Cyber Safety Review Board (CSRB) investigative report on Lapsus$ Hacking Group
Lapsus$ constitutes a predominantly adolescent, loosely-organized hacker collective. However, reports reveal that from the latter part of 2021 to the end of 2022, Lapsus$ employed various techniques to circumvent conventional security measures and successfully infiltrated dozens of companies with robust security frameworks. This attracted the attention of the United States Cyber Safety Review Board (CSRB).
Prominent companies affected by the Lapsus$ hacking group include Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, and Globant, among others.
On August 10th, the U.S. Department of Homeland Security (DHS) released the findings of the United States Cyber Safety Review Board (CSRB) on the activities of Lapsus$. The inquiry exposed that Lapsus$ managed to bypass key elements of corporate cyber defenses using rudimentary techniques. The CSRB discovered that the Lapsus$ hacking group and associated threat actors primarily resorted to low-cost techniques, such as mobile number theft and phishing attacks on employees, to gain access to proprietary corporate data. The report noted a collective failure in organizations to consider the risks associated with SMS and voice call-based multi-factor authentication.
“Lapsus$ operated against a backdrop of other criminal groups employing similar methods … these groups demonstrated the still-prevalent vulnerabilities in our cyber ecosystem. They showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims,” stated the CSRB.
According to the report, the gang mainly leveraged SIM card swap attacks to access targeted companies’ internal networks and steal confidential information (such as source code, proprietary technology details, or files relating to businesses and customers). During this process, the threat actors would transfer the victim’s mobile number to a SIM card under their control. The success rate of this technique depended on social engineering and insiders within the victim’s mobile carrier. Once in possession of the victim’s mobile number, the attackers could access various corporate services or breach corporate networks by receiving temporary codes required for SMS-based two-factor authentication (2FA).
In one instance, Lapsus$ attempted to breach mobile accounts associated with FBI and Department of Defense personnel by exploiting unauthorized access to telecom providers. As these accounts had additional security measures, the attack attempt was unsuccessful.
The CSRB included several recommendations in its report to counter such attacks:
- Implement secure identity and access management solutions, transition to a passwordless environment, and abandon SMS as a method for two-factor authentication.
- Employ strong authentication methods that withstand phishing aimed at MFA credentials, prioritizing those that reduce the effectiveness of social engineering.
- Telecom providers should regard SIM card swapping as a high-privilege operation that requires robust authentication and offer consumers the option to lock their accounts.
- Plan for potentially disruptive cyber attacks, investing in prevention, response, and recovery measures.
- Adopt a zero-trust model and enhance authentication practices, among others.
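The recommendations above can be turned into a per-account policy check. The following is an added example, not code from the CSRB report or any of the affected companies; the factor classes, the `Account` fields and the sample accounts are this example's own assumptions, chosen to mirror the report's points that SMS and voice-call factors fall to SIM swapping and that phishing-resistant factors should replace them.

```python
from dataclasses import dataclass, field

# Factor classes used by this example (assumed, not the report's taxonomy).
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}   # origin-bound, not relayable
APP_BASED = {"totp", "push"}                             # survives SIM swap, still phishable
PHONE_NUMBER_BOUND = {"sms", "voice"}                    # defeated by a SIM swap


@dataclass
class Account:
    user: str
    factors: set                      # enrolled second factors beyond the password
    recovery_via_phone: bool = False  # password reset codes are sent to the mobile number


@dataclass
class Verdict:
    compliant: bool
    findings: list = field(default_factory=list)


def evaluate(account: Account) -> Verdict:
    """Apply the policy 'no SMS/voice MFA, a phishing-resistant factor is required'."""
    findings = []
    phone = account.factors & PHONE_NUMBER_BOUND
    if not account.factors:
        findings.append(f"{account.user}: no second factor enrolled")
    if phone:
        # An enrolled weak factor remains selectable as a fallback, so it counts even
        # when a stronger factor exists alongside it.
        findings.append(f"{account.user}: phone-number-bound factor(s) {sorted(phone)} enrolled")
    if account.factors and not account.factors & PHISHING_RESISTANT:
        findings.append(f"{account.user}: no phishing-resistant factor (FIDO2/passkey)")
    if account.recovery_via_phone:
        # A SIM swap that captures the reset code bypasses every enrolled factor.
        findings.append(f"{account.user}: account recovery flows through the mobile number")
    return Verdict(compliant=not findings, findings=findings)


def non_compliant(accounts: list) -> list:
    """Return the users whose accounts fail the policy, for a fleet-wide report."""
    return [a.user for a in accounts if not evaluate(a).compliant]


# Constructed sample accounts for a stand-alone run.
SAMPLE = [
    Account("alice", {"sms"}, recovery_via_phone=True),
    Account("bob", {"fido2"}),
    Account("carol", {"totp"}),
    Account("dave", {"fido2", "sms"}),
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(evaluate(acct))
```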