According to Bloomberg News, four researchers investigating Lapsus$ believe they have identified this child as the mastermind of the group. Another member is believed to be a teenager living in Brazil. At the time of writing, researchers have not been able to conclusively link the teenager in England to each of the attacks claimed by Lapsus$, and there have been no public charges of wrongdoing by law enforcement, the report notes.
As the world watched for the Russian hack of Ukraine and other targets, Lapsus$ continued its own operations, adding to the global wave of cybercrime that is believed to cost the global economy more than $1 trillion a year.
Many of the tactics Lapsus$ deploys are familiar to security response teams. Among them is social engineering, where an attacker impersonates a person in order to trick a help desk employee into providing access to systems or providing sensitive information that can be used to breach a target, Microsoft noted. SIM swapping is another, in which the hacker manages to take over a victim’s phone number in order to receive a multi-factor security code sent via text message.
But rather than quietly planning an intrusion, including setting up a cryptocurrency wallet and customizing a ransom note for each victim, Lapsus$ seems to have taken a more high-profile approach. It is one that is far riskier than that of more disciplined actors driven solely by money, and may instead be driven by a desire for notoriety.
The group even announced through a Telegram group its intention to buy credentials from employees of victimized companies, which would then be used to breach the company’s security systems. The purported goal was to gain access to computers, steal data, and then demand payment to prevent the disclosure of sensitive information to the public. This was the apparent motive for a breach of user authentication provider Okta.
Call it overconfidence, or the brashness of youth, but the actions didn’t stop there. He, or they, went so far as to join victim chat rooms and crisis communication calls — on platforms like Slack and Microsoft Teams — to listen to the response, Microsoft noted.
In contrast, Conti and REvil tend to sneak into a target’s servers, encrypt thousands of files, and leave a personalized note describing how payment can be made. That’s the approach taken by DarkSide, which shut down Colonial Pipeline Co. in the United States last April.
Still, it shouldn’t be concluded that youth fully explains Lapsus$’s audacious approach. In fact, some of the world’s most notorious hackers were teenagers when they took their first steps into the cyber world. Kevin Mitnick was 16 when he broke into the systems of Digital Equipment Corp. in 1979. Jonathan James was 15 when he started and counted the US Department of Justice among his victims. Canadian Michael Calce’s targets included the websites of Yahoo, eBay and Dell when he was 17.
That adolescence is a challenge for law enforcement and prosecutors. Many jurisdictions do not charge perpetrators as adults. James, for example, ended up pleading guilty to two counts of juvenile delinquency and was sentenced to house arrest and probation. Facing nearly 20 charges, Mitnick entered into a plea bargain, took the rap on just seven and served five years. Calce received eight months in a youth detention center.
While jail is an obvious risk, there are also perceived benefits for young hackers. Mitnick ended up writing a book, inspired the Hollywood movie “War Games” and went on to a prolific career as a security consultant. Calce has also gone over to the good guys as a white hat. But not all juvenile delinquents had a happy ending. James took his own life aged 24 after being accused of a hack he did not commit, while another, Adrian Lamo, died in what is believed to be an accidental drug overdose.
Security professionals know that child hackers are smart, skilled, and extremely dangerous. The police and the courts also remember that they are still only children.
This column does not necessarily reflect the opinion of the Editorial Board or of Bloomberg LP and its owners.
Tim Culpan is a technology columnist for Bloomberg Opinion. Based in Taipei, he writes about Asian and global businesses and trends. He previously covered the Bloomberg News beat.