Source: securityboulevard.com – Author: Richi Jennings
Arion Kurtaj and anon minor: Part of group that hacked Uber, Nvidia, Microsoft, Rockstar Games and many more.
Two teenage hackers have had their day in a UK court. The jury decided they committed their crimes using a combo of social engineering, insider bribery and SIM swapping—holding huge companies to crypto-ransom.
Frankly, it all sounded a bit too easy. In today’s SB Blogwatch, we put the kettle on.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ももいろの鍵.
‘teapotuberhacker’ is not Guilty but not ‘Not Guilty’
What’s the craic? Aunty’s Joe Tidy reports—“Court finds teenagers carried out hacking”:
“Offensive messages”
A court has found an 18-year-old … was a part of an international cyber-crime gang responsible for a hacking spree against major tech firms. Arion Kurtaj was a key member of the Lapsus$ group which hacked the likes of Uber, Nvidia … Microsoft … telecoms company BT … and digital banking group Revolut. [Also a] 17-year-old [was] convicted for his involvement in the activities of the Lapsus$ gang but cannot be named because of his age.
…
The audacious attacks by Lapsus$ in 2021 and 2022 shocked the cyber security world. … The group from the UK, and allegedly Brazil, was described in court as “digital bandits.” … Once inside a company’s computer network, the hackers often left offensive messages on Slack and Microsoft Teams as they attempted to blackmail staff.
Not just internal messages, it seems. As Alexander Martin recalls—“British court convicts two teen Lapsus$ members”:
“Links to Brazil”
At the time of the Revolut incident, some users … reported seeing messages with inappropriate language on the app’s support chat. Revolut replied that it was aware of those messages and “taking steps to ensure this does not happen again.” … The hacking incidents were linked to the teens by investigators who found their IP addresses through a number of email and Telegram accounts which the pair allegedly used to boast about their antics.
…
The Lapsus$ gang gained notoriety for its erratic behavior, its public boasts of successful attacks and because several of its members appeared to be teenagers. It had purported links to Brazil, where Federal Police last year announced the arrest of another alleged member.
Anything else? It’s Ionut Ilascu—“Teen hackers convicted of high-profile cyberattacks”:
“Mostly teenagers”
Believed to be one of the leaders of the group, [Kurtaj] was arrested twice in 2022, first in January and then again in March, in connection with Lapsus$ hacking activity. … Using the handle ‘teapotuberhacker’ and while on bail … Kurtaj leaked gameplay videos from the unreleased Grand Theft Auto 6, obtained after breaching [Rockstar Games’] Slack server and Confluence wiki.
…
High-profile organizations impacted by Lapsus$ also include … Cisco, Okta … T-Mobile, Samsung, Vodafone, Ubisoft, 2K … Globant [and] mobile operator EE. … Despite being a loosely organized group of mostly teenagers, Lapsus$ managed to breach organizations with a strong sense of security.
So he’s been found “guilty”? Not exactly, as Jessica Lyons Hardcastle notes—“Pair were on a total tear”:
“Computer intrusion”
This was an unusual case—in that the jury was told not to find Kurtaj … guilty or not guilty as psychiatrists had earlier assessed that he was unfit to stand trial. Instead, the panel was asked to decided whether or not he did the things he was accused of.
…
After a two-month process, jurors determined Kurtaj committed 12 offenses, including computer intrusion, blackmail, and fraud. … The 17-year-old was convicted of fraud, blackmail, and carrying out an unauthorized act to impair the operation of a computer.
Next step is sentencing. Which makes rknop wonder:
Which gets worse punishment: Committing actual grand theft auto, or hacking Grand Theft Auto? I’m sure that the lawyers will make a powerful argument that the economic harm is orders of magnitude larger in the latter case.
Do the victims share any blame? Yet Another Hierachial Anonynmous Coward [sic] thinks so:
If a couple of 16-year-olds can access … multinational tech companies, and help themselves to secure data, then surely someone else should be in the dock? Exactly who is in charge of security?
Teenagers, you say? Steven Murdoch wants them off his lawn:
A helpful reminder that when a company announces it has been compromised by a “highly sophisticated attacker,” it could be a government unit of PhD-level intelligence experts, but sometimes it is a teenager in a hotel with a Fire TV stick. … I’m sure some class-action lawyers are paying close attention.
Meanwhile, u/bernpfenn probably means GCHQ, rather than NSA—but still:
They are toast and probably will get to choose between long jail times and a job at the NSA.
And Finally:
Iyowa wishes to apologize for his weak stomach
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Hector Falcon (via Unsplash; leveled and cropped)
Recent Articles By Author
Original Post URL: https://securityboulevard.com/2023/08/lapsus-arion-kurtaj-richixbw/
Category & Tags: Analytics & Intelligence,API Security,Application Security,Blockchain,Cloud Security,Cyberlaw,Cybersecurity,Data Security,Deep Fake and Other Social Engineering Tactics,DevSecOps,Digital Currency,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Insider Threats,Malware,Most Read This Week,Network Security,News,Popular Post,Ransomware,Regulatory Compliance,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,Arion Kurtaj,Grand Theft Auto,Lapsus$,Rockstar Games,SB Blogwatch,Strawberry Tempest – Analytics & Intelligence,API Security,Application Security,Blockchain,Cloud Security,Cyberlaw,Cybersecurity,Data Security,Deep Fake and Other Social Engineering Tactics,DevSecOps,Digital Currency,Editorial Calendar,Endpoint,Featured,Governance, Risk & Compliance,Humor,Identity & Access,Identity and Access Management,Incident Response,Insider Threats,Malware,Most Read This Week,Network Security,News,Popular Post,Ransomware,Regulatory Compliance,Securing the Cloud,Securing the Edge,Security at the Edge,Security Awareness,Security Boulevard (Original),Security Challenges and Opportunities of Remote Work,Security Operations,Social Engineering,Software Supply Chain Security,Spotlight,Threat Intelligence,Threats & Breaches,Vulnerabilities,Zero-Trust,Arion Kurtaj,Grand Theft Auto,Lapsus$,Rockstar Games,SB Blogwatch,Strawberry Tempest
