Executive Summary
Beginning in late 2021 and continuing late into 2022, a globally active, extortion-focused cyber threat actor group attacked dozens of well-known companies and government agencies around the world. It penetrated corporate networks, stole source code, demanded payments while rarely following up, lodged political messages in shadowy online forums, and swiftly moved on to its next targets. The cyberattacks were not the work of a nation-state actor, nor did they always involve particularly complex or advanced tooling or methods. Yet the attacks were consistently effective against some of the most well-resourced and well-defended companies in the world. These headline-grabbing incidents were perpetrated by a loosely organized threat actor group known as Lapsus$. Lapsus$ exploited systemic ecosystem weaknesses to infiltrate and extort organizations, sometimes appearing to do so for nothing more than attention and public notoriety.
Lapsus$ operated against a backdrop of other criminal groups employing similar methods that were studied as part of this review. These groups demonstrated the still-prevalent vulnerabilities in our cyber ecosystem. They showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims. They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.
Lapsus$’s and similar groups’ success sounds a warning to organizations across the globe, shining a light on the fragility of our interconnected digital infrastructure. Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use. If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors? The Cyber Safety Review
Board (CSRB, or the Board) therefore focused intently on what additional security controls and improvements can bring needed change to the status quo.
The Board found that the multi-factor authentication (MFA) implementations used broadly in the digital ecosystem today are not sufficient for most organizations or consumers. In particular, the Board saw a collective failure to sufficiently account for and mitigate the risks associated with using Short Message Service (SMS) and voice calls for MFA. In several instances, attackers gained initial access to targeted organizations through Subscriber Identity Module (SIM) swapping attacks, which allowed them to intercept one-time passcodes and push notifications sent via SMS,
effectively defeating this widely used MFA control. A lucrative SIM swap criminal market further enabled this pay-foraccess to a target’s mobile phone services. Despite these factors, adopting more advanced MFA capabilities remains a challenge for many organizations and individual consumers due to workflow and usability issues.
Initial access brokers (IABs) and the “infostealer” malware ecosystem—whereby anyone can buy valid login credentials for a target (“access as a service”)—were highly effective means of initial entry. Threat actor groups highly leveraged these underground markets to directly target organizations, but also targeted the organization’s third-party servicers and business process outsourcers (BPOs). Organizations did not always consider third parties and BPOs in their risk
management programs.
Lapsus$ was not successful in all its attempted attacks. The Board found that organizations with mature, defense-indepth controls were most resilient to these threat actor groups. Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient. Organizations that maintained and followed their established incident response procedures significantly mitigated impacts. Highly effective organizations employed mechanisms such as out-of-band communications that allowed incident response professionals to coordinate response efforts without being monitored by the threat actors.
Through extensive efforts, international law enforcement eventually apprehended several of the perpetrators. Yet, those and similar United States (U.S.) government cybersecurity efforts remain unnecessarily hamstrung. In general, law enforcement remains underfunded for resource- and data-intensive investigations and disruptions against the full breadth of cyber threat actors. Similarly, chronic underreporting from the private sector of threats or incidents hampers the federal government’s ability to warn other targeted entities, recommend mitigation measures, take down malicious
infrastructure, seize ill-gotten cryptocurrency or fiat currency, bring those responsible to justice, or otherwise disrupt malicious activity.
In this review, the Board learned that some of the perpetrators were teenagers. In several jurisdictions, a perpetrator’s juvenile status can yield lighter penalties and less severe consequences that may encourage young cybercriminals to re-offend. The Board also noted that while the United Kingdom and the Netherlands have nascent efforts to create pathways for steering talented young hackers away from cybercrime, similar community prevention programs do not exist in the U.S. Resourcing both law enforcement and intervention efforts needs rebalancing.