International cyber hackers are not only getting smarter, but also younger. On Sept. 23, 2022, London Police arrested seven teenagers for hacking into popular ride-sharing company Uber. The teens were affiliated with Lapsus$, an up-and-coming international ransomware group that gained an infamous reputation for breaching big tech companies such as Microsoft, Nvidia, Okta, Samsung, and Ubisoft.
The conversation around cybercrime and children often circulates in the context of protecting minors from online threats. But according to the UK’s National Crime Agency (NCA), between the years of 2019 to 2020, there was a 107% increase in police reports of students as young as nine years old acting as hackers and deploying Distributed Denial of Service (DDoS) attacks. A DDoS attack involves a hacker compromising a system by flooding the server with multiple requests, thereby causing traffic to the site and preventing users from accessing it. Young people are not the exception to hack attacks but instead products of an unsafe cyber community. This lack of accountability for young hackers led to the breach of millions of users’ data for Uber.
Specifically for the Uber attack, the teen hackers employed a common tactic known as “social engineering,” where they gained unauthorized access to a contractor’s login credentials via the Dark Web and spammed them with multiple two-factor authentication requests until the contractor accepted. Over 400 businesses are targeted by spear-phishing scams daily, so what makes this attack different?
According to the hackers, the motivation behind the attack was to both expose Uber’s weak security system and demand higher wages for Uber drivers. While it is commonly assumed that hackers only seek to extort large sums of money or gain political power, this group primarily sought public attention to promote its cause.
Additionally, the juvenile nature of Lapsus$ sets it apart from other hacking groups. Lapsus$ is not just the work of one hacker but a network of people working cross-country in the UK and Brazil. The exact number of members and locations are unknown. However, the sufficient trail of digital footprints revealed the juvenile nature of the group. Allison Nixon, chief research officer at the cybersecurity firm Unit 221B, says they are just children who grew up in an environment groomed for cybercrime. Like children, this teenage hacking group seems more motivated by clout rather than profits. Their juvenile tactics to jeer at security professionals are rather unorthodox in the adult hacking space.
Lastly, unlike state actors, Lapsus$ is a difficult group to predict the next steps or actions the group could take. While there is a possibility that the group’s future targets may be inspired by a traditional ideological or hacktivist incentive, such as one biased by personal motives, there is also a possibility that the group may choose to engage in criminal activity.
Several weeks have passed since the attack occurred, yet Uber has released virtually no information on how it plans to reorganize its employee training framework. On the other hand, Lapsus$ continues to hack companies such as Rockstar Games while avoiding accountability. Without adequate measures that prioritize cybersecurity awareness, the number of data breaches will only exacerbate gaps in international security and defense.
To help address the lack of security training guidance in the workforce, the SysAdmin, Audit, Network and Security (SANS) Institute published its 2022 Security Awareness Report, which calls for employing a 10-to-1 ratio of technical security professionals to human-focused security professionals. For every ten employees skilled in the technical side of cybersecurity networks, companies should consider hiring one professional skilled in the humanitarian side of cybersecurity, meaning they can empathize with how their non-technical clients interact with their products and services. The International Cyber Expo held in the UK also detailed the importance of including training on emerging technologies such as artificial intelligence and blockchain, both of which play a vital role in securing threat intelligence.
Another step towards mitigating cyber attacks is to start from the source. As October marks Cybersecurity Awareness Month in Australia and the United States, companies like Palo Alto Networks have taken the initiative to launch Cyberfit Nation, a free online educational program targeting all age ranges. Its submodule, Cyber Safe Kids, is a virtual session that not only provides children with technical safety skills but also educates them on what it means to be a good digital citizen.
It’s important to maintain security training for employees, but it’s even more important to expand cybersecurity education in public schools. With proper training on how to utilize technical skills for good, teenagers and young adults can weigh the cost of abiding by the law against committing an international crime. As we have seen with the Uber example, what surprised many of the employees and the public was that teenagers had outsmarted IT professionals. By expanding cyber education to promote ethical security practices among students, states can ultimately prevent the number of hacking incidents from increasing.