
CISA exposes Lapsus$ techniques used for high-profile hacks


The United States government has geared up to tackle the menace of Lapsus$, a highly sophisticated hacker group known to have infiltrated companies like Microsoft, Nvidia, Samsung, T-Mobile, Uber, and Okta.

The US government and the Cybersecurity and Infrastructure Security Agency (CISA) have comprehensively reviewed the group’s tactics. The findings shed light on the alarming ease with which this loosely organised group, made up mainly of teenagers, managed to breach well-defended organisations. The analysis further shows that the group relied on common techniques: social engineering, phishing, credential theft, SIM swapping, and MFA-evasion methods.

However, the group’s main weapon is still SIM swapping, a process wherein hackers acquire control of a target’s phone number, often through social engineering, enabling them to intercept two-factor authentication codes and gain unauthorised access to sensitive documents.

While the group occasionally capitalised on known software vulnerabilities, most of their incursions hinged on straightforward, easily executable attacks that enabled them to breach their targets.

CISA has called upon the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) to institute more stringent regulations to combat the threat of SIM-swapping attacks. A recent FCC proposal aims to mandate secure customer authentication methods during SIM swaps to mitigate vulnerabilities exposed by Lapsus$.

CISA’s report underscores the necessity of transitioning from traditional voice and SMS-based multifactor authentication to more secure, passwordless alternatives. One such solution, the FIDO2 standard, permits users to log in using biometric data or hardware-based security keys, bolstering protection against cyber threats like those executed by Lapsus$.

[Figure: SIM swapping exploitation technique used by Lapsus$. Source: Department of Homeland Security Cyber Safety Review Board]

CISA has urged telecommunications providers to implement a more rigorous SIM-swapping authentication process in tandem with advocating passwordless authentication. This would involve empowering customers to lock their accounts to prevent unauthorised SIM swaps and enforcing robust identity verification protocols. Transparency and timely communication with account holders about any SIM swap activity is also part of CISA’s proposal strategy.
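To make the carrier-side controls in that paragraph concrete, here is an added example (not code from the article, CISA or any carrier) that models a SIM change request passing through the three safeguards described: a customer-set lock, identity verification that does not depend on the phone number being swapped, and notification of the account holder. The channel labels, the 24-hour hold before activation, and the in-memory notification and audit lists are assumptions standing in for a real carrier's messaging and SIEM feeds.

```python
"""Toy model of SIM-swap safeguards: lock, out-of-band verification, notification.

Added example, not code from the article or from CISA. Channel names, the hold
window and the in-memory lists are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: a cooling-off period so the real holder can contest a swap
# before the new SIM goes live. Not a value taken from the report.
HOLD_WINDOW = timedelta(hours=24)


@dataclass
class Account:
    phone: str                              # number the SIM is bound to
    contact_email: str                      # out-of-band channel, NOT the phone
    sim_lock: bool = False                  # customer-set lock on SIM changes
    pending_swap_until: Optional[datetime] = None
    notifications: List[str] = field(default_factory=list)   # stands in for email/push
    audit: List[Dict[str, str]] = field(default_factory=list)  # stands in for SIEM feed


@dataclass
class SwapRequest:
    channel: str                        # constructed labels: "store", "call_centre", ...
    id_document_verified: bool          # document/in-person identity check passed
    code_to_existing_device_ok: bool    # one-time code confirmed on the CURRENT SIM or email


def _record(account: Account, decision: str, req: SwapRequest, now: datetime) -> str:
    """Log every decision for the SOC and tell the holder on an out-of-band channel."""
    account.audit.append({
        "ts": now.isoformat(),
        "phone": account.phone,
        "channel": req.channel,
        "decision": decision,
    })
    # Notification goes to contact_email, never to the number under request,
    # so an attacker holding the new SIM cannot suppress it.
    account.notifications.append(
        f"to {account.contact_email}: {decision} for SIM change via {req.channel} "
        f"at {now:%Y-%m-%d %H:%M}"
    )
    return decision


def process_sim_swap(account: Account, req: SwapRequest, now: datetime) -> str:
    """Evaluate a swap request against lock, verification and hold controls."""
    if account.sim_lock:
        # Customer opted in to a lock; only lifting the lock (a separate,
        # verified action) can allow a swap.
        return _record(account, "DENIED_LOCKED", req, now)
    if not (req.id_document_verified and req.code_to_existing_device_ok):
        # Social-engineering a support agent is not enough: both an identity
        # check and proof of control of the existing device are required.
        return _record(account, "DENIED_VERIFICATION", req, now)
    account.pending_swap_until = now + HOLD_WINDOW
    return _record(account, "APPROVED_ON_HOLD", req, now)


def cancel_pending_swap(account: Account, now: datetime) -> bool:
    """Holder contests the swap during the hold window; returns True if cancelled."""
    if account.pending_swap_until and now < account.pending_swap_until:
        account.pending_swap_until = None
        account.audit.append({"ts": now.isoformat(), "phone": account.phone,
                              "channel": "holder", "decision": "CANCELLED_BY_HOLDER"})
        return True
    return False


def activate_if_due(account: Account, now: datetime) -> bool:
    """Activate the new SIM only once the hold window has elapsed uncontested."""
    if account.pending_swap_until and now >= account.pending_swap_until:
        account.pending_swap_until = None
        account.audit.append({"ts": now.isoformat(), "phone": account.phone,
                              "channel": "system", "decision": "ACTIVATED"})
        return True
    return False


if __name__ == "__main__":
    t0 = datetime(2023, 8, 10, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    acct = Account("+15555550100", "owner@example.invalid", sim_lock=True)
    print(process_sim_swap(acct, SwapRequest("call_centre", False, False), t0))
    acct.sim_lock = False
    print(process_sim_swap(acct, SwapRequest("call_centre", True, False), t0))
    print(process_sim_swap(acct, SwapRequest("store", True, True), t0))
    print(cancel_pending_swap(acct, t0 + timedelta(hours=2)))
    for line in acct.notifications:
        print(line)
```

The design point is that none of the three checks trusts the phone number being swapped: the lock is set by the holder in advance, the one-time code must land on the existing device or email, and the notification goes to the out-of-band contact, so an attacker who persuades an agent still cannot complete or silence the swap.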

The Lapsus$ investigation also prompted CISA to recommend establishing juvenile cybercrime prevention programs, emphasising proactive measures to deter young people from engaging in cybercriminal activity. To curb the growing threat of young hackers, the agency has proposed Congressional funding to support educational initiatives highlighting the legal and ethical consequences of cybercrime.

Lapsus$ gained infamy in 2022 for infiltrating notable corporations. The group compromised 90 videos of unreleased gameplay footage from Rockstar’s upcoming Grand Theft Auto VI. The group’s audacity and impact led to the arrests of several members and brought their activities under intense scrutiny.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
