Today, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) report summarizing the findings of its review into the activities associated with a threat actor group known as Lapsus$. The CSRB found that Lapsus$ leveraged simple techniques to evade industry-standard security tools that are a lynchpin of many corporate cybersecurity programs and outlined 10 actionable recommendations for how government, companies, and civil society can better protect against Lapsus$ and similar groups. The report was delivered to President Joseph R. Biden, Jr. through Secretary of Homeland Security Alejandro N. Mayorkas.
“Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board,” said Secretary of Homeland Security Alejandro N. Mayorkas. “As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector.”
Beginning in late 2021 and late into 2022, Lapsus$ reportedly employed techniques to bypass a range of commonly used security controls and successfully infiltrated dozens of well-resourced organizations. The CSRB engaged with nearly 40 organizations and individuals — including representatives from threat intelligence firms, incident response firms, targeted organizations, international law enforcement organizations, as well as individual researchers and subject matter experts, and companies targeted in the attacks — to better understand the incidents and recommend safety improvements for the future.
The CSRB found that Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data. Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design. The report also includes recommendations for cell phone carriers to better protect their customers by implementing stringent authentication methods, and for the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to mandate and standardize best practices to combat SIM swapping.
“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers. “We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”
“The Cyber Safety Review Board took on this review to better understand Lapsus$’s tactics and help organizations protect themselves,” said CSRB Deputy Chair Heather Adkins. “Our findings noted the weaknesses with many current methods of authentication, and we provide timely and actionable recommendations for all organizations to put stronger defenses in place.”
“The CSRB’s latest report reinforces the need for all organizations to take urgent steps to increase their cyber resilience, including the implementation of phishing-resistant multi-factor authentication,” said Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. “I look forward to working with our federal and industry partners to act on the CSRB’s recommendations, to include continuing our secure-by-design work with technology manufacturers to ensure that necessary security features are provided to customers without additional cost.”
As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established the CSRB in February 2022. The CSRB provides a unique forum for leading government and industry experts to review significant cybersecurity events and provide recommendations to better protect our nation. DHS and the CSRB are committed to transparency and will, whenever possible, release public versions of CSRB reports, consistent with applicable law and the need to protect sensitive information from disclosure.
To read the full report, visit CISA.gov/CSRB.