A report by the Cyber Safety Review Board outlines findings on the activities associated with an extortion-focused threat actor group called Lapsus$ and offers 10 recommendations for government and industry stakeholders to protect their infrastructure from cyberthreats posed by Lapsus$ and related groups.
The CSRB report found that Lapsus$ performed attacks against dozens of government agencies and companies between 2021 and 2022 by exploiting vulnerabilities in identity and access management systems, stealing source code, infiltrating corporate networks and demanding ransom payments.
“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” Robert Silvers, chair of CSRB and undersecretary for policy at the Department of Homeland Security, said in a statement published Thursday.
“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems,” added Silvers, a previous Wash100 awardee.
The board presented its recommendations through four themes: strengthen identity and access management; mitigate telecommunication and reseller vulnerabilities; build resiliency across multiparty systems with a focus on business process outsourcers; and address law enforcement challenges and juvenile cybercrime.
For IAM, CSRB offered two specific recommendations: transitioning to passwordless technologies such as Fast IDentity Online (FIDO2)-compliant, hardware-backed systems, and reducing the efficacy of social engineering attacks by adopting phishing-resistant multifactor authentication methods.
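The reason the board pairs "phishing-resistant" with FIDO2 is origin binding: the browser, not the user, writes the relying party ID and the page origin into what the authenticator signs, so a sign-in completed on a lookalike site cannot be presented to the real one. The following added example (not from the CSRB report or any FIDO implementation) models the relying-party verification steps with a constructed RP ID and an HMAC stand-in for the credential's private key, and contrasts it with a TOTP verifier, whose check has no notion of where the code was typed.

```python
import hashlib
import hmac
import json
import secrets
import time

RP_ID = "example.com"                                        # constructed relying-party ID
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

# Constructed stand-in for the authenticator's per-credential private key.
# Real FIDO2 credentials use an asymmetric key (e.g. ES256); HMAC keeps this stdlib-only.
CREDENTIAL_KEY = secrets.token_bytes(32)


def authenticator_sign(rp_id, origin, challenge):
    """Model of what a FIDO2 authenticator returns for a sign-in request.
    rp_id and origin come from the page the browser is on; the user never types them."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) + flags (UP set) + 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(assertion, expected_challenge):
    """Relying-party checks in the order WebAuthn specifies them for an assertion."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or from another session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this relying party"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(CREDENTIAL_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation)."""
    counter = int((time.time() if t is None else t) // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret, code, t=None):
    """No origin, no challenge: the six digits are valid wherever they were typed,
    which is what lets a relayed code succeed against the real site."""
    return hmac.compare_digest(totp(secret, t), code)


if __name__ == "__main__":
    challenge = "constructed-challenge"
    genuine = authenticator_sign(RP_ID, "https://example.com", challenge)
    print("genuine site:", verify_assertion(genuine, challenge))
    # Browser is on a lookalike host, so it binds the assertion to that host, not to example.com.
    lookalike = authenticator_sign("example-login.com", "https://example-login.com", challenge)
    print("lookalike site:", verify_assertion(lookalike, challenge))
```

The lookalike assertion fails on the origin check before the signature is even examined; a browser will not let a page request an RP ID that is not a registrable suffix of its own domain, so the rpIdHash check would fail as well. The TOTP verifier, by contrast, has no input that could carry that information, which is the structural gap phishing-resistant MFA closes.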
The board also recommends that the Federal Communications Commission and Federal Trade Commission implement best practices and direct regular reporting of fraudulent SIM swaps.
DHS issued the board’s report on Thursday. The department formed CSRB in February 2022 in accordance with the Biden administration’s cybersecurity executive order.