for Emergency Disclosure Requests (EDRs) against social engineering attacks.
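The finding that broadly deployed MFA is insufficient, and the recommendation to adopt FIDO2, can be made concrete. The following Go program is an added illustration written for this page; it is not code from the CSRB report or from any organization the report discusses. It models a SIM-swapped attacker trivially passing an SMS one-time-code check, then shows the three checks a FIDO2 relying party performs (the challenge it issued, the origin it expects, a signature by the enrolled key) rejecting both an assertion relayed through a look-alike site and a forgery by an attacker who holds the victim’s phone number but not the credential key. The origins, phone number and handset names are hypothetical, clientDataJSON is reduced to its three relevant fields, and Ed25519 stands in for whatever signature algorithm a real authenticator negotiates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Hypothetical origins for the scenario (assumptions, not from the report).
const (
	realOrigin     = "https://login.example.com"
	phishingOrigin = "https://login-example.com" // look-alike run by the attacker
)

// clientData carries the fields of WebAuthn's clientDataJSON that matter here.
// The browser, not the user, fills in origin with the page that called
// navigator.credentials.get(); that is what makes the assertion non-relayable.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the relying party.
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// authenticator holds the credential private key. It never leaves the device,
// so there is no shared secret (like an SMS code) for a SIM swap to intercept.
type authenticator struct{ priv ed25519.PrivateKey }

func newAuthenticator() (authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return authenticator{priv: priv}, pub
}

// sign models browser plus authenticator. Simplification: real WebAuthn signs
// authenticatorData || SHA-256(clientDataJSON); here only the hash is signed.
func (a authenticator) sign(challenge, origin string) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	return assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, h[:])}
}

// relyingParty is the server: its own origin, the enrolled public key, and the
// single-use challenge it last issued.
type relyingParty struct {
	origin    string
	pub       ed25519.PublicKey
	challenge string
}

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	rp.challenge = fmt.Sprintf("%x", b)
	return rp.challenge
}

// verify performs the checks that make FIDO2 phishing-resistant: the challenge
// is the one we issued (no replay), the origin is ours (no relay through a
// look-alike site), and the signature is by the enrolled key (no forgery).
func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if rp.challenge == "" || cd.Challenge != rp.challenge {
		return fmt.Errorf("challenge mismatch")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.origin)
	}
	h := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(rp.pub, h[:], as.Signature) {
		return fmt.Errorf("bad signature")
	}
	rp.challenge = "" // consumed; a replay of this assertion now fails
	return nil
}

func enroll() (authenticator, *relyingParty) {
	auth, pub := newAuthenticator()
	return auth, &relyingParty{origin: realOrigin, pub: pub}
}

// LegitimateFIDO2Login: the user on the real site signs the real challenge.
func LegitimateFIDO2Login() error {
	auth, rp := enroll()
	return rp.verify(auth.sign(rp.newChallenge(), realOrigin))
}

// RelayedFIDO2Login: a phishing proxy fetches a genuine challenge, shows the
// victim a look-alike page and forwards the victim's assertion. The victim's
// browser stamps the phishing origin into clientDataJSON, so the RP rejects it.
func RelayedFIDO2Login() error {
	auth, rp := enroll()
	challenge := rp.newChallenge()                  // attacker obtains this from the real RP
	relayed := auth.sign(challenge, phishingOrigin) // victim signs on the look-alike page
	return rp.verify(relayed)
}

// ForgedFIDO2Login: an attacker who has taken over the victim's phone number
// still has no credential key; signing with their own key fails verification.
func ForgedFIDO2Login() error {
	_, rp := enroll()
	attacker, _ := newAuthenticator()
	return rp.verify(attacker.sign(rp.newChallenge(), realOrigin))
}

// SMSOTPAfterSIMSwap is the contrast: an SMS code is bound to a phone number,
// a SIM swap re-points that number at the attacker's handset, and the server's
// check (string equality on the code) cannot tell who received it.
func SMSOTPAfterSIMSwap() bool {
	carrier := map[string]string{"+1-555-0100": "victim-handset"} // constructed sample
	carrier["+1-555-0100"] = "attacker-handset"                   // social-engineered port-out
	b := make([]byte, 3)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	otp := fmt.Sprintf("%x", b)
	inbox := map[string]string{carrier["+1-555-0100"]: otp} // SMS lands wherever the number points
	return inbox["attacker-handset"] == otp
}

func main() {
	fmt.Println("legitimate FIDO2:", LegitimateFIDO2Login())
	fmt.Println("relayed FIDO2:", RelayedFIDO2Login())
	fmt.Println("forged FIDO2:", ForgedFIDO2Login())
	fmt.Println("SMS OTP accepted after SIM swap:", SMSOTPAfterSIMSwap())
}
```

Run it with `go run .`; the two attack paths fail for different reasons (origin versus signature), while the SMS check passes for whoever holds the number. A production relying party additionally validates the RP ID hash and signature counter in authenticatorData and the user-presence flag; those are omitted here to keep the origin-binding point visible.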
“As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector,” stated DHS Secretary Alejandro Mayorkas.