Cyber Safety Review Board to focus its next report on the Lapsus$ extortion group

The Cyber Safety Review Board will focus its next report on recent attacks linked to Lapsus$, an international cybercrime group specializing in ransomware and extortion, the Department of Homeland Security announced on Friday.

The CSRB – a public-private initiative established under President Joe Biden's 2021 executive order on improving the nation's cybersecurity – said its next report and series of recommendations will "build on the lessons learned" from its first review published in July on the Log4j security flaw, according to DHS Secretary Alejandro Mayorkas. 

“The Cyber Safety Review Board has quickly established itself as an innovative and enduring institution in the cybersecurity ecosystem,” Mayorkas said in a statement, adding that the CSRB will “share actionable recommendations to help the private and public sectors strengthen their cyber resilience.”

The announcement comes after reports throughout the year linked the Lapsus$ hacking group to high-profile breaches targeting major companies like Microsoft, Uber and Okta. The FBI has launched an investigation into the group's reported efforts to infiltrate U.S.-based tech companies, and police in London arrested several teenagers reportedly associated with Lapsus$. 

The CSRB published its first report earlier this focusing on the Log4j vulnerability, featuring 19 recommendations for the public and private sectors to mitigate risks associated with the major software flaw. The board lacks the regulatory authority to make its recommendations enforceable, however. 

But the CSRB put forward ambitious goals in the wake of its first-ever report, refining its procedures and adding staff and infrastructure ahead of its second review. 

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said in a statement that the Lapsus$ group has "perpetrated damaging intrusions against multiple critical infrastructure sectors,  including healthcare, government facilities and critical manufacturing.

"The range of victims and diversity of tactics used demand that we understand how Lapsus$ actors executed their malicious cyber activities so we can mitigate risk to potential future victims," she added.

The CSRB features 15 members across the public and private sectors, including DHS Under Secretary for policy Rob Silvers, who serves as the chair of the board, as well as Heather Adkins, senior director of security engineering at Google and the board's deputy chair. Members also include National Cyber Director Chris Inglis, federal Chief Information Security Officer Chris DeRusha and Department of Defense Chief Information Officer John Sherman.