The Department of Homeland Security has released a postmortem on the Lapsus$ cyberattacks and what lessons organizations can learn.

Lapsus$ scored a string of high-profile attacks in 2022, with Microsoft, Nvidia, Samsung, and Globant listed among its victims. As a result, Cyber Safety Review Board (CSRB) conducted Review Of The Attacks Associated with Lapsus$ And Related Threat Groups report, outlining steps organizations can and should take to better protect themselves in the future.

“Our ability to protect Americans from cyber vulnerabilities has never been stronger thanks to the community we are building through the Cyber Safety Review Board,” said Secretary of Homeland Security Alejandro N. Mayorkas. “As our threat environment evolves, so too must our detection and prevention capabilities. We must also evolve our ability to deploy those capabilities. The CSRB’s findings are not only timely, they are actionable and written with the guidance of real-world practitioners in the private sector.”

One of the big takeaways was that the hacking group often used very basic attack methods that could be easily thwarted with minimal effort:

The CSRB found that Lapsus$ and related threat actors used primarily simple techniques, like stealing cell phone numbers and phishing employees, to gain access to companies and their proprietary data. Among its findings, the Board saw a collective failure across organizations to account for the risks associated with using text messaging and voice calls for multi-factor authentication. It calls for organizations to immediately switch to more secure, easy-to-use, password-less solutions by design. The report also includes recommendations for cell phone carriers to better protect their customers by implementing stringent authentication methods, and for the Federal Communications Commission (FCC) and Federal Trade Commission (FTC) to mandate and standardize best practices to combat SIM swapping.

“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers. “We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

“The Cyber Safety Review Board took on this review to better understand Lapsus$’s tactics and help organizations protect themselves,” said CSRB Deputy Chair Heather Adkins. “Our findings noted the weaknesses with many current methods of authentication, and we provide timely and actionable recommendations for all organizations to put stronger defenses in place.”

“The CSRB’s latest report reinforces the need for all organizations to take urgent steps to increase their cyber resilience, including the implementation of phishing-resistant multi-factor authentication,” said Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. “I look forward to working with our federal and industry partners to act on the CSRB’s recommendations, to include continuing our secure-by-design work with technology manufacturers to ensure that necessary security features are provided to customers without additional cost.”

The full report can be found here, and should be required reading for all cybersecurity personnel.