The Department of Homeland Security announced Friday that the Cyber Safety Review Board’s next investigation will focus on the Lapsus$ hacking group.
The decision to focus on a hacking group represents a departure from the body’s inaugural investigation, which reviewed a specific cyber vulnerability. That report focused on Log4j, a vulnerability in a widely used logging library. This time around the CSRB will study the actions of Lapsus$, a notorious hacking group that has targeted a slew of companies and attempted to extort them in exchange for not releasing stolen data.
In September, British police arrested a British teenager as part of an investigation into a major hack of Uber. The company has said it is working closely with the FBI and that it believes Lapsus$ is responsible for the intrusion.
“The ongoing Lapsus$ hacks represent just the type of activity that merits a fulsome review and can provide forward-looking recommendations to improve the nation’s cybersecurity in the near term,” Secretary of Homeland Security Alejandro Mayorkas told reporters Friday morning.
Mayorkas’ description of Lapsus$ as an “ongoing” threat actor raised questions about whether the CSRB’s work could lead to a prosecution. DHS Undersecretary for Policy and CSRB Chair Rob Silvers, who also participated in the briefing, declined to comment, referring questions to the Department of Justice.
Modeled on the National Transportation Safety Board’s review process for accidents, the CSRB brings together officials from government and industry to study major breaches and vulnerabilities. DHS officials said the CSRB will develop “actionable recommendations” for how organizations can protect themselves against attacks similar to those from Lapsus$.
Silvers told reporters that Lapsus$ is the perfect target for the CSRB’s next review and described Lapsus$ as a global, extortion-focused hacker group that has launched attacks on some of the world’s “most well-resourced companies.”
“This is exactly the type of review that will benefit network defenders across this country,” Silvers said.
Lapsus$ burst onto the cybercrime scene in December 2021 with an attack on the Brazilian Ministry of Health and, over the course of the following months, added major international firms to its victim list, including Okta, Nvidia, Samsung, Ubisoft, T-Mobile, Microsoft, Uber and Rockstar Games, the company behind video game juggernaut Grand Theft Auto.
An analysis from Microsoft published in March noted that the group was known for “using a pure extortion and destruction model without deploying ransomware payloads.” The group didn’t “seem to cover its tracks,” Microsoft said at the time, and would go as far as “announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”
The group specializes in phone-based social engineering, SIM-swapping, and paying company insiders for access, Microsoft added.
The arrest of the 17-year-old British teenager in September was followed a month later by an arrest in Brazil of a purported member of the group, authorities there reported.
AJ Vicens contributed reporting to this article.
Updated Dec. 2, 2022: This article has been updated with additional details about Lapsus$’s operations.
Corrected Dec. 2, 2022: An earlier version of this story misstated which Department of Homeland Security official referred a question regarding the potential prosecutions to the Department of Justice. It was Rob Silvers, not Alejandro Mayorkas.