LAPSUS$ Ransom Gang Proves It Is Easier to Hack People than Computers

Much has been written about LAPSUS$, the yobbish group of hackers and extortionists who caused mayhem for such varied victims as Microsoft, Nvidia, Samsung, Ubisoft and Okta. It is easy to understand why; their Telegram channel has 50,000 subscribers and they run surveys asking who they should attack next. With so many facts and opinions already committed to digital ink, it hardly seemed necessary to add my views about LAPSUS$, even though telcos like Claro, Embratel, Vodafone and AT&T rank amongst their targets. Nevertheless, the arrest of one of the gang-leaders, a teenage boy who lives down the road from me, and exhaustive commentary about their methods prompts me to make two observations that few are willing to make, even though they should be separated from other details like wheat is separated from chaff.

British Society Is Failing Boys

When a 16-year-old boy is able to amass wealth of over BTC300 (USD13mn) through criminal activities conducted exclusively via a computer in the family home, then the problem will not be solved by increasing corporate security budgets or training staff to be wary of social engineering. Something has already gone badly wrong with the degree of adult supervision and the amount of time a child is allowed to spend in front of a screen. The boy’s father told the BBC:

I always thought he was playing games.

Excuse me, but using Reddit to offer USD20,000 bribes to insiders working for T-Mobile, AT&T and Verizon does not look anything like a computer game.

In an era when comms providers are tasked with protecting children from being groomed online and are expected to censor images that are not suitable for young eyes, it beggars belief that a parent can believe they are acting responsibly whilst their son has the time and freedom to engage in extensive negotiations with criminals around the world. Too much focus is put on technological solutions for societal problems. Sixteen-year-old boys can find lots of ways to get into trouble, but a kid who looks like he is kicking a football in the park or eating a hamburger in a fast food restaurant is not investing time in a multi-million dollar criminal conspiracy. Better still, parents who talk to their children every day might learn what their children are doing the rest of the time.

Matters are made worse by the lenient punishment typically given to those few young cyber crooks who actually get caught. Case after case involves male hackers in their teens or early twenties. They pirate content, swap SIMs, and harass women online in the mistaken belief that crimes committed without leaving the bedroom can never have consequences in real life. In such an environment, and faced with police that lack the skills and resources to enforce cyber laws, it is not surprising that their activities can escalate to the point where they are stealing millions or lives are put at risk through despicable tactics like swatting. By then it is questionable if the child can ever be fully reformed, but judges hand out punishments so laughably weak that it is no wonder that immature boys keep finding plenty of mentors to tutor them in how to conduct cybercrime.

It is hard to see how locking up some of these cyber gangsters could make them any worse a threat to society, as the criminal computing skills they learned through the internet are more dangerous than anything they will learn from the average prisoner. However, if judges are unable or unwilling to give custodial sentences then we need to ask why no more burden is being placed on the guardians who permit their children to become so dysfunctional. Confiscating the houses of a few parents for reparations and sending their wayward kids to live in a computer-free remand school would soon send a message that other parents would notice, even if they currently pretend they cannot tell the difference between a computer game and an endless stream of crime routed through their home wi-fi.

There Are Crooks in Your Organization

I do not care what your corporate HR policy says, or how much you want to see the good in everyone you meet; if you work in a company that employs more than 10 people, then chances are that one of your colleagues is a crook. You might not have caught them, you might not be trying to catch them, but they will still embrace crime if given the opportunity. That means they will break the law if they believe it will profit them to do so, and if they also believe they will not be caught. The latter point is crucial. If you make no effort to catch crooks within your business, then they have no reason to believe they will ever be caught. It boggles the mind to see some businesses implement more controls surrounding access to the biscuits in the employee kitchen than surrounding the data on corporate servers. I suppose the difference is that people can see if the biscuits have been taken whilst nobody notices the abuse of data unless specific monitoring has been put in place.

Microsoft’s blog post about LAPSUS$, who they drily refer to as DEV-0537, emphasizes the extent to which this group relied on low-tech methods to achieve their goals. The choice of victims and use of the Portuguese language for public communications suggests LAPSUS$ originated in Brazil, and that the British teenager was recruited in order to have a native English speaker for social engineering of relevant targets. Microsoft noted a SIM swap was used to take control of somebody’s phone as part of a strategy for gaining access to the corporate network of that individual’s employer. Once LAPSUS$ gained access to a network, they would look for unpatched vulnerabilities on servers and they searched code repositories and collaboration platforms for unprotected user credentials. None of these techniques are technologically sophisticated, though they did cause lots of harm.
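The article notes that, once inside a network, LAPSUS$ searched code repositories and collaboration platforms for unprotected user credentials. The defensive counterpart is to search those same places yourself before anyone else does. The script below is an added example, not code from Commsrisk, Microsoft or anyone connected with the case: a small scan that flags hard-coded credentials in a checked-out repository or wiki export and filters out templated placeholders. The file contents are constructed, the AKIA... value is the example access key ID from AWS's own documentation, and the rule names, placeholder markers and entropy threshold are this example's own choices.

```python
"""Secret-scanning sketch: flag credentials left in a code repository or shared
document. Added example, not code from Commsrisk, Microsoft or the LAPSUS$ case;
every file below is constructed, and the AKIA... key is AWS's documented example."""
import math
import re
from collections import Counter

# Credential shapes to look for. The AWS access key ID format (AKIA plus 16
# uppercase alphanumerics) is publicly documented; the other rules are generic
# and would need tuning before use on a real code base.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # group 1 captures the quoted value so it can be checked for placeholders
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    # long bare strings are only reported when their entropy looks machine-generated
    "bare_high_entropy_token": re.compile(r"\b[A-Za-z0-9_\-]{32,}\b"),
}
PLACEHOLDER_MARKERS = ("${", "{{", "<", "changeme", "example")
TOKEN_ENTROPY_THRESHOLD = 4.0  # bits per character; identifiers and words sit well below this


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for the empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value: str) -> bool:
    """True for templated or obviously fake values such as ${VAULT_PATH} or changeme."""
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(path: str, text: str) -> list:
    """Return one finding per suspected hard-coded credential in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if rule == "credential_assignment" and is_placeholder(value):
                    continue  # templated value, not a leaked secret
                entropy = shannon_entropy(value)
                if rule == "bare_high_entropy_token" and entropy < TOKEN_ENTROPY_THRESHOLD:
                    continue  # long identifier or word, not a token
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "entropy": round(entropy, 2)})
    return findings


def scan_repo(files: dict) -> list:
    """Scan a mapping of path -> contents (stand-in for a checked-out repo or wiki export)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, for a quick triage view."""
    return dict(Counter(f["rule"] for f in findings))


# Constructed sample "repository": a config file, an env file, a committed key,
# an onboarding page with a templated value and a pasted token, and clean source.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "hunter2hunter2"\nDEBUG = False\n',
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "deploy/id_rsa": ("-----BEGIN RSA PRIVATE KEY-----\n"
                      "(key material omitted in this constructed sample)\n"
                      "-----END RSA PRIVATE KEY-----\n"),
    "wiki/onboarding.md": ('The VPN password = "${VAULT_PATH}" is pulled from the vault.\n'
                           "Legacy API users paste Zq9xR2mW7vK4pL1nB8tY3cF6hJ0dS5gA into the header.\n"),
    "src/app.py": "def connect():\n    return db.connect(user='svc')\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']}  {finding['rule']}  entropy={finding['entropy']}")
    print(summarize(scan_repo(SAMPLE_FILES)))
```

Run against the constructed files it reports one finding in each of the four leaky files and nothing for the clean source or the templated `${VAULT_PATH}` value. The entropy field is a triage aid only: a weak but real password such as the one in `settings.py` scores low, so entropy is never used to suppress an assignment match, only to suppress bare long strings that are really identifiers.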

The methods used by LAPSUS$ share a lot of similarities with methods typically used by young criminals who try to steal from the cryptocurrency wallets of well-known crypto investors. They begin by identifying a potentially lucrative target. Then they use a SIM swap to gain control of the target’s phone. Control of the phone is a launching point to take over various other accounts in the hope their victim blundered by saving passwords to a cloud-based document or another poorly-guarded resource. But as simple as these techniques are, nothing is simpler than offering a straightforward bribe. Referring to LAPSUS$ as ‘hackers’ exaggerates the extent to which they pursued their goals by finding flaws with technology. It was easier for LAPSUS$ to use the wealth they had already amassed to pay insiders to provide them with the information and access they sought.

Microsoft reflected on the implications of the LAPSUS$ method for any security program.

The social engineering and identity-centric tactics leveraged by DEV-0537 require detection and response processes that are similar to insider risk programs – but also involve short response timeframes needed to deal with malicious external threats.

This puts it too mildly, just as British society has been too mild in conceptualizing the threat posed by wayward children and irresponsible parents. ‘Short response timeframes’ matter, but what also matters is firing bad employees. Get used to the idea of a lot more staff members being escorted out of the building by security, with some of them wearing handcuffs. Chances are that few organizations will be able to detect crooked activities quickly enough if they are not already in the habit of detecting and firing the crooks already in their midst. Deterrence will then serve a useful purpose. Though it is impossible to measure the benefits added by deterrence, you might as well seek to maximize those benefits because preventing a crime is better than detecting a crime, and a good way to prevent crime is to so discourage the would-be criminal that they refuse to consider any bribes offered to them. Bear in mind that you have no reason to believe LAPSUS$ is a one-off or the peak of an unwelcome trend that may die away. For all we know, internet-enabled bribery of corporate insiders with access to secure systems will grow continually worse as more young men come to believe they have chanced upon a quick and easy route to riches.
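Microsoft's comparison with insider risk programs, and the point above that nobody notices abuse of data unless specific monitoring is in place, both come down to recording who accesses what and looking at that record. As an added example (not Microsoft's or Commsrisk's code, and not drawn from the LAPSUS$ investigation), the script below runs two basic insider-risk detections over a constructed access log: a user-day on which the number of distinct customer records touched far exceeds that user's own median, and any access outside office hours. The log format, user names, record identifiers, thresholds and every log line are constructed for the example.

```python
"""Insider-risk detection sketch: spot an account whose access to customer records
jumps far above its own history, and access outside working hours. Added example,
not Microsoft's or Commsrisk's code; the log format and every line are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from typing import Optional

# Constructed log format: one line per record view.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "action": m["action"], "record": m["record"]}


def distinct_records_per_day(events: list) -> dict:
    """user -> ISO date -> number of distinct records touched that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["ts"].date().isoformat()].add(e["record"])
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def detect_bulk_access(events: list, multiplier: float = 4.0, min_records: int = 20) -> list:
    """Flag any user-day whose distinct-record count is at least min_records and
    exceeds multiplier times the median of that user's other days. A user with
    no other days has baseline 0, so a large first day is flagged as well."""
    alerts = []
    for user, per_day in distinct_records_per_day(events).items():
        for day, count in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            baseline = median(others) if others else 0
            if count >= min_records and count > multiplier * baseline:
                alerts.append({"user": user, "day": day, "count": count, "baseline": baseline})
    return alerts


def detect_off_hours(events: list, start_hour: int = 7, end_hour: int = 20) -> list:
    """Return events outside [start_hour, end_hour) UTC; adjust to local office hours."""
    return [e for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def build_sample_log() -> list:
    """Constructed sample: two staff with a steady daytime pattern over one week,
    then one of them pulls 40 customer records late on a Monday evening."""
    lines = []
    for day in range(14, 19):  # 2022-03-14 to 2022-03-18, the baseline week
        for i in range(5):
            lines.append(f"2022-03-{day}T10:{i:02d}:00Z user=alice action=view_customer record=C{day}{i}")
        for i in range(6):
            lines.append(f"2022-03-{day}T11:{i:02d}:00Z user=bob action=view_customer record=C{day}9{i}")
    for i in range(40):  # the anomaly: 40 distinct records at 22:xx
        lines.append(f"2022-03-21T22:{i:02d}:00Z user=alice action=view_customer record=C5{i:03d}")
    lines.append("malformed line that the parser should skip")
    return lines


def run(lines: list) -> dict:
    """Parse the log and return both detections' results."""
    events = [e for e in map(parse_line, lines) if e]
    return {"bulk": detect_bulk_access(events), "off_hours": detect_off_hours(events)}


if __name__ == "__main__":
    result = run(build_sample_log())
    for a in result["bulk"]:
        print(f"BULK  {a['user']} {a['day']}: {a['count']} records vs baseline {a['baseline']}")
    print(f"OFF-HOURS events: {len(result['off_hours'])}")
```

On the constructed log the bulk rule fires once, for alice on 2022-03-21 (40 records against a baseline of 5), and the off-hours rule returns those same 40 events; bob's steady six records a day never trips either rule. The per-user baseline matters: a fixed global threshold would either miss a low-volume role that suddenly doubles its activity or drown a billing team in false alerts.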

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.