The United States Cyber Safety Review Board (CSRB) released a report on Thursday presenting an extensive study of the key techniques the Lapsus$ hacking group used to breach major tech giants. The report also warned of a heightened likelihood of similar attacks, pointing to the vulnerability of the cyber security infrastructure.
Notably, Lapsus$ is identified as a loosely organized group consisting of teenagers, in particular notorious individuals from the UK and Brazil. As per the report, the group relied on simple, low-cost techniques to carry out its attacks, which reveals the “weak points” in the cyber security infrastructure and hints at possible “future attacks”.
One of the techniques used by the hackers is SIM swapping: taking control of a phone number belonging to the victim company by porting it to a SIM card owned by the hacker. With control of the phone number, the attacker receives the calls and text messages sent to it, including voice and SMS-based authentication codes, and can go on to obtain the company's confidential details, including source code, customer-related documents, etc. The high-profile tech companies affected by the group’s hack include Cisco, Microsoft, Vodafone, Okta, Nvidia, T-Mobile, Samsung, Uber, Ubisoft, and Globant.
The report highlighted the hackers’ “flashes of creativity”, stating:
Lapsus$ was unique for its effectiveness, speed, creativity, and boldness; it operated in a way that gifted the Board a propitious lens through which we could see systemic issues in the digital ecosystem. Lapsus$ exploited, to great and wide effect, a playbook of effective techniques, which other threat actors can also use.
The Chinese reporter Colin Wu took to his official account on X, formerly known as Twitter, to provide updates on the US government’s findings on the Lapsus$ attack, asserting that the hackers have “taken SIM swapping attacks to a new level”:
The U.S. government says the Lapsus$ hacking group has taken SIM swapping attacks to a new level, companies affected include Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Uber, and more. Many well-known cryptocurrency platforms and personal accounts have also suffered from…
— Wu Blockchain (@WuBlockchain) August 12, 2023
The US regulators highlighted the necessity of embracing stronger security measures against these hacking strategies. The CSRB insisted that companies use passkeys instead of voice or SMS-based authentication to avoid the risks of SIM swapping.