DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

CISA: Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report

Posted on August 11, 2023 by Dissent

Executive Summary

Beginning in late 2021 and continuing late into 2022, a globally active, extortion-focused cyber threat actor group attacked dozens of well-known companies and government agencies around the world. It penetrated corporate networks, stole source code, demanded payments while rarely following up, lodged political messages in shadowy online forums, and swiftly moved on to its next targets. The cyberattacks were not the work of a nation-state actor, nor did they always involve particularly complex or advanced tooling or methods. Yet the attacks were consistently effective against some of the most well-resourced and well-defended companies in the world. These headline-grabbing incidents were perpetrated by a loosely organized threat actor group known as Lapsus$. Lapsus$ exploited systemic ecosystem weaknesses to infiltrate and extort organizations, sometimes appearing to do so for nothing more than attention and public notoriety.

Lapsus$ operated against a backdrop of other criminal groups employing similar methods that were studied as part of this review. These groups demonstrated the still-prevalent vulnerabilities in our cyber ecosystem. They showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims. They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.

Lapsus$’s and similar groups’ success sounds a warning to organizations across the globe, shining a light on the fragility of our interconnected digital infrastructure. Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use. If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors? The Cyber Safety Review
Board (CSRB, or the Board) therefore focused intently on what additional security controls and improvements can bring needed change to the status quo.

The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers. In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA. In several instances, attackers gained initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which allowed them to intercept one-time passcodes and push notifications sent via SMS,
effectively defeating this widely used MFA control. A lucrative SIM swap criminal market further enabled this pay-foraccess to a target’s mobile phone services. Despite these factors, adopting more advanced MFA capabilities remains a challenge for many organizations and individual consumers due to workflow and usability issues.

Initial access brokers (IABs) and the “infostealer” malware ecosystem—whereby anyone can buy valid login credentials for a target (“access as a service”)—were highly effective means of initial entry. Threat actor groups highly leveraged these underground markets to directly target organizations, but also targeted the organization’s third-party servicers and business process outsourcers (BPOs). Organizations did not always consider third parties and BPOs in their risk
management programs.

Lapsus$ was not successful in all its attempted attacks. The Board found that organizations with mature, defense-indepth controls were most resilient to these threat actor groups. Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient. Organizations that maintained and followed their established incident response procedures significantly mitigated impacts. Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors.

Through extensive efforts, international law enforcement eventually apprehended several of the perpetrators. Yet, those and similar United States (U.S.) government cybersecurity efforts remain unnecessarily hamstrung. In general, law enforcement remains underfunded for resource- and data-intensive investigations and disruptions against the full breadth of cyber threat actors. Similarly, chronic underreporting from the private sector of threats or incidents hampers the federal government’s ability to warn other targeted entities, recommend mitigation measures, take down malicious
infrastructure, seize ill-gotten cryptocurrency or fiat currency, bring those responsible to justice, or otherwise disrupt malicious activity.

In this review, the Board learned that some of the perpetrators were teenagers. In several jurisdictions, a perpetrator’s juvenile status can yield lighter penalties and less severe consequences that may encourage young cybercriminals to re-offend. The Board also noted that while the United Kingdom and the Netherlands have nascent efforts to create pathways for steering talented young hackers away from cybercrime, similar community prevention programs do not exist in the U.S. Resourcing both law enforcement and intervention efforts needs rebalancing.

Access the full report at CISA (pdf).

Related posts:

  • The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did.
Category: Business SectorCommentaries and AnalysesHackOf Note

Post navigation

← HHS HC3: Multi-Factor Authentication & Smishing
Florida Healthy Kids notified by Maximus of MOVEit breach →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Hunters International to provide free decryptors for all victims as they shut down (1)
  • SEC and SolarWinds Seek Settlement in Securities Fraud Case
  • Cyberattacks Disrupt Iran’s Bread Distribution, Payments Remain Frozen
  • Hacker with ‘political agenda’ stole data from Columbia, university says
  • Keymous+ Hacker Group Claims Responsibility for Over 700 Global DDoS Attacks
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • DOJ investigates ex-ransomware negotiator over extortion kickbacks
  • Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
  • One in Five Law Firms Hit by Cyberattacks Over Past 12 Months
  • U.S. Sanctions Russian Bulletproof Hosting Provider for Supporting Cybercriminals Behind Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
  • US healthcare offshoring: Navigating patient data privacy laws and regulations
  • Data breach reveals Catwatchful ‘stalkerware’ is spying on thousands of phones
  • Google Trackers: What You Can Actually Escape And What You Can’t
  • Oregon Amends Its Comprehensive Privacy Statute
  • Wisconsin Supreme Court’s Liberal Majority Strikes Down 176-Year-Old Abortion Ban
  • 20 States Sue HHS to Stop Medicaid Data Sharing with ICE

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report