DHS board starts investigating Lapsus$ teen hacker group
A group of federal cyber advisers is putting a suspected teen hacking group under the microscope in the second investigation ever conducted by the Cyber Safety Review Board.
Driving the news: The Department of Homeland Security review board — a group of 15 federal government and private-sector cyber experts — announced Friday morning that it will study and provide recommendations to fend off the hacking techniques behind the Lapsus$ data extortion group.
- The Cyber Safety Review Board first investigated and released a report with security recommendations in July about the Log4j open-source software vulnerability that affected millions of devices last year.
- Data extortion groups break into a company's systems, steal prized information like source code, and then demand a payment from the company to stop them from leaking the stolen information.
- Specifically, Lapsus$ targets companies through MFA fatigue: the attackers use stolen login credentials to log in to a network and then spam the account owner with two-factor authentication requests on their phone until the owner accepts one.
- Suspected members of the gang are believed to be based in the U.K. and have been arrested several times throughout the year.
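
An added example, not from the article or the review board: a small detector for the MFA fatigue pattern described above, run over constructed authentication events. The log format, the result names (`DENIED`, `TIMEOUT`, `APPROVED`), the 10-minute window and the threshold of 5 are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)    # assumed look-back window
THRESHOLD = 5                     # assumed number of rejected prompts that counts as a burst
REJECTED = {"DENIED", "TIMEOUT"}  # assumed result names for prompts the user did not accept

# Constructed sample events: ISO timestamp, user, push-prompt result.
SAMPLE_LOG = """\
2024-01-15T03:10:05 alice DENIED
2024-01-15T03:10:40 alice TIMEOUT
2024-01-15T03:11:15 alice DENIED
2024-01-15T03:12:30 alice TIMEOUT
2024-01-15T03:13:10 alice DENIED
2024-01-15T03:14:20 alice TIMEOUT
2024-01-15T03:15:02 alice APPROVED
2024-01-15T08:00:00 carol TIMEOUT
2024-01-15T08:30:00 carol TIMEOUT
2024-01-15T09:00:00 bob DENIED
2024-01-15T09:01:00 bob APPROVED
2024-01-15T09:30:00 carol TIMEOUT
2024-01-15T10:01:00 carol APPROVED
"""

def parse(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_push_fatigue(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (kind, user, time, rejected_count) alerts for prompt bursts per user."""
    rejected = defaultdict(deque)  # user -> times of recent rejected prompts
    flagged = set()                # users already alerted for the current burst
    alerts = []
    for ts, user, result in sorted(parse(l) for l in lines if l.strip()):
        q = rejected[user]
        while q and ts - q[0] > window:   # expire prompts older than the window
            q.popleft()
        if len(q) < threshold:
            flagged.discard(user)
        if result in REJECTED:
            q.append(ts)
            if len(q) >= threshold and user not in flagged:
                flagged.add(user)         # burst in progress: alert once
                alerts.append(("burst", user, ts.isoformat(), len(q)))
        elif result == "APPROVED":
            if len(q) >= threshold:       # approval right after a burst: likely fatigue
                alerts.append(("approved_after_burst", user, ts.isoformat(), len(q)))
            q.clear()
            flagged.discard(user)
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `burst` alert fires while the prompts are still being rejected, which leaves time to lock the account or reset the password before an approval happens; a single mistaken denial followed by an approval, or rejections spread over hours, produces no alert.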
Catch up quick: DHS created the Cyber Safety Review Board in February to study and provide insights into some of the country's most formative and widespread cyberattacks and data breaches.
Between the lines: The board does not have any regulatory powers, cannot compel companies to cooperate, and only provides recommendations and lessons learned from the incidents it studies.
- As part of the review, the board will reach out to affected companies, but it's unclear who will cooperate at this time, board chair and DHS official Rob Silvers told reporters.
What they're saying: "The ongoing Lapsus$ hacks represent just the type of activity that merits a fulsome review," said DHS Secretary Alejandro Mayorkas during a press call.
What's next: Silvers said the board is in the early days of its review, and it's still determining its timeline for completing the Lapsus$ investigation.