CISA urges organizations to adopt passwordless security in LAPSUS$ report

CISA passwordless: Security padlock operating on the electronic circuit CPU
(Image credit: Getty Images)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a report on the LAPSUS$ hacking group, which urges public and private organizations to adopt passwordless authentication and zero-trust architecture to curb future attacks.

Within the report, the contributing agencies acknowledged that LAPSUS$ methodology is commonplace and has historically been reliant on organizational security failures rather than novel attack vectors. 

They additionally urged for better strategies to prevent and respond to cyber attacks, as well as closer security dialog between companies and third-party providers.

Throughout 2021 and 2022, hackers identifying with the LAPSUS$ group committed a number of cyber attacks on organizations by exploiting weaknesses such as overreliance on SMS-based two-factor authentication.

CISA issued a series of immediate recommendations on the back of the findings, including for businesses to adopt passwordless authentication methods and to implement better protections against social engineering and phishing, both favored by LAPSUS$.

LAPSUS$ threat actors have demonstrated proficiency in using social engineering to obtain victims’ phone numbers and passwords. Methods included crawling through public information and fraudulent phone calls which were backed up by spear phishing.

Application developers were specifically told to implement FIDO 2-compliant authentication within consumer phones by default, which would in turn empower businesses to easily switch to passwordless authentication for all staff.

The report was written by the Cyber Safety Review Board (CSRB), which includes members from the Department of Homeland Security, CISA, Department of Defense, Federal Bureau of Investigation, and private companies such as Google and Palo Alto Networks.

Telecommunications providers were advised to put protections in place to prevent SIM swapping attacks, in which a hacker exploits the process consumers use to move their phone number to a new device to activate their own SIM under the victim’s number.

With control of a victim’s number, attackers can use SMS-based two-factor authentication to escalate their access to sensitive accounts.

“The Board examined how a loosely organized group of hackers, some of them teenagers, were consistently able to break into the most well-defended companies in the world,” said Robert Silvers, CSRB chair and DHS under-secretary for policy.

“We uncovered deficiencies in how companies ensure the security of their vendors; how cell phone carriers protect their customers from SIM swapping; and how organizations authenticate users on their systems. The Board put forward specific recommendations to address these issues and more, in line with the Board’s mandate to conduct comprehensive after-action reviews of the most significant cyber incidents.”

CISA stated mobile network operators should embrace zero-trust approaches to security and invest in methods by which compromised devices could be remotely wiped. 


Whitepaper cover with title in green: Business value of security operations

(Image credit: ServiceNow)

See what happens when your security, risk and IT teams can gain unprecedented visibility of threats


The Federal Communications Commission (FCC) and Federal Trade Commission (FTC) have also specifically asked telcos to be more transparent when it comes to SIM swapping statistics.

The fact that some of the LAPSUS$ group hackers were teenagers was repeated throughout the report and was used to emphasize the unacceptable ease with which some of the attacks were perpetrated.

It was also suggested that agencies in the US could follow the example of some international law enforcement agencies in instituting schemes to identify at-risk juveniles and support their cyber hobbies in positive manners such as through hackathons or gaming tournaments.

This was identified as a cost-effective way to reduce attacks, as well as to channel talented individuals into cyber security roles to address tech skills shortages.

To improve the entire sector the authors also encouraged private companies to share more data around cyber attacks with the government, and for government entities to expand cooperation with international law enforcement agencies on hunting cyber criminals.

“The CSRB’s latest report reinforces the need for all organizations to take urgent steps to increase their cyber resilience, including the implementation of phishing-resistant multi-factor authentication,” said Jen Easterly, director at CISA.

“I look forward to working with our federal and industry partners to act on the CSRB’s recommendations, to include continuing our secure-by-design work with technology manufacturers to ensure that necessary security features are provided to customers without additional cost.”

LAPSUS$, tracked by Microsoft as Strawberry Tempest, has been linked to a number of high-profile cyber attacks and ranked among the most active and malicious groups of 2022.

In 2022 the group hacked Nvidia and leaked the chip firm’s internal data, and followed this with a large breach of software development firm Globant that implicated a number of its high-profile clients.

The same year the group breached T-Mobile to steal source code, and committed a very public attack on Uber by convincing an employee to text their password under the pretense of being a member of the firm’s IT team.

Rory Bathgate
Features and Multimedia Editor

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.

In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at or on LinkedIn.