16-year-old wreaks havoc on Microsoft Corp, Okta: Lapsus$, Conti and REvil

Juvenile cybercrime is not uncommon, but these exploits are not like other malware attacks.

At a house in Oxford, England, a 16-year-old living with his mother has wreaked havoc on the other side of the world. Assuming the hacker is male, he has hacked victims from Microsoft Corp. to Okta Inc. and left a trail of chaos. His apparent youth isn’t the only thing that sets this operator apart from more famous ransomware gangs like Conti and REvil. His outfit, dubbed Lapsus$, “is known for employing a pure extortion and destruction model without deploying ransomware payloads,” Microsoft noted in a blog post this week. The US software company uses the designation DEV-053 to track the group.

According to Bloomberg News, four researchers investigating Lapsus$ believe they have identified this boy as the brains of the group. Another member is suspected of being a teenager living in Brazil. On Thursday, the City of London police arrested seven people – between the ages of 16 and 21 – in connection with an investigation into the group. Police have not identified the hacking gang, but a person involved in the investigation said the arrests were related to the case.

While the world kept a close eye on Russian hacking of Ukraine and other targets, Lapsus$ continued operations of its own, contributing to the global wave of cybercrime that is estimated to cost the global economy more than $1 trillion a year.

Many of the tactics deployed by Lapsus$ are known to security teams. Among them is social engineering, in which an attacker impersonates a person to trick a help desk worker into giving access to systems or providing sensitive information that can be used to breach a target, Microsoft noted. SIM swapping is another, where the hacker successfully replaces a victim’s phone number with their own to receive a multi-factor security code sent by text message.

But instead of quietly planning a break-in, including setting up a cryptocurrency wallet and customizing a ransom note for each victim, Lapsus$ seems to have taken a slightly more high-profile approach. It is much riskier than the approach of more disciplined operators motivated solely by money, and may instead be spurred on by a desire for fame.

The group even advertised through a Telegram group its willingness to buy credentials from employees of victim companies, which would then be used to breach corporate security systems. The alleged purpose was to access computers, steal data and then demand payment in order to prevent the release of sensitive information to the public. That was the apparent motive for a breach of user authentication provider Okta.

Call it hubris, or the rashness of youth, but it didn’t stop there. He, or she, went so far as to join victims’ discussion forums and crisis communication calls — on platforms such as Slack and Microsoft Teams — to eavesdrop on the response, Microsoft noted.

In contrast, Conti and REvil tend to sneak into a target’s servers, encrypt thousands of files and leave a custom note explaining how to make the payment. That’s the approach of Darkside, which last April brought Colonial Pipeline Co. to a halt in the US.

Still, we should not conclude that youth fully explains Lapsus$’s bold approach. Some of the world’s most notorious hackers were also teenagers when they took their first big steps into the cyber underworld. Kevin Mitnick was 16 when he broke into Digital Equipment Corp.’s systems in 1979. Jonathan James was 15 when he started, counting the US Department of Justice among his victims. Canadian Michael Calce’s targets included the Yahoo, eBay and Dell websites when he was 17.

That youth is a challenge for law enforcement officers and prosecutors. Many jurisdictions will not charge offenders as adults. James, for example, eventually pleaded guilty to two counts of juvenile delinquency and was sentenced to house arrest and probation. Of the nearly 20 charges filed against him, Mitnick entered a plea deal, took only seven years and served five years. Calce was given eight months in a juvenile detention center.

While jail time is an obvious risk, there can also be upsides for young hackers. Mitnick eventually wrote a book, inspired the Hollywood movie “War Games,” and went on to have a prolific career as a security consultant. Calce also moved over to the side of the good guys as a white hat. But not all juvenile delinquents had a happy ending. James took his own life at age 24 after being charged with a hack he didn’t commit, while another, Adrian Lamo, died in what is believed to be an accidental drug overdose.

Security professionals know that kid hackers are smart, skilled, and extremely dangerous. Police and courts also remember that they are just children.

Tim Culpan is a technology columnist for Bloomberg Opinion. Based in Taipei, he writes about Asian and global companies and trends. He previously covered the beat for Bloomberg News.