It’s official: a band of British teenagers managed to hack some of the biggest companies on the planet last year, and they did it all using fairly basic hacking techniques.
That news comes via recently concluded court proceedings in London, where jury members have just convicted two teens of having been members of the notorious cybercrime gang LAPSUS$.
If you’re at all aware of the cybercrime news cycle (no shame if you’re not), LAPSUS$ is a name you’ll likely recognize. Throughout much of last year, the gang fostered a reputation for being a bizarre, chaotic, and flashy criminal enterprise, with a penchant for going after—and successfully pwning—big targets. Not quite a ransomware gang but far from being a bunch of inefficient script kiddies, the group hacked some of the biggest companies in the world during a months-long spree that wreaked havoc throughout Silicon Valley.
BBC News now reports that Arion Kurtaj, 18, is described as having been a key member of the group. Kurtaj, who has autism, is said to have conducted or helped conduct many of the gang’s cyberattacks between late 2021 and early 2022. Kurtaj’s identity was previously leaked to the web by a rival cybercrime faction, but, due to his age, authorities haven’t publicly identified him until now. Psychiatrists deemed Kurtaj not fit to stand trial, so he did not appear in court, the BBC writes.
Another autistic teenager, who is still underage and whose identity has thus not been released, was also found guilty by the court of having been a prominent gang member, BBC reports.
The notches on the gang’s belt included Uber, Nvidia, Microsoft, Samsung, Ubisoft, Rockstar Games, and many others. It was also thought to be connected to a number of bizarre data breaches that used hacked law enforcement email accounts to request data from companies like Apple, Meta, and Snapchat.
Basic intrusion techniques outfox industry security standards
At many points, LAPSUS$ operated unconventionally—and boldly. Case in point: the teens are said to have hacked some of their biggest targets—including Rockstar Games, Uber, and Nvidia—while they were out on bail for their previous hacking crimes. In some cases, the gang didn’t even attempt to ransom the data it had stolen; instead, it would just spill the stolen corporate secrets all over the internet, operating less like a savvy criminal group and more like a band of data terrorists with something to prove.
More than anything, the LAPSUS$ affair seems to have highlighted just how easy it is for cybercriminals to evade most corporations’ security measures. In general, Kurtaj and his entourage seem to have slipped past the defenses of massive corporations with relative ease. A recently published report from the Department of Homeland Security’s Cyber Safety Review Board has provided additional insights on LAPSUS$’ modus operandi, further confirming the gang’s use of simplistic hacking techniques to effect big yields. The report notes:
“Lapsus$ seemed to work at various times for notoriety, financial gain, or amusement, and blended a variety of techniques, some more complex than others, with flashes of creativity… It penetrated corporate networks, stole source code, demanded payments while rarely following up, lodged political messages in shadowy online forums, and swiftly moved on to its next targets. The cyberattacks were not the work of a nation-state actor, nor did they always involve particularly complex or advanced tooling or methods. Yet the attacks were consistently effective against some of the most well-resourced and well-defended companies in the world.”
In short: cybersecurity providers clearly need to step up their game. If a bunch of bored high schoolers can trounce the Fortune 500 crowd’s digital defenses this easily, we are all in some serious trouble.