The amateur hacker group Lapsus$, made up mostly of teenagers with limited technical training, has skillfully breached major targets including Microsoft, Okta, Nvidia, and Globant. The government has been studying their methods to improve cybersecurity defenses.
The Lapsus$ team
The group relies on simple but effective techniques. What they lack in advanced skills they make up for with persistence and creativity. For instance, they found a way to get past MFA, a strong security control, in well-protected organizations.
Instead of attacking the MFA infrastructure itself, as more advanced groups do, a Lapsus$ leader described a different tactic: “Call the employee multiple times at 1 a.m. when they’re sleeping. They’ll probably answer. Then, you can access the MFA portal and add another device.”
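The tactic above leaves a recognizable trace in MFA logs: a burst of push prompts, an off-hours approval, and a new device enrolled shortly afterwards. The following detection logic is an added example for this article, not code from the report or from any vendor; the log format, event names, and sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log (not from any real tenant): UTC timestamp, user, event.
SAMPLE_LOG = """\
2023-03-14T01:02:11Z alice push_sent
2023-03-14T01:02:40Z alice push_sent
2023-03-14T01:03:05Z alice push_sent
2023-03-14T01:03:31Z alice push_sent
2023-03-14T01:04:02Z alice push_sent
2023-03-14T01:04:20Z alice push_approved
2023-03-14T01:06:48Z alice device_enrolled
2023-03-14T09:15:00Z bob push_sent
2023-03-14T09:15:09Z bob push_approved
"""

def parse(log):
    """Turn each 'timestamp user event' line into a (datetime, user, event) tuple."""
    events = []
    for line in log.splitlines():
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events

def push_bombing_alerts(log, threshold=4, window=timedelta(minutes=10),
                        quiet_start=22, quiet_end=6):
    """Return {user: [reasons]} for users whose push pattern matches the fatigue tactic."""
    alerts = defaultdict(set)
    by_user = defaultdict(list)
    for ts, user, event in parse(log):
        by_user[user].append((ts, event))
    for user, evs in by_user.items():
        pushes = [ts for ts, e in evs if e == "push_sent"]
        # Sliding window: too many prompts to one user in a short period.
        for i, start in enumerate(pushes):
            if len([t for t in pushes[i:] if t - start <= window]) >= threshold:
                alerts[user].add("push_burst")
                break
        # Off-hours approval followed by a new MFA device enrollment: the
        # sequence the quoted 1 a.m. tactic produces when it succeeds.
        approvals = [ts for ts, e in evs if e == "push_approved"]
        enrolls = [ts for ts, e in evs if e == "device_enrolled"]
        for a in approvals:
            off_hours = a.hour >= quiet_start or a.hour < quiet_end
            if off_hours and any(timedelta(0) <= en - a <= window for en in enrolls):
                alerts[user].add("offhours_approve_then_enroll")
    return {u: sorted(r) for u, r in alerts.items()}
```

Either signal alone is worth a ticket; both together for the same account should trigger an immediate review of newly enrolled MFA devices.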
Recently, the Department of Homeland Security’s Cybersecurity Review Board issued a report describing the tactics that worked for Lapsus$ and advising organizations on how to defend against them.
The Lapsus$ team, even though it has existed for only a little over a year and is motivated mostly by notoriety, has breached a surprisingly long list of targets.
They phished MFA provider Twilio, broke into Nvidia’s corporate network and stole a large volume of data, leaked confidential data from Microsoft and Okta, breached Globant IT’s network, and carried out multiple attacks on T-Mobile using SIM swapping.
In addition, the Brazilian Ministry of Health was breached, leading to the deletion of more than 50 terabytes of data. Various other organizations were also targeted, including Vodafone Portugal, Impresa, Confina, Samsung, and Localiza.
The group also relied on straightforward methods such as buying authentication cookies and credentials from initial access brokers.
The report makes several recommendations. The main one is to move to passwordless authentication with FIDO2 passkeys. Passkeys resist credential phishing because authentication requires the registered device to be physically present.
Another is for the Federal Communications Commission and Federal Trade Commission to strengthen the rules for porting phone numbers between SIM cards, in order to prevent SIM swapping.
- Organizations need to act now to protect themselves, following the Board’s recommendations, which were developed together with the US government and industry experts.
- The report’s authors emphasized that many of the Board’s recommendations align with the “security by design” approach discussed across the industry, including CISA’s “Secure by Design” effort.