A teenager living in his mother’s house in Oxford is suspected of having masterminded many of the attacks by the prolific new group Lapsus$, multiple sources involved in investigations have told Bloomberg. UK police would not confirm late Thursday if he was one of several teenagers arrested in the UK this week. City of London Police said: “Seven people between the ages of 16 and 21 have been arrested in connection with an investigation into a hacking group. They have all been released under investigation. Our inquiries remain ongoing.”
The revelation comes as some security researchers had been widely publicly puzzled by the poor operational security of the group. Allison Nixon, Chief Research Officer at Unit 221B noted this week: “[The] Okta breach and many others could have been prevented if it wasn’t so hard for Western governments to stop ongoing behavior of underaged hackers who have been fully ID’ed for a really long time and for severe reasons prior to this.”
Lapsus$ arrests: Group was noisy, had poor opsec
Microsoft added in a blog this week that the group had appeared to heavily rely on phone-based social engineering, alongside “SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and MFA approval; and intruding in the ongoing crisis-communication calls of their targets.”
British teenage hackers have a history…
If confirmed, the 16-year-old will join a long line of teenage hackers from the UK who have caused an international outcry for their activities. They include David Price, a British teenager — who got a D grade in his High School computer science exams — who hacked US defence and missile systems. He was accused in the US Senate of “causing more harm than the KGB” and ultimately fined £1,200 for his activities. Many have later gone on to work in “legitimate” security research or cybersecurity roles, including for the government.
Former teenage hacker turned security researcher Marcus Hutchins noted on Twitter: “The identities of the LAPSUS$ hackers have been known for a while.
“It is near impossible to prosecute minors in certain countries, and they know this. They’ll continue causing problems until they turn 18 or cross a line. It’s a recurring problem in cybersecurity. Teenagers are known for causing problems on purpose, but offline their impact is limited. When it comes to the internet, sufficiently advanced teenagers can and have on multiple occasions crippled multinational companies”, he added.
The group had hit security/authentication firm Okta this week, gaining access to the data of up to 366 customers after accessing the laptop of a contractor at the company Sitel via exposed RDP.
(Okta CSO David Bradbury has posted an updated blog here in which he notes “I am greatly disappointed by the long period of time that transpired between our notification to Sitel [of a potential incident] and the issuance of the complete investigation report. Upon reflection, once we received the Sitel summary report we should have moved more swiftly to understand its implications.”)
One security researcher emphasised this week that Lapsus$ techniques for circumventing MFA were increasingly widespread, noting: “The premise of MFA is that an attacker can’t get in with just your password. Increasing difficulty is always good. [But]… It’s been well known that tools like @mrgretzky’s Evilginx allow an attacker clone the target site & steal a browser session. This works perfectly against every MFA except the “unphishable” ones like FIDO/Webauthn. Well, there is another way. LAPSUS$ is maybe the first to make it publicly known. If you have a user/pass, you can just generate the MFA prompt (via push, call, etc) and hope the target accepts it.
“Keep bombing them until they do! This is the most loud way of doing it, but it works! If you tested this at most companies, you’d probably see ~25% success rate. Great odds when all you need is 1!
“Reporting rates are likely very low too. The trendy PhishSim platforms HELP make this a blind spot. But bombing the target is loud. You can send 1-2 per day and still find similar success. Even better: interface with the target (phone call, phishing page, etc) & tell them they will receive a push/call/etc that needs to be confirmed. Use your imagination. Once this happens, if I need to stick around for longer (or go deeper into the system), I’ll look for a way to add an extra MFA, get backup codes, etc. these are things that a good defense will also notice.
“For those with FIDO/Webauthn: good work, you’re immune to the above. But your backup/recovery mechanisms aren’t! Do you have mitigations in place for that? Red Teams have been playing with variants on this for years. It’s helped companies fortunate enough to have a Red Team. But real world attackers are advancing on this faster than the collective posture of most companies has been improving. If you feel the need to explain how this “isn’t new” then you’re missing the point. This hasn’t crossed the gap into the “awareness” realm.”