US should crack down on SIM swapping following Lapsus$ attacks: DHS review

A string of high-profile cyberattacks carried out by teenage hackers in 2021 and 2022 highlights systemic weaknesses in the telecommunications industry and security practices used by a wide range of businesses, a Department of Homeland Security review found.

In a 59-page report released Thursday, the department’s Cyber Safety Review Board called on the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to strengthen their oversight and enforcement activities focused on SIM swapping, and ask telecommunications providers to report these attacks to the regulators.

The board also recommended that organizations transition away from widely-used SMS and voice-based multifactor authentication, and instead “adopt easy-to-use, secure-by-default-passwordless solutions.”

The report, commissioned by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, focuses on a group of young hackers known as Lapsus$ that carried out a series of attacks on major technology companies, including Uber, Okta, Samsung and others. The attacks drew attention not only because of the victims involved, but because of their audacity — the hackers would often gain access to a company’s systems and sensitive data, and then post screenshots and emojis in companywide internal chat messages.

“Lapsus$ was unique for its effectiveness, speed, creativity, and boldness,” Robert Silvers and Heather Adkins, the board’s chair and deputy chair respectively, said.

In 2022, the group gained even more notoriety when authorities said it was largely composed of teenagers. That March, British police arrested seven people between the ages of 16 and 21 allegedly involved with the group, and another person was arrested in Brazil in October.

The DHS review said the attacks showed how SMS-based multifactor authentication — a practice widely used by organizations to add an extra layer of security when employees and customers log into accounts — can be undermined by cybercriminals due to lax security practices at telecom firms. Lapsus$ was able to obtain basic information about its victims, such as their name and phone number, and used them to perform fraudulent SIM swaps and intercept text messages that allowed them to sign into accounts or perform account recoveries.

“If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?” the board said, adding that organizations that used application or token-based MFA methods were “especially resilient” to the attacks.

As part of its recommendations, the review board called on the federal government to develop a roadmap consisting of “standards, frameworks, guidance, tools, and technology” that can help organizations implement passwordless authentication instead of SMS-based multifactor authentication.

President Joe Biden established the Cyber Safety Review Board in May 2021 to study major hacking incidents and help inform new cybersecurity policy. Although it doesn’t have regulatory authority, it’s staffed by senior government officials and technology executives, and can make recommendations that shape how federal agencies, Congress and private companies handle cybersecurity issues.

DHS officials have recently pushed for legislation that would grant the board additional power and funding.

The Lapsus$ review is the board’s second report — its first was released in July 2022 and warned that the vulnerability in the Log4j Java library will take years to remediate.

"Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the cyber safety review board," DHS Secretary Alejandro Mayorkas said in a statement Thursday.

"As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB's findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector."