The Biden administration announced Friday the U.S. would investigate recent hacks linked to a teenage cybercriminal group that focused on extortion.
The U.S. Cyber Safety Review Board, a 15-member panel of experts from across government and the private sector, will probe a series of high-profile hacks by the group, known as Lapsus$.
Homeland Security Secretary Alejandro Mayorkas said its goal is to “evaluate how this group has allegedly impacted some of the biggest companies in the world, in some cases, with relatively unsophisticated techniques, and determine how people can build resilience against innovative social engineering tactics and address international partnership in combatting criminal cyber actors.”
The board did not list which hacks it would probe, but high-profile victims of Lapsus$ include Uber, Microsoft, Okta and Samsung, according to previous releases by the companies.
Like many cybercriminal gangs, Lapsus$ is an evolving group of cyber hackers that maintains an anonymous online presence. Earlier this year, London Police arrested seven individuals – ages 16 to 21 – believed to be tied to the hacking gang. Security experts and government officials believe the group still poses a threat.
The group has routinely relied on stolen login credentials to pilfer company data – demanding high extortion checks from victims to stop any leak of stolen information.
For instance, Uber said that during the breach of its systems, Lapsus$ posted messages to the company’s internal Slack message board, including a “graphic image.”
But the intrusions have also gone after proprietary information. According to Microsoft, the hacking group has left a few breadcrumbs. “Unlike most activity groups that stay under the radar, DEV-0537 doesn’t seem to cover its tracks,” the company wrote in a March blog post. “They go as far as announcing their attacks on social media or advertising their intent to buy credentials from employees of target organizations.”
In a briefing Friday, Mayorkas called the cyber threat facing the U.S. “as diverse and severe as it’s ever been” and went on to say that “nation-states like China, Russia, Iran and North Korea, as well as non-state criminal cyber gangs continue to conduct espionage, steal intellectual property and mine scores of Americans’ personal data.”
DHS’ relatively new cyber board, which draws its authority from an executive order signed by President Joe Biden last year, lacks regulatory authority and indicated its work will not be punitive — it won’t fine any companies involved.
Modeled after the National Transportation Safety Board, the panel investigates high-profile cyber intrusions and publishes security recommendations. In July, the cyber board published its inaugural investigation, determining that the Log4j bug poses a persistent vulnerability, but did not lead to any “significant” attacks on critical infrastructure.
Friday’s announcement marks a pivot for the board, which will shift investigatory efforts from a specific vulnerability to a prolific hacking group.
Led by Chair Rob Silvers, the undersecretary for policy at the Department of Homeland Security, and Vice Chair Heather Adkins, senior director of security engineering at Google, the new group promised it would “move quickly” on its next investigation and work with government partners including the Department of Justice, but did not offer a timeline.
Adkins said the group aimed to “go deeper” to “provide the kind of advice that creates new foundations for cybersecurity in the ecosystem.”