Cyber Safety Review Board to probe Lapsus$ ransomware spree
The Cyber Safety Review Board is set to examine the Lapsus$ ransomware gang, the U.S. Department of Homeland Security announced Friday. A prolific group, Lapsus$ has targeted a wide range of global companies and government agencies, sometimes with ruthless digital extortion, since late 2021.
The 15-member board, chaired by DHS Under Secretary for Policy Robert Silvers, reviewed the ransomware group’s activities over the past year and sent recommendations to President Joe Biden via Homeland Security Secretary Alejandro Mayorkas and Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency.
Lapsus$ has heavily targeted critical infrastructure providers following an initial attack on the Brazil Ministry of Health last year. The group has been linked to a series of high-profile attacks against major companies ranging from T-Mobile to Nvidia and ride-hailing giant Uber.
“The CSRB will review how this group has allegedly impacted some of the biggest companies in the world, in some cases with relatively unsophisticated techniques, and determine how we all can build resilience against innovative social engineering tactics and address the role of international partnerships in combating criminal cyber actors,” Mayorkas said Friday during a conference call with reporters. “As cyberthreats continue to evolve, we have to evolve the methods we use to protect ourselves against cybercriminal activity and increase our resilience against future attacks.”
In its first review, the CSRB found Log4j to be an “endemic vulnerability,” with ramifications that could extend years into the future.
The report said attacks stemming from Log4j were at lower levels than initially feared, but highlighted the inherent risks in widespread open source computing that stem from a lack of financial and labor resources.
CSRB Deputy Chair Heather Adkins, VP of security engineering at Google, noted that many of the reported targets of Lapsus$ were considered to have very strong cybersecurity programs. These organizations had followed recommended security controls, and in some cases even advanced controls, but still felt a significant impact from the attacks.
Several alleged members of the extortion gang have been arrested, but researchers suspect other affiliates of Lapsus$ remain unaccounted for.