A group of teenage hackers managed to breach some of the world’s biggest tech firms last year by exploiting systemic security weaknesses in US telecom carriers and the business supply chain, a US government review of the incidents has found, in what is a cautionary tale for America’s critical infrastructure.
The Department of Homeland Security-led review of the hacks, which was shared exclusively with CNN, determined US regulators should penalize telecom firms with lax security practices and Congress should consider funding programs to steer American youth away from cybercrime.
The investigation of the hacks – which hit companies like Microsoft and Samsung – found that, in general, it was far too easy for the cybercriminals to intercept text messages that corporate employees use to log into systems.
“It is highly concerning that a loose band of hackers, including a number of teenagers, was able to consistently break into the best-defended companies in the world,” Homeland Security Secretary Alejandro Mayorkas told CNN in an interview, adding: “We are seeing a rise in juvenile cybercrime.”
After a series of high-profile cyberattacks marked his first four months in office, President Joe Biden established the DHS-led Cyber Safety Review Board in 2021 to study the root causes of major hacking incidents and inform policy on how to prevent the next big cyberattack.
Staffed by senior US cybersecurity officials and executives at major technology firms like Google, the board does not have regulatory authority, but its recommendations could shape legislation in Congress and future directives from federal agencies.
The board’s first review, released in July 2022, concluded that it could take nearly a decade to eradicate a vulnerability in software used by thousands of corporations and government agencies worldwide.
The second review, to be released Thursday, focused on a band of young criminal hackers based in the United Kingdom and Brazil that last year launched a series of attacks on Microsoft, Uber, Samsung and identity management firm Okta, among others. The audacious hacks were often followed by extortion demands and taunts by hackers who seemed to be out for publicity as much as they were for money.
The hacking group, known as Lapsus$, alarmed US officials because they were able to embarrass major tech firms with robust security programs.
“If richly resourced cybersecurity programs were so easily breached by a loosely organized threat actor group, which included several juveniles, how can organizations expect their programs to perform against well-resourced cybercrime syndicates and nation-state actors?” the Cyber Safety Review Board’s new report states.
Hacks associated with Lapsus$ have not been reported in months, in part because multiple alleged members of the group were arrested in the UK last year. But the group’s knack for social engineering – tricking victim organizations to surrender login information by targeting tech support – is a tactic that cybersecurity experts say lives on.
“It really stood out to us how much the group had studied how these businesses operate,” Heather Adkins, a vice president of security engineering at Google and vice chair of the Cyber Safety Review Board, told CNN.
Lapsus$, and other hacking crews like them, have wreaked havoc by conducting “SIM-swapping” attacks, which essentially take over a victim’s phone number by having it transferred to another device.
“When you have SIM swapping, it’s really high impact. It can be really devastating to the victim. They can be cleaned out financially,” Robert Silvers, DHS under secretary for strategy, policy, and plans, who chairs the review board, told CNN.
The board wants telecom carriers to report SIM-swapping attacks to US regulatory agencies, and for those agencies to penalize carriers when they don’t adequately protect customers from such attacks.
Aggressively targeting corporate victims is not unique to juvenile hackers, but in taunting victims and reporters, Lapsus$ has brought new attention to the issue of wayward online youth.
Countries like the Netherlands and the UK have programs to direct young hackers away from crime, but the US is sorely lacking in this area, the board found.
Allison Nixon, a security expert who has worked with young victims of online harassment, told CNN that any new US program for juvenile cybercrime intervention should protect victims as well as perpetrators.
“We very much need a juvenile intervention program,” said Nixon, who is chief researcher officer at security firm Unit 221B, and who was consulted by the review board for their report. “We need processes where these at-risk kids can be put into these programs and directed to a more productive path in life.”
“Many of the perpetrators,” Nixon added, “started out as victims.”