Two UK Teenagers Convicted for LAPSUS$ Hacking Activities Targeting Major Tech Firms
A jury in London has convicted two teenagers for their roles in the notorious LAPSUS$ hacking group, also known as Slippy Spider. This gang has been linked to a series of high-profile cyberattacks against leading technology companies, employing tactics that include demanding ransom payments in exchange for not disclosing stolen data.
The individuals included Arion Kurtaj, an 18-year-old resident of Oxford, and an unnamed minor, who began collaborating in July 2021 after meeting online. Initial arrests of both suspects occurred in January 2022; however, they were released pending investigation. They were later re-arrested in April 2022 by the City of London Police. Following his release on bail, Kurtaj relocated to a hotel due to concerns for his safety after being doxxed in an online forum but continued illicit activities, targeting companies such as Uber, Revolut, and Rockstar Games, which ultimately led to his arrest in September 2022.
Central to their attack strategy was a combination of SIM swapping and prompt bombing techniques, which enabled unauthorized access to corporate networks after extensive social engineering efforts. This financially motivated operation actively sought rogue insiders to provide credentials related to Virtual Private Networks (VPNs), Virtual Desktop Infrastructure (VDI), and Citrix applications via their Telegram channel.
A recent report from the U.S. government highlighted that the LAPSUS$ group was offering as much as $20,000 weekly to insiders within telecommunications firms, outlining their unique approach characterized by "effectiveness, speed, creativity, and boldness." The report detailed that the group executed fraudulent SIM swaps by obtaining sensitive information such as names, phone numbers, and proprietary network data, often through deceitful methods including fake emergency data requests and account hijacking of telecommunications employees.
The LAPSUS$ group used telecommunications management tools for executing SIM swaps, which allowed them to take control of online accounts by exploiting sign-in processes that used one-time links or multi-factor authentication passcodes sent via SMS or voice calls. Their initial access methods varied widely, encompassing the use of initial access brokers (IABs), exploiting vulnerabilities in systems, and taking steps to escalate privileges within compromised networks.
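The two techniques described above, MFA prompt bombing (repeatedly pushing authentication requests at a victim until one is approved) and SIM swapping against SMS or voice one-time codes, both leave a footprint in an identity provider's authentication log. The following is an added example written for this page, not code from the article or from any vendor: it parses a constructed MFA audit log (the log format, user names and events are assumptions for illustration) and flags two defender-relevant patterns: a burst of push prompts to one user inside a short window, especially one followed by an approval, and successful sign-ins that relied on SMS or voice factors, which SIM swapping defeats.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA audit log (hypothetical format and users, not real data).
# Each line: <ISO timestamp> <user> <event> <factor>
SAMPLE_LOG = """\
2022-09-15T21:01:03Z alice push_sent push
2022-09-15T21:01:05Z alice push_denied push
2022-09-15T21:01:40Z alice push_sent push
2022-09-15T21:01:44Z alice push_denied push
2022-09-15T21:02:10Z alice push_sent push
2022-09-15T21:02:12Z alice push_denied push
2022-09-15T21:02:50Z alice push_sent push
2022-09-15T21:03:30Z alice push_sent push
2022-09-15T21:03:34Z alice push_approved push
2022-09-15T21:03:36Z alice login_success push
2022-09-15T21:05:00Z bob push_sent push
2022-09-15T21:05:04Z bob push_approved push
2022-09-15T21:05:05Z bob login_success push
2022-09-15T22:10:00Z carol otp_sent sms
2022-09-15T22:10:30Z carol login_success sms
"""

PUSH_THRESHOLD = 4               # this many push prompts inside WINDOW is a burst
WINDOW = timedelta(minutes=5)    # sliding window for counting prompts
WEAK_FACTORS = {"sms", "voice"}  # factors that a SIM swap can intercept


def parse_log(text):
    """Parse the constructed log into (timestamp, user, event, factor) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, factor = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, factor))
    return events


def detect_prompt_bombing(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: {"prompts": n, "approved_after_burst": bool}} for users
    who received at least `threshold` push prompts within one `window`.
    `approved_after_burst` is set when an approval lands while the burst
    is still inside the window, i.e. the attacker's pattern succeeded."""
    recent = defaultdict(deque)   # per-user timestamps of push prompts in window
    findings = {}
    for ts, user, event, _factor in sorted(events):
        q = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                entry = findings.setdefault(user, {"prompts": 0, "approved_after_burst": False})
                entry["prompts"] = max(entry["prompts"], len(q))
        elif event == "push_approved" and len(q) >= threshold:
            findings[user]["approved_after_burst"] = True
    return findings


def detect_weak_factor_logins(events, weak=WEAK_FACTORS):
    """Return (user, factor) pairs for successful logins that used an
    SMS or voice factor; these are the accounts a SIM swap would expose."""
    return [(user, factor) for _ts, user, event, factor in sorted(events)
            if event == "login_success" and factor in weak]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, info in detect_prompt_bombing(evs).items():
        print(f"push burst: {user} prompts={info['prompts']} "
              f"approved_after_burst={info['approved_after_burst']}")
    for user, factor in detect_weak_factor_logins(evs):
        print(f"weak-factor login: {user} via {factor}")
```

Run against the sample log, the first detector reports alice (five prompts in under three minutes, then an approval) and ignores bob's single prompt, while the second flags carol's SMS-based sign-in. In a real deployment the same logic would sit over the identity provider's export, with the threshold tuned to normal user behaviour; a burst that ends in an approval is the case worth paging on, and weak-factor findings are the input to a migration toward phishing-resistant factors.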
A range of prominent companies fell victim to their attacks, including BT, EE, LG, Microsoft, NVIDIA, Okta, Samsung, Ubisoft, and Vodafone. As of now, it remains uncertain whether any ransoms were paid in these breaches. The outcomes of the trials are forthcoming, with sentences still pending for the convicted individuals.
The Cyber Safety Review Board (CSRB) emphasized the group's notoriety, noting its ability to compromise well-defended organizations through effective social engineering while operating with unusual openness, using public platforms to broadcast its exploits. The group's tactics mapped to several techniques in the MITRE ATT&CK framework, notably under the initial access, persistence, privilege escalation, and lateral movement tactics, underscoring the need for vigilance and stronger security measures among businesses in the tech sector.
Given the sophistication and creativity exhibited by the LAPSUS$ group, the case serves as a stark reminder of the evolving threats businesses face in the realm of cybersecurity.