DHS cyber safety board to probe Lapsus$ hacks
The Homeland Security Department on Friday announced its cyber review board would investigate a series of high-profile breaches attributed to the Lapsus$ group, a prolific global data extortion gang run by teenagers.
The Cyber Safety Review Board will evaluate how the hacking ring has “allegedly impacted some of the biggest companies in the world, in some cases with relatively unsophisticated techniques, and determine how we all can build resilience against innovative social engineering tactics and address the role of international partnerships in combating criminal cyber actors,” Homeland Security Secretary Alejandro Mayorkas said during a press call.
He said the “ongoing Lapsus$ hacks represent just the type of activity that merits a fulsome review and can provide forward looking recommendations to improve the nation’s cybersecurity.”
The 15-person board, established by a White House executive order last year, is tasked to evaluate major cyber incidents and make recommendations to remediate them. The board’s inaugural report, which focused on the Log4j vulnerability, was published in July and made 19 recommendations.
The DHS panel, intended to serve as a cyber version of the National Transportation Safety Board, is composed of officials from across the public and private sectors.
Lapsus$ has been linked to hacks of Uber, multi-factor authentication company Okta, technology companies Nvidia and Samsung and major video game company Ubisoft.
However, the group’s current level of activity remains unknown after U.K. law enforcement arrested seven people, ages ranging from 16 to 21, in March for alleged involvement in the cybercriminal group, including its 17-year-old mastermind.
Rob Silvers, DHS under secretary for strategy, policy and plans, who also serves as chair of the CSRB, dodged questions about if the group is active today — despite Mayorkas’ remark that cyberattacks are “ongoing” — saying he didn’t want to “get ahead” of the board’s work.
Silvers also declined to comment on the timeline of events the panel would examine but said members would move fast to engage with the private sector and the research community.
“We’re going to take the time needed to conduct a thorough review,” he said. “We want to move very quickly and we’ll publish as soon as we can.”
Heather Adkins, deputy chair of the CSRB and vice president of Security Engineering at Google said that while joint cybersecurity alerts issued by the federal government about threat actors and vulnerabilities have been helpful to industry, the comprehensive reviews conducted by the board can “go deeper and provide the kind of advice that creates new foundations for cybersecurity in the ecosystem.”
“So, not just how companies can best defend themselves today but how we really solve some of these more systemic issues in the ecosystem,” she told reporters.