
Cyber Safety Review Board turns its sights on Lapsus$ extortion group in latest review

Homeland Security Secretary Alejandro Mayorkas participates in a ceremony on May 6 in Washington. A federal board charged with studying major hacks and their fallout will focus its next review on the Lapsus$ criminal extortion group, according to officials at DHS. (Benjamin Applebaum/DHS)

A federal board charged with studying major hacks and their fallout will focus its next review on the Lapsus$ criminal extortion group, according to officials at the Department of Homeland Security.

The Cyber Safety Review Board — launched earlier this year, led by DHS and composed of top federal cybersecurity officials and private sector experts — will examine the tactics the group has used to break into the networks of some of the largest businesses and organizations in the world, and will develop “actionable recommendations” to protect organizations, customers and employees.

The board’s first report was dedicated to the Log4j vulnerability. In this case, they will turn their eyes to a highly successful group of hackers that have used a variety of clever phishing and vishing schemes to gain access to high-privileged accounts at major companies.

Secretary of Homeland Security Alejandro Mayorkas told reporters in a briefing Friday that the review would put a particular focus on helping the public defend “against innovative social engineering tactics and address the role of international partnerships in combatting criminal cyber actors as cyber threats continue to evolve.”

“The ongoing Lapsus$ hacks represent just the type of activity that merits a fulsome review and can provide forward-looking recommendations to improve the nation’s cybersecurity in the long term,” Mayorkas said. “Lapsus$ has reportedly employed techniques to bypass a range of commonly used security controls — it has successfully infiltrated a number of companies across industries and geographic areas.”

Officials said the board was recently tasked with the review and had not yet reached out to any companies compromised by Lapsus$ for briefings. A date or timeframe for when the report would be completed is yet to be determined.

Rob Silvers, DHS under secretary for policy and chair of the CSRB, said the focus of the review and its subsequent recommendations are designed to flow into DHS’s larger mission of conducting good-faith, voluntary partnerships with the private sector around major hacks and cybersecurity challenges.

“We’re not a regulatory agency, we don’t issue fines, we don’t punish. This is about better security going forward,” Silvers said.

How did Lapsus$ breach well-regarded security programs?

The choice represents the latest effort by U.S. and international allies to turn up the heat on the hacking and extortion group after it conducted a string of successful and high-profile breaches over the past year. In March, seven alleged members of the group — all between the ages of 16 and 21 — were arrested in London while the FBI issued an alert to the public seeking tips on the group and its members the same month.

The success of Lapsus$ hackers against what the board perceives as well-resourced and hardened targets was of particular concern.

“Some of these victims are reported to have very good security programs, many using recommended security controls — even advanced controls — which tells us there’s a real need to look at what’s happening deeper here,” said Heather Adkins, vice president of security engineering at Google and deputy chair of the board.

CISA, the FBI and other federal agencies already routinely collaborate on joint advisories and alerts to the public that focus on specific hacking groups, the tactics they leverage and how to defend against their attacks. Board members said a Lapsus$ review by the CSRB would differ from those products because of the unique public-private composition of the board and its ability to gain cooperation from victim companies in order to obtain insights.

Silvers said the board would engage with companies, security researchers and others through interviews and requests for information, citing a similar process during the Log4j investigation that yielded an “authoritative” timeline of the vulnerability’s emergence and more “impactful” recommendations.

Adkins said that those alerts and advisories give board members a baseline of information to ask different questions and proceed at a “different pace and different timeline and with the ability to go much deeper.”

“Whereas a lot of the joint advisories and alerts that come out from various parts of the industry in real time are often very targeted, at-moment-in-time improvements that organizations can take to defend themselves, we’re hoping with these comprehensive reviews we can additionally go deeper and provide the kind of advice that creates new foundations for cybersecurity in the ecosystem, so not just how companies can best defend themselves today but how we can really solve some of these more systemic issues in the ecosystem.”  

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
