The Biden administration announced on Friday that it would investigate recent hacks linked to Lapsus$, an extortion-focused hacking collective that has victimized some of the world’s largest technology companies and broken into critical infrastructure systems over the last year.
The U.S. Cyber Safety Review Board, a panel of experts from various government agencies and the private sector, will investigate the group’s recent high-profile hacks, which researchers say have included extortion demands at times but also appear to be motivated by a desire for notoriety at other times.
According to the companies, high-profile victims include Uber Technologies Inc., chip maker Nvidia Corp., Microsoft Corp., online access-management vendor Okta Inc., Samsung Electronics Co., and others.
“Lapsus$ has targeted some of the world’s most sophisticated companies,” said Robert Silvers, chair of the board and undersecretary for policy at the Department of Homeland Security, which oversees the board’s activities. “We will advise on how to repel and respond to these types of cyber-enabled extortion attacks as a collaborative effort between government and industry.”
Lapsus$ is an amorphous team that hides behind anonymous online aliases, but members of the group have left enough digital breadcrumbs for law enforcement and private researchers to identify some of them. According to security researchers and law enforcement officials, the group likely includes members from Brazil and the United Kingdom, with several of them being teenagers. Although some members have been apprehended, security experts believe the group continues to pose a threat.
Lapsus$ has developed a set of techniques that, while not technically sophisticated, have proven to be devastatingly effective at breaking into the networks of global tech firms that spend millions on cybersecurity each year. To breach a variety of networks, the group has frequently relied on circumventing security tools widely used across industries, exposing major, overlooked security gaps in interwoven software ecosystems.
Some of its high-profile hacks have proven to be more of a nuisance than a crippling breach. In the case of Uber, the company stated that Lapsus$ gained access to its internal systems and sent messages to employees, including a graphic image.
However, the intrusions have been disturbing at times. According to statements released in March by Samsung, Nvidia, and Microsoft, the group stole source code or proprietary information from them.
The board, which has no regulatory authority and no authority to levy fines, was established earlier this year by the Biden administration to review significant national cybersecurity events affecting government, business, and critical infrastructure.
The cyber board, loosely modeled after the National Transportation Safety Board, which investigates plane crashes and train derailments, publishes reports on its findings and makes security recommendations. It issued its first report on the Log4J bug in July, concluding that a major flaw in the widely used logging software was an “endemic vulnerability” that could persist as an avenue for hackers to infiltrate computer networks for more than a decade.
Mr. Silvers stated in a media briefing that the board wanted to complete its review of the Lapsus$ criminal group as soon as possible, but he did not provide a timetable for when the report would be completed.
“Lapsus$ actors have targeted multiple critical infrastructure sectors, including healthcare, government facilities, and critical manufacturing,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. “Because of the variety of victims and tactics used, we need to understand how Lapsus$ actors carried out their malicious cyber activities so that we can mitigate risk to potential future victims.”