Highlights:

  • The report examines prior Lapsus$ attacks and how the group used basic strategies to overcome industry-recognized security measures.
  • The analysis highlights the urgent need for telecommunications companies to enhance customer protection systems, particularly considering concerns posed by SIM swapping.

The Lapsus$ hacker group was the subject of a new report from the US Department of Homeland Security’s Cyber Safety Review Board (CSRB). The report recommends that mobile phone operators use more rigorous authentication procedures to protect consumers from SIM swapping.

The report examines prior Lapsus$ attacks and how the group used basic strategies to overcome industry-recognized security measures. In 2021, Lapsus$ first appeared on the hacker landscape, and its members attacked well-known targets like Okta Inc. and Microsoft Corp.

Lapsus$ used approaches that did not entail sophisticated hacking techniques but instead exploited already existing system weaknesses, particularly inside multifactor authentication systems, to evade well-established security controls. According to the board’s assessment, the group’s main entry points were SIM swapping and other commonplace techniques like phishing.

The CSRB research explores the inherent hazards of relying primarily on text messages and voice calls as the critical multifactor authentication methods, given the group’s fondness for SIM swapping. Over-reliance on voice calls and text messages for MFA is believed to have made it easier for hacking organizations like Lapsus$ to use SIM swapping as a backdoor into guarded corporate networks: whoever controls the phone number receives the code. The CSRB is urging a shift toward more secure, password-free solutions to address these vulnerabilities.
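To make the contrast concrete, here is an added toy model (not code from the CSRB report or from the article) of the two second factors discussed above. A constructed carrier routes a phone number to one handset; an SMS one-time-code server texts the code to the number on file, while a device-bound server verifies an HMAC over a fresh nonce and the site origin using a secret enrolled on one device, which stands in for a FIDO2/WebAuthn assertion. All names, the number and the origin are made up. Re-pointing the number at a different handset is enough to satisfy the SMS factor, and gives nothing usable against the device-bound factor.

```python
import hashlib
import hmac
import secrets


class Handset:
    """A SIM/handset: whatever the carrier routes a number to lands in its inbox."""

    def __init__(self):
        self.inbox = []


class Carrier:
    """Constructed phone network: a number resolves to exactly one handset at a time."""

    def __init__(self):
        self.routes = {}

    def assign(self, number, handset):
        # From the network's point of view a SIM swap is just this call,
        # made on behalf of someone who is not the subscriber.
        self.routes[number] = handset

    def deliver_sms(self, number, text):
        self.routes[number].inbox.append(text)


class SmsOtpServer:
    """Second factor: a six-digit code texted to the number on file."""

    def __init__(self, carrier):
        self.carrier = carrier
        self.numbers = {}
        self.pending = {}

    def enroll(self, user, number):
        self.numbers[user] = number

    def start_login(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        self.carrier.deliver_sms(self.numbers[user], f"Your login code is {code}")

    def finish_login(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class DeviceBoundServer:
    """Second factor: HMAC(device_secret, nonce || origin). The secret never leaves
    the enrolled device; this is a stand-in for a FIDO2/WebAuthn assertion."""

    ORIGIN = b"https://login.example.test"  # hypothetical origin

    def __init__(self):
        self.keys = {}
        self.pending = {}

    def enroll(self, user, device_secret):
        self.keys[user] = device_secret

    def start_login(self, user):
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def finish_login(self, user, response):
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        return hmac.compare_digest(sign_challenge(self.keys[user], nonce), response)


def sign_challenge(device_secret, nonce):
    """What the enrolled device computes; the response is bound to nonce and origin."""
    return hmac.new(device_secret, nonce + DeviceBoundServer.ORIGIN, hashlib.sha256).digest()


def code_from_sms(text):
    return text.rsplit(" ", 1)[1]


def sms_otp_accepts_rerouted_number():
    """True: the SMS factor verifies although the subscriber's handset saw no code."""
    carrier = Carrier()
    subscriber, other = Handset(), Handset()
    carrier.assign("+15550000001", subscriber)  # constructed number
    server = SmsOtpServer(carrier)
    server.enroll("alice", "+15550000001")
    carrier.assign("+15550000001", other)  # the number now routes elsewhere
    server.start_login("alice")
    assert subscriber.inbox == []  # the real handset received nothing
    return server.finish_login("alice", code_from_sms(other.inbox[-1]))


def device_bound_rejects_without_device():
    """False: without the device secret, a response is only a guess."""
    server = DeviceBoundServer()
    server.enroll("alice", secrets.token_bytes(32))
    server.start_login("alice")
    return server.finish_login("alice", secrets.token_bytes(32))


def device_bound_accepts_enrolled_device():
    """True: the enrolled device signs the challenge."""
    server = DeviceBoundServer()
    device_secret = secrets.token_bytes(32)
    server.enroll("alice", device_secret)
    nonce = server.start_login("alice")
    return server.finish_login("alice", sign_challenge(device_secret, nonce))
```

The point the model isolates is that an SMS or voice code authenticates possession of a phone number, which the carrier can reassign, whereas a device-bound factor authenticates possession of a key that the carrier never handles. Real FIDO2 additionally uses public-key signatures and origin checks in the browser, which the HMAC stand-in only approximates.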

The analysis highlights the urgent need for telecommunications companies to enhance customer protection systems, particularly considering concerns posed by SIM swapping. The report also urged regulatory authorities, including the Federal Communications Commission and the Federal Trade Commission, to enforce and standardize methods to defend against the attacks.

Rosa Smothers, a former cyberthreat analyst at the Central Intelligence Agency and currently an executive at security awareness training company KnowBe4 Inc., said, “Lapsus$ and related threat actors are using basic techniques to gain an entry point into companies. Their primary attack vectors — SIM swap attacks and phishing employees — can be easily addressed, especially for companies like Microsoft and Okta that are so well-resourced.”

Smothers notes that although the CSRB has no regulatory authority, the research can help federal agencies bring change. “The recent SEC policy requiring disclosure of ‘material’ breach incidents within four days and the Department of Defense’s Cybersecurity Maturity Model Certification framework are great examples of how the federal government’s security requirements can drive positive change in the private sector,” she added.