Cyber Safety Review Board cites 10 recommendations for government, industry amid report on hacker group Lapsus$

Global hacker group Lapsus$ took top billing in the latest report from the United States Cyber Safety Review Board (CSRB), and though its techniques were found to be simple, its threat is anything but, prompting a series of recommendations for greater protections.

The CSRB operates under the U.S. Department of Homeland Security (DHS) and, in this role, sought to better understand Lapsus$’s tactics and help organizations protect themselves from the group. In doing so, it found weaknesses in many of the authentication methods currently used across government and industry. In fact, Lapsus$’s techniques generally allow it to evade industry-standard security tools.

“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” Robert Silvers, CSRB chair and DHS Under Secretary for Policy, said. “We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

Lapsus$ caught the attention of DHS in late 2021 and 2022 when it began to bypass commonly used security controls to infiltrate dozens of seemingly well-resourced organizations. In interviewing nearly 40 organizations and individuals on the subject, CSRB found that Lapsus$ and related groups use techniques that are, overall, simple in nature – stealing cell phone numbers, phishing employees, and the like.

However, organizations collectively failed to account for the risks of using text messaging and voice calls for multi-factor authentication, and the Board called for them to switch to more secure, easy-to-use, password-less solutions. The CSRB also urged cell phone carriers to better protect their customers by deploying stricter authentication methods, bolstered by federal crackdowns on SIM swapping. Otherwise, corporate access and proprietary data will remain at risk.

“Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board,” Secretary of Homeland Security Alejandro Mayorkas said. “As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector.”

Chris Galford
