Lapsus$ hacking group may be a bunch of teenagers

A hacking group thought to be responsible for high-profile breaches of Samsung, Microsoft, and other companies in recent months appears to be a group of teenagers and young adults, not a well-funded cybercrime organization.

In addition to the cyberattacks on Samsung and Microsoft, the Lapsus$ hacking group has claimed responsibility for recent data breaches at Nvidia, Ubisoft, and Okta, a provider of digital identity authentication services.

Some security researchers have accused a 16-year-old living near the University of Oxford in the United Kingdom of being the group’s mastermind. And in late March, London police arrested seven people between the ages of 16 and 21 in connection with an investigation into Lapsus$.

Many cybersecurity experts weren’t surprised that a group of teenagers pulled off the attacks.

Several large tech companies were founded by people in their teenage years or early 20s, noted Lucas Budman, the CEO of cybersecurity vendor TruU. “So, it’s not at all surprising that cyberattacks can be pulled off by such young perpetrators,” he told the Washington Examiner.

In addition, some of the attacks didn’t appear particularly sophisticated, with some breaches appearing to be cases of compromised credentials, he added. “If an organization is still using passwords, they can expect to be breached,” Budman said.

However, other experts suggested that there was some skill involved in the attacks. In some cases, the hacker group used advanced attack methods and was able to compromise companies such as Okta, which is known for its security measures, said Joseph South, a skills author at the Infosec Institute, a cybersecurity training organization.

“I believe these teenagers must have had some sort of guidance, either hacker forums or some sort of mentorship to where they learned these skills,” he told the Washington Examiner. “It typically takes years for hackers to master these techniques, so for a teenager to pull off this attack, I suspect there might be some sort of guidance [or] mentorship taking place.”

In some cases, carrying out an attack requires a series of steps that must be successful for it to work, South added. “Typically, you would learn these sorts of things from hours, if not days, spent researching the gaps in the security of smaller targets and mastering your techniques on those targets before going after your prime target,” he said. “These teenagers could have learned this via various available books, online forums, mentors, or dark web hacker forums.”

Many resources for new hacking groups are now available, added Darren Williams, the founder and CEO of BlackFog, a ransomware prevention firm. Online tools such as ransomware-as-a-service give wannabe hackers resources to get started.

These as-a-service attack models have “opened the floodgate for any group to arm themselves with the best tools available to launch attacks,” Williams told the Washington Examiner. “This business model is quite common where the technical teams produce the software like an OEM software provider and then take a percentage of any successful attack.”

In addition, there’s plenty of information on the dark web and various chat groups to help hackers train themselves, he added. “It doesn’t take very long to find out where to go if you are interested in becoming a cybercriminal,” he said.

Some experts suggested that members of Lapsus$ were both trying to gain notoriety and make money from the breaches. Some news reports suggested the alleged ringleader has made millions of dollars from the breaches.

“Before this hack, no one heard of Lapsus$, two weeks later, and it’s a household name on most news channels,” South said. “Once the group gains notoriety, they typically aim to start making more money, recruiting members, and hitting larger targets to make more of a name for themselves.”

While many cybersecurity experts have warned about state-sponsored hacking groups in recent years, that’s not always where the attacks are coming from, Williams added. “The reality is that many of these groups are opportunists that see it as a way to make easy money,” he said. “With the tools easily available and the general malaise within corporations that think it will never happen to them, the time is perfect for cybercriminals to take advantage of the situation.”
