A report by the Cyber Safety Review Board (CSRB) into the havoc caused by the Lapsus$ threat group recommends U.S. federal agencies be given enhanced powers to combat fraudulent SIM swapping.
SIM swapping was one of the techniques Lapsus$ used in a spree of attacks in 2021 and 2022 against organizations, including Samsung, Uber and Okta. Members of the group, including a 16-year-old and a 17-year-old, were arrested in the UK and Brazil last year.
Lapsus$ members and related threat actors used simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data, the CSRB found. In a SIM swapping attack, a scammer persuades a service provider to move a victim's phone number onto a SIM card the attacker controls.
"Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication," according to a statement released with the report.
The CSRB, which is led by the Department of Homeland Security, was tasked in December with studying Lapsus$’s crimes and coming up with “actionable recommendations” to protect organizations, customers and employees.
The board’s 59-page report (PDF) was released on Thursday, with CSRB Chair Robert Silvers describing it as an examination into “how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world.”
“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems,” Silvers said in a statement.
The report included the following 10 recommendations:
1. Everyone must progress toward a passwordless world.
Lapsus$’s attacks showed how easy it was for threat actors to obtain authentication strings using a range of methods. “The digital ecosystem needs to prioritize moving beyond use of text-based strings for authentication,” the CSRB said.
2. Organizations should prioritize efforts to reduce the efficacy of social engineering.
“The U.S. government should spearhead the development and promotion of resources that help organizations develop a robust security culture, including monthly training material and example protocols that help deter common social engineering techniques.”
3. Build resiliency against fraudulent SIM swapping.
While the measures telecommunications providers and resellers would need to take to reduce SIM swap attacks would add friction to the customer experience, they were necessary to reduce fraud and follow-on crimes, the CSRB said.
4. Strengthen FCC and FTC oversight and enforcement activities.
“Organizations’ and consumers’ reliance on mobile phones and cellular service makes them essential components of the nation’s telecommunications practices,” the report said. “Fraudulent SIM swaps undermine the security and reliability of the telecommunications ecosystem.”
5. Plan for disruptive cyber intrusions and invest in prevention, response, and recovery capabilities.
“Organizations should create roadmaps to rapidly adopt emerging modern architectures that can best defend against disruptive cyber-intrusions caused by groups such as Lapsus$ and related threat actors.”
6. Business process outsourcers (BPOs) and client companies should mature and strengthen their risk management practices to reflect their shared risk, and the U.S. government should support these efforts.
The CSRB said cybersecurity requirements should be written into contracts between organizations and BPOs to ensure BPO operations meet the same level of security as internal company practices. “This should include clear definitions of the service level agreements (SLAs) that enable monitoring and risk management.”
7. Advance “whole-of-society” programs and mechanisms for juvenile cybercrime prevention and intervention.
The board recommended developing stronger U.S. juvenile cybercrime prevention and intervention programs. It referenced a Dutch National High-Tech Crime Unit initiative which includes workshops and an intervention program to deter young people from online criminal activity, offering positive and legal alternatives.
8. Increase timely reporting of cyberattacks to federal responders.
While organizations were not currently required to report cyberattacks, the CSRB said that alerting law enforcement and other federal agencies to incidents was key to disrupting ongoing and future incidents and to mitigating risks to other potential victims.
9. Increase international law enforcement cooperation.
As with incident reporting, timely international cooperation was essential to the disruption of cybercrime threats, the CSRB said. “[The report found] that such collaboration between U.S. and international law enforcement partners led to the late 2022 arrest of Lapsus$ members, thereby apparently causing the group’s malicious activities to cease.”
10. Build resilience for emergency disclosure requests (EDRs) against social engineering attacks.
Threat actors can use fake EDRs, purportedly from legitimate emergency agencies, to dupe organizations into disclosing user information. Organizations needed to “devote appropriate resources to the task of verifying the authenticity and credibility of EDRs so that providers reduce mistakes in either direction,” the CSRB said. “For example, providers should examine whether they should design and implement new mechanisms for verifying the authenticity of EDRs using solutions such as standardized digital signatures.”