DHS Cyber Safety Review Board to focus on Lapsus$ hackers

Written by Suzanne Smalley
The Department of Homeland Security announced Friday that the Cyber Safety Review Board’s next investigation will focus on the Lapsus$ hacking group.
The decision to focus on a hacker group represents a departure from the body’s initial investigation, which reviewed a specific cyber vulnerability. That report focused on a vulnerability in Log4j, a widely used logging library. This time, the CSRB will study the actions of Lapsus$, a notorious hacking group that has targeted a number of companies and tried to extort them in exchange for not releasing stolen data.
In September, British police arrested a British teenager as part of an investigation into a major hack of Uber. The company has said it is working closely with the FBI and that it believes Lapsus$ is responsible for the breach.
“The ongoing Lapsus$ hacks represent exactly the type of activity that deserves a thorough review and can provide forward-looking recommendations to improve the nation’s cybersecurity in the near term,” Secretary of Homeland Security Alejandro Mayorkas told reporters Friday morning.
Mayorkas’s description of Lapsus$ as an “ongoing” threat actor raised questions about whether the CSRB’s work could lead to prosecution. DHS Undersecretary for Policy and CSRB Chair Rob Silvers, who also attended the briefing, declined to comment and referred questions to the Justice Department.
Modeled on the National Transportation Safety Board’s accident review process, the CSRB brings together government and industry officials to study major breaches and vulnerabilities. DHS officials said the CSRB will develop “recommendations” for how organizations can protect themselves against attacks similar to those from Lapsus$.
Silvers told reporters that Lapsus$ is the perfect target for the CSRB’s next review and described Lapsus$ as a global, extortion-focused hacker group that has launched attacks on some of the world’s “most resource-rich companies.”
“This is exactly the type of review that will benefit network defenders across this country,” Silvers said.
Lapsus$ burst onto the cybercrime scene in December 2021 with an attack on the Brazilian Ministry of Health, and in the following months added major international firms to the victim list, including Okta, Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Uber and Rockstar Games, the company behind the video game juggernaut Grand Theft Auto.
An analysis by Microsoft published in March noted that the group was known to “use a pure extortion and destruction model without distributing ransomware.” The group did not appear to be covering its tracks, Microsoft said at the time, and would go so far as to “announce their attacks on social media or advertise their intent to purchase credentials from employees of target organizations.”
The group specializes in phone-based social engineering, SIM swapping and paying corporate insiders for access, Microsoft added.
The arrest of the 17-year-old British teenager in September was followed a month later by an arrest in Brazil of an alleged member of the group, authorities there reported.
AJ Vicens contributed reporting to this article.
Updated December 2, 2022: This article has been updated with additional details about Lapsus$’s operations.
Corrected December 2, 2022: An earlier version of this story misstated which Department of Homeland Security official referred a question about potential prosecutions to the Justice Department. It was Rob Silvers, not Alejandro Mayorkas.