
The CSRB weighs the lessons of Lapsus$

By Mark Lanterman

In August the Cyber Safety Review Board (CSRB)1 put forth its second report, “Review of the Attacks Associated with Lapsus$ and Related Threat Groups.”2 Lapsus$ was an organized hacking group, unusual in both its membership and its motivations. Beginning in 2019, the group targeted multiple organizations and entities using tactics that ranged from simple social engineering to advanced technological tools.3 The group seemed to have a number of reasons for its attacks, from political ideologies to simply showing off. Recently, a court found that an 18-year-old from Oxford was a member of Lapsus$, and that he had leaked clips of an unreleased game online while on bail, in violation of his bail conditions.4 

According to a BBC report, “The gang—thought to mostly be teenagers—used con-man like tricks as well as computer hacking to gain access to multinational corporations such as Microsoft, the technology giant, and digital banking group Revolut. During their spree the hackers regularly celebrated their crimes publicly and taunted victims on the social network app Telegram.”5 The string of attacks offered insight into the security vulnerabilities existing within even the best-defended organizations; the CSRB report provides an in-depth analysis of the attacks and strategies for dealing with the most successful methods of intrusion. 

The CSRB found that typical multi-factor authentication (MFA) methods were largely insufficient for protecting most organizations and consumers. “In particular,” the report noted, “the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA.”6 SIM swapping attacks were frequently used by Lapsus$ to bypass MFA protections, and information obtained via “underground markets” was used to get access to victims, sometimes through their own third-party vendors. 
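One practical way to act on the Board’s finding is to audit which second factors each account can actually use at login, because an authenticator app does not help if SMS or voice remains enabled as a fallback that a SIM-swap attacker can select. The script below is an added example, not code from the CSRB or the author: it runs over a constructed per-user MFA enrollment export of the kind an identity administrator might pull from an identity provider. The field names (`user`, `factor`, `enabled`) and the factor classes are assumptions for illustration.

```python
"""Added example (not from the CSRB report or the article): audit a constructed
per-user MFA enrollment export and flag accounts that can still be
authenticated with SMS or voice, which SIM swapping can defeat."""

from collections import defaultdict

# Factor classes are an assumption for this example: SMS and voice are
# treated as SIM-swap susceptible; app- and token-based factors are not.
SIM_SWAP_SUSCEPTIBLE = {"sms", "voice"}
APP_OR_TOKEN = {"totp", "push", "fido2", "hardware_token"}

# Constructed sample export: one row per enrolled factor (field names assumed).
SAMPLE_ENROLLMENTS = [
    {"user": "alice", "factor": "sms", "enabled": True},
    {"user": "bob", "factor": "totp", "enabled": True},
    {"user": "bob", "factor": "sms", "enabled": True},
    {"user": "carol", "factor": "fido2", "enabled": True},
    {"user": "carol", "factor": "sms", "enabled": False},
    {"user": "dave", "factor": "voice", "enabled": True},
    {"user": "erin", "factor": "push", "enabled": True},
    {"user": "erin", "factor": "hardware_token", "enabled": True},
]


def classify_users(enrollments):
    """Return {user: category}. Only enabled factors count, because a disabled
    factor cannot be chosen at login."""
    factors = defaultdict(set)
    for row in enrollments:
        if row["enabled"]:
            factors[row["user"]].add(row["factor"])

    result = {}
    for user, fs in factors.items():
        weak = fs & SIM_SWAP_SUSCEPTIBLE
        strong = fs & APP_OR_TOKEN
        if weak and not strong:
            result[user] = "sms_or_voice_only"
        elif weak and strong:
            # Whoever controls the phone number can pick the weak fallback, so
            # the strong factor only helps once SMS/voice is removed.
            result[user] = "strong_with_weak_fallback"
        elif strong:
            result[user] = "app_or_token_only"
        else:
            result[user] = "unknown_factors"
    return result


def summarize(enrollments):
    """Group users by category so the weakest accounts are easy to act on."""
    by_cat = defaultdict(list)
    for user, cat in classify_users(enrollments).items():
        by_cat[cat].append(user)
    return {cat: sorted(users) for cat, users in by_cat.items()}


if __name__ == "__main__":
    for cat, users in summarize(SAMPLE_ENROLLMENTS).items():
        print(f"{cat}: {', '.join(users)}")
```

The two categories that matter for remediation are `sms_or_voice_only` (enroll an app or token factor, then remove SMS/voice) and `strong_with_weak_fallback` (remove SMS/voice now; the user already has a better factor). Running the same report after each change is a quick way to confirm the fallback really is gone.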

Having reviewed what made this group’s attacks so successful (and why some organizations were able to effectively defend themselves), the CSRB made several recommendations on how to improve cybersecurity postures and stay resilient against similar attacks. Its summary of the types of organizations best able to defend themselves or mitigate damages is worth bearing in mind:

1. organizations with mature, defense-in-depth controls;

2. organizations that used application or token-based MFA methods and network intrusion detection systems; 

3. organizations that effectively followed their incident response plans; and 

4. organizations that were able to communicate safely with incident response professionals without being monitored by threat actors. 

While Lapsus$ may have disbanded—or rebranded—similar cybercrime groups can easily materialize. Security controls, including what an organization treats as standard MFA practice, should be reassessed regularly to make sure they still provide the protection expected of them. The episode is also a reminder that third-party vendor relationships are critical pieces of an overall security posture and that clear contract language is important in managing data. As the CSRB report demonstrates, attackers will often attack a target through its vendors. Resiliency, smooth incident response procedures, and clear communication with necessary external parties can help organizations recover as quickly as possible when cyberattacks do occur. 

While Lapsus$ as it once existed may or may not be finished, organized cybercrime groups will continue to pose significant risks. The report describes a need for additional law enforcement involvement as well as intervention programs for young offenders. Though recommendations are given for individual organizations to improve internally, overarching changes to what we consider “basic” cybersecurity are proposed as well: 

“We need better technologies that move us towards a passwordless world, negating the effects of credential theft. We need telecommunications providers to design and implement processes and systems that keep attackers from hijacking mobile service. We need to double down on zero trust architectures that assume breach. We need organizations to design their security programs to cover not only their own information technology environments, but also those of their vendors that host critical data or maintain direct network access.”7

The Cyber Safety Review Board’s most recent review is important for organizations looking to gain a fresh perspective on their current practices, especially in light of cybercrime groups capable of bypassing even the strongest security measures. The group’s next report will delve into cloud computing and keeping data secure regardless of where it is stored. 


Mark Lanterman is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board. 



Notes

1 https://www.cisa.gov/resources-tools/groups/cyber-safety-review-board-csrb

2 https://www.cisa.gov/sites/default/files/2023-08/CSRB_Lapsus%24_508c.pdf

3 https://www.forbes.com/sites/emilsayegh/2023/03/15/teenagers-leveraging-insider-threats-lapsus-hacker-group/?sh=5b859ba64e43

4 https://www.bbc.com/news/technology-66549159

5 Id.

6 Supra note 2.

7 Id.