US government finally releases report on Lapsus$ gang

It turns out that the Lapsus$ gang, famous for its teenage members, used straightforward techniques, a long-awaited report on the collective by the US government says. Recommendations on defensive actions against future attacks are included.

The report is authored by the US Department of Homeland Security Cyber Safety Review Board (CSRB).

It started working on the report last December, after a number of high-profile Lapsus$ cyber crimes in 2022 led to police action in the United Kingdom and Brazil. The gang is no longer active.

Over the course of about two years, Lapsus$ members infiltrated a number of high-profile targets, including Microsoft, Nvidia, and Okta, often using some combination of social engineering, phishing, credential theft, SIM swapping, and MFA-evasion techniques.

Well-known tactics

At times, it seemed that Lapsus$ was working very effectively and was using more complex techniques than other gangs.

“Its mindset was on full display for the world to see and Lapsus$ made clear just how easy it was for its members (juveniles, in some instances) to infiltrate well-defended organizations. Lapsus$ seemed to work at various times for notoriety, financial gain, or amusement, and blended a variety of techniques,” the report said.

However, an analysis of the group's activities and capabilities found that its members actually relied on well-known tactics and techniques in their operations.

Lapsus$ attackers allegedly took advantage of known weaknesses in enterprise networks and the procedures of technology providers in order to gain access to targets and steal sensitive data. They weren’t exploiting any technical weakness.

In a small number of incidents, the group exploited known vulnerabilities, but most of the time, Lapsus$ members favored simple, easy-to-execute attacks to gain access to their targets – they relied on old-fashioned research and reconnaissance, the CSRB report says.

“Generally, the threat actors did not deploy custom tools, preferring well-known tools built by others or ‘living off the land.’ Lapsus$ did not fall into that category of threat actor that grabs most of the headlines: the nation-state threat actor with well-resourced offensive tactics that lurks behind the scenes for years at a time or the transnational ransomware groups that cost the global economy billions of dollars,” it adds.

“In fact, Lapsus$ did not use the type of novel zero-day techniques the industry is used to seeing frequently in the news.”

Cybersecurity analyst Digital Shadows went one step further last year, when it said in a report that Lapsus$ literally faked its status as a ransomware group and grossly exaggerated the scale of its attacks.

A passwordless world

The CSRB members said that enterprises and government agencies need to renew their focus on the security basics while also moving toward more modern architectures and defensive methods. For instance, moving towards a “passwordless world” is recommended because it would negate the effects of credential theft.

Still, the CSRB found that organizations with mature security programs and well-designed incident response procedures fared pretty well against Lapsus$ and other similar groups.

“Organizations that used application or token-based MFA methods or employed robust network intrusion detection systems, including rapid detection of suspicious account activity, were especially resilient,” the report says.

The CSRB also recommended that organizations report cyber incidents to law enforcement as soon as possible and continue to share relevant information with CISA and other agencies during an investigation. This helps not only the specific victim organization, but also other potential victims.