How fame-seeking teenagers hacked some of the world’s biggest targets


How fame-seeking teenagers hacked some of the world’s biggest targets
Getty Images

reader comments
23 with

A ragtag bunch of amateur hackers, many of them teenagers with little technical training, have been so adept at breaching large targets, including Microsoft, Okta, Nvidia, and Globant, that the federal government is studying their methods to get a better grounding in cybersecurity.

The group, known as Lapsus$, is a loosely organized group that employs hacking techniques that, while decidedly unsophisticated, have proved highly effective. What the group lacks in software exploitation, it makes up for with persistence and creativity. One example is their technique for bypassing MFA (multi-factor authentication) at well-defended organizations.

Studying the Lapsus$ hacking playbook

Rather than compromising infrastructure used to make various MFA services work, as more advanced groups do, a Lapsus$ leader last year described his approach to defeating MFA this way: “Call the employee 100 times at 1 am while he is trying to sleep, and he will more than likely accept it. Once the employee accepts the initial call, you can access the MFA enrollment portal and enroll another device.”

On Thursday, the Homeland Security Department’s Cyber Safety Review Board released a report that documented many of the most effective tactics in the Lapsus$ playbook and urged organizations to develop countermeasures to prevent them from succeeding.

Like a few other more technically advanced threat groups, Lapsus$ “showed adeptness in identifying weak points in the system—like downstream vendors or telecommunications providers—that allowed onward access to their intended victims,” the officials wrote in the 52-page report. “They also showed a special talent for social engineering, luring a target’s employees to essentially open the gates to the corporate network.”

compliant with the FIDO2 industry standard.

  • The breach of Nvidia’s corporate network and purported theft of 1 terabyte of company data. In return for Lapsus$ not leaking the entire haul, the group demanded Nvidia allow its graphics cards to mine cryptocurrencies faster and to make its GPU drivers open source.
  • The posting of proprietary data from Microsoft and single-sign-on provider Okta, which Lapsus$ said it obtained after hacking into the two companies’ systems.
  • The network breach of IT services provider Globant and the posting of as much as 70 gigabytes of data belonging to the company.
  • The reportedly multiple breaches in March 2022 of T-Mobile. The hacks reportedly used a technique known as SIM swapping—in which threat actors trick or pay phone carrier personnel to transfer a target’s phone number to a new SIM card. When the group got locked out of one account, it performed a new SIM swap on a different T-Mobile employee.
  • Hacking into Brazil’s Ministry of Health and deleting more than 50 terabytes of data stored on the ministry’s servers.
  • The mostly successful targeting of many additional organizations, including, according to security firm Flashpoint, Vodafone Portugal, Impresa, Confina, Samsung, and Localiza.

    • passkeys, based on FIDO2. Like all FIDO2 offerings, passkeys are immune to all known credential phishing attacks because the standard requires the device that provides MFA to be no further than a few feet away from the device logging in.

    Another recommendation is for the Federal Communications Commission and the Federal Trade Commission to beef up regulations concerning the porting of phone numbers from one SIM to another to curb SIM swapping.

    “Organizations must act now to protect themselves, and the Board identified tangible ways to do so, with the help of the US government and the companies that are best prepared to provide safe-by-default solutions to uplift the whole ecosystem,” the report’s authors wrote. “Many of the Board’s recommendations come within the broader theme of ‘security by design,’ reflecting the larger industry conversation, including the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure by Design efforts.”

    Article Tags:
    Article Categories:
    Technology

    Related Articles