
Ep 12: Lapsus$: The kiddies are alright

DINA TEMPLE-RASTON (tape): Is it Okta or Octa?

JIM GREEN: Yeah, I had to learn that as well. It's Octa…

TEMPLE-RASTON: Jim Green is the head of government affairs at Okta. Even if you
don’t know how to pronounce the company name… you may have used it.

Okta is what’s known as an identity management platform…

Companies use it to stop people from breaking into their networks…

You log in, and Okta sends you a code or an email to make sure that you’ve got
permission to enter the network.

Which is why in March 2022, the tech world collectively gasped when screenshots of
what looked to be a hack on the company suddenly appeared in a Telegram
channel.

TEMPLE-RASTON: If you’re not already aware, there are reports that Okta has been
hacked. They are one of the biggest companies that offer SSO and multi-factor
authentication, so pretty much all the important stuff that we never want to get
hacked…

But as investigators looked into it, the breach became both less and more troubling.

It looked like the culprits weren’t some stealthy nation-state hacking collective… or
Russian-speaking ransomware gang…

Instead they were an unpredictable, hard to control, impulsive lot that seemed
strangely… unafraid of getting caught.

And THAT combination has presented a new kind of challenge.

BRETT WINTERFORD: Every organization right now has a playbook for what happens
when your network is compromised by a ransomware gang and you have to respond
very quickly. There isn't really a playbook for this.

TEMPLE-RASTON: I’m Dina Temple-Raston and this… is Click Here, a podcast about
all things cyber and intelligence.

Today, a deep dive into a new kind of hacking threat – and it has sent security officials
scrambling…

Stay with us.

MUSIC ROLL

TEMPLE-RASTON: Brett Winterford is Okta’s regional chief security officer.

And he was in a client meeting last month when the alarming emails started streaming
in.

WINTERFORD: The first message that I received on my phone said, it looks like you're
going to have a bad day, and the second message had the screenshots.

TEMPLE-RASTON: The screenshots were helpfully annotated pictures with captions
that read things like: photos from our access to Okta.com.

TEMPLE-RASTON (tape): And you're reading these screenshots, I guess, trying to
have a poker face in front of a customer.

WINTERFORD: I don't think I have that good a poker face.

MUSIC BUMP…

TEMPLE-RASTON: The screenshots seemed to indicate that a technical support
engineer’s account had been compromised…

Which meant, potentially, that hackers had the power to change passwords,
authenticate accounts… Just. Bad. Stuff.

And it wasn’t just Okta in their crosshairs: All their customers could be at risk. The
screenshot ended with a smirking emoji.

WINTERFORD: From the first moment that these screenshots were published, we had
two things in mind, right? One figure out exactly what happened from a technical
perspective, technical impact, and two get in front of our customers and explain to them
what had happened.

MUSIC BUMP…

TEMPLE-RASTON: They traced it back to a hack of a third party vendor in
January… one they thought they’d already dealt with.

WINTERFORD: So our first research question is to go back and say, were our
conclusions from that event correct?

TEMPLE-RASTON: They reviewed what they’d done back in January… Among other
things, they’d caught an illegal password change on an account.

It had all the typical red flags. A suspicious IP address… Failed two-factor
authentication tests…

And Okta had responded exactly how they’d needed to… everything looked as it
should. Crisis averted. Which is why it was so frustrating that the hackers were publicly
saying exactly the opposite.

MUSIC CRESCENDOS…

NEWS TAPE: … FBI San Francisco says a hacking group called Lapsus$… has been
stealing companies’ data, threatening to leak it unless the company pays a ransom in
bitcoin…

TEMPLE-RASTON: Lapsus$... A cyber gang that first burst on the global hacking scene
just this past December, with a hack on the Ministry of Health in Brazil. They stole
source code and deleted data… They seemed obsessed with source code. They took
source code graphics and computer chip maker NVIDIA… And then again from the
consumer electronics giant Samsung.

WINTERFORD: Our threat intelligence team at Okta had been monitoring Lapsus$. We
kind of viewed them as the kind of adversary that you could come across just because
of how prolific they were and how little attention they paid to OPSEC.

TEMPLE-RASTON: OP-SEC, operational security. They didn’t seem to care if people
knew who they were… Instead they seemed to be on a reckless, ego-motivated
hacking spree… Cracking into companies… posting their latest exploits on a Lapsus$
Telegram channel that had some 60,000 subscribers…

WINTERFORD: They seemed to be crafty and resourceful and had a lot of time on their
hands. And, you know, a lot of folks had remarked at the time that it reminded them of
these kinds of groups that, um, that just almost love hacking for the notoriety more than
anything else.

TEMPLE-RASTON: And the Okta hack offered the illicit thrill of compromising a
well-known technology platform. Though, Winterford said, studying the logs
afterwards… the way they moved around was odd… Like they didn’t really know what
the third party they cracked into – a company called Sykes Sitel… actually did…

WINTERFORD: They were really just in an experimental mode or a discovery mode,
trying to figure out what could, how could they leverage that access in some way?

TEMPLE-RASTON: They’d try to get into a privileged account in one way… get blocked
and then give up and try another. It wasn’t methodical, it was frenetic.

WINTERFORD: Uh, I guess a different kind of adversary might've been more patient
and might've performed more discovery. Uh, these, these threat actors are very much all
about, you know, try it out and find out.

TEMPLE-RASTON: And if that strategy sounds weirdly familiar, it should. It is an
adolescent strategy… it turns out that’s exactly what Lapsus$ was… a bunch of
teenagers just seeing what they could get away with. In fact, those Okta screenshots…
the ones that were supposed to ruin Winterford’s day… members of Lapsus$ might
have… well… exaggerated a bit.

(PICK UP PACE OF MUSIC HERE)

TEMPLE-RASTON: They hadn’t cracked into Okta’s network… They had compromised
ONE account… they sat in on client sessions… It was very limited… but what fun is
there in saying THAT? So they did what teenagers often do…

They took some strategic screenshots… wrote some creative captions… and, just like
that, they looked like an invincible hacking crew that had just compromised a giant
company…

Even though… it appears… they didn’t really.

MUSIC UP AND OUT

TEMPLE-RASTON: In the end, the hackers compromised two Okta customers… two…

WINTERFORD: And there was only one session that was in scope for us // And that
was a 25 minute period of activity.

TEMPLE-RASTON: But that only came out definitively months later…in fact, Okta
announced it just last week… a few days before they said they would no longer be
using Sitel as a third party vendor.

WINTERFORD: In a sense, they didn't really need to perform any account takeovers or
configuration changes or anything of that nature to have some impact that would, um,
you know, make them more notorious.

TEMPLE-RASTON: Which presents a HUGE problem: how do you protect your
company from something like that? A hacker disinformation campaign… Because while
a hacker can swipe source code and hold information for ransom, another arrow in their
quiver is a company’s reputation… They can strike at that… and sometimes that’s even
harder to fix.

WINTERFORD: There isn't really a playbook for when a bunch of hackers break into
your third party support provider, and then, you know, observe thin client sessions of a
technical support engineer, take screenshots and publish them on their Telegram
channel. It's just not a scenario you come up with for a tabletop exercise.

TEMPLE-RASTON: When we come back… how a bunch of teenagers took aim at a
little company called Microsoft… and the retro way they did it.

This is Click Here.

Stay with us.

—-

MUSIC BUMP

—--

TEMPLE-RASTON: It actually isn’t hard to find the person who is the alleged leader of
Lapsus$. He’s 17 and lives in the UK. Because he’s a minor we’re not using his name…
we reached out to him… we sent his parents a bunch of emails…

And they didn’t respond. But even without speaking to him or his parents directly you
can learn a lot about him.

TEMPLE-RASTON (tape): So are you like a private cyber, uh, detective.

ALLISON NIXON: Ooh, that's a really good way of putting it.

Allison Nixon is the chief researcher at a cyber security company called Unit 2-TWENTY
ONE b and she’s been tracking Lapsus$ and some of its earlier iterations for a while
now.

TEMPLE-RASTON (tape): Could you tell us more about their leader? I mean it must be
sort of odd to be a detective chasing teenagers.

NIXON: I don't know. I mean, I guess his hobbies include re-offending.

TEMPLE-RASTON: Nixon says he’s left quite a digital trail…

NIXON: So, profile for the leader of Lapsus$. Um, I'd say that he's been involved in the
script kiddie community for a very long time.

TEMPLE-RASTON: Script kiddies are people who can’t really code but use other
hacking tools – like social engineering – to crack into systems…

NIXON: Just because he's under 18 doesn't mean that he lacks years of experience in
the criminal underground, because he really does have years of experience.

TEMPLE-RASTON (tape): How do you know that?

NIXON: I know that because when you start digging into his online profiles and his
historical posts and activity, you'll find his accounts go pretty far back. And when you
read the material on that, um, and look at the dates of when they were posted, the
only conclusion you can come to is that this kid has a lot of years of experience in
the criminal underground.

TEMPLE-RASTON: One of his screen names is White and… we dug a little more… and
we found lots of people who knew him… They talked to us but didn’t want to be
recorded. Some claimed he hacked their bank accounts, shut down their Xboxes and
demanded money to open them up again.

Nixon says they’re really different from other hacking crews she’s followed.

NIXON: For one, they are not using malware; instead they are going old school. They are
downloading the data, deleting it, and then demanding money in exchange for it
(under)…

TEMPLE-RASTON: No elegant malware shells… No zero-day exploits. Their hacking
gifts appear to be more mundane: They are really good at finding gullible people who
either click on the wrong thing… or can be sweet-talked into accidentally providing
access…

Which, if you’re a big company, presents a HUGE problem.

You can build walls and virus scanners against code…

But when the vulnerabilities are carbon units – you know them as human beings – well,
that’s a lot harder to prevent…

and human beings appear to be a Lapsus$ specialty.

MUSIC BUMP

Nixon said White was also clearly big into a scheme known as SIM swapping.

NEWS TAPE: These scams netted criminals $68 million last year… these so-called
SIM swaps happen when a scammer transfers your phone number to a new device
without your authorization…

TEMPLE-RASTON: SIM swapping involves someone convincing your carrier to switch
your phone number over to a SIM card that they have… Once that happens – at least in
a hacker kind of way – the world is your oyster.

Armed with that they can complete text-based two-factor authentication checks –
remember that’s how Okta works… they can steal your personal information…or trick
services into coughing up passwords. Sound crazy? Not so much.

CLIP1: Ah, boy, the Lapsus$ has been busy. They’ve hacked Microsoft, leaking….

CLIP 2: claimed to be source code for Bing, Bing maps, and Cortana. They leaked…

TEMPLE-RASTON: Microsoft dug into the hack and came up with a list of Lapsus$’s
favored techniques. SIM swapping was among them, although it appeared that in the case
of the Microsoft hack they used a password stealer and purchased credentials from
dark web forums.

Nixon says all these old-school techniques have allowed Lapsus$ to seem like big dog
hackers.

NIXON: The total volume of takeovers is going to be low and it's probably going to
always be low. But the targets that they choose are always going to be high profile,
important high value targets.

TEMPLE-RASTON: People who will pay you a lot of money to get their phone numbers
back. Some estimates say Lapsus$ has raked in some $14 million from its victims just
since December.

NIXON: It’s something that people need to think about because if threat actors are
going to be casing out your employee's entire life and putting a ton of effort into taking
over your employee's account at work, just to steal access to employee tools and
manipulate your customer accounts that is a very dangerous threat.

MUSIC BUMP

TEMPLE-RASTON: Teenagers have a talent for being their own worst enemy. And in
the case of Lapsus$, its members have the unfortunate habit of blurting out things in
their Telegram channel… stupid things…

NIXON: They are sitting in that chat room chatting and sometimes airing out their dirty
laundry in the chat group…

TEMPLE-RASTON: Dirty laundry like posting members’ real names, and addresses and
emails… I’m familiar with this kind of behavior. And not just because I was once a
teenager…

Back in 2018, I created and hosted a podcast called What Were You Thinking…

TEMPLE-RASTON (from What Were You Thinking): ….A show in which we look at
kids’ decisions, study their developing brains, and try to figure out what we might be
able to do to help them choose more wisely.

TEMPLE-RASTON: One of the episodes was about adolescent hackers… and I talked
to a lot of them.

TEMPLE-RASTON (from What Were You Thinking): Everyone makes bad decisions,
but I think we can agree that adolescents tend to make more of them… FADE
UNDER…

TEMPLE-RASTON: The short version is that studies show that levels of dopamine in
the brain lead to all kinds of behaviors…Too much dopamine in one part of the brain is
linked to psychosis and too little in others can make you look for ways to increase it.
And one way to give it a boost is to take risks. Which Allison Nixon says could help
explain some of the behavior we’ve seen from Lapsus$.

NIXON: Because of this ego motivation coloring a lot of their actions, it sabotages a lot
of their operations, actually. It's, it's often times an active self-sabotage when these
people are bragging about stuff and trying to flex and trying to, um, show off and show
how dominating they are over other people. That's a huge reason why a lot of them get
caught.

TEMPLE-RASTON: Which is precisely what happened a few weeks ago. At the end of
March, the City of London Police announced the arrest of seven people in connection
with the Lapsus$ investigation. We reached out to London police, but a spokesperson
declined to comment. But, they DID say publicly the seven were all between the ages of
16 and 21. A short time later, Lapsus$ announced in its Telegram channel that some of
its members were taking a “vacation.” Nixon says there’s a lesson here: there is a whole
crop of young people who have been dabbling at the edges of the hacking world… and
they could be waiting in the wings to strike.

NIXON: Um, the script kiddies are growing up here and SIM swapping methods are being
used for more and more high-profile attacks.

TEMPLE-RASTON: And this is just the beginning. As if to make the point, Lapsus$
claimed on April 20th that it had hacked a company called Globant. It provides software
services to big companies like Disney and Google. The group posted a screenshot in its
Telegram channel… and it showed a roster of folder names labeled with brands like
Facebook, DHL and C-SPAN.

When we come back, we found another story about teenage hackers that was just too
fun not to share… And it happened almost sixty years ago.

Stay with us.

—-

BREAK 2

—-

TEMPLE-RASTON: So we have one more youthful hacking story that took place when
teenage hacking wasn’t even a thing… The year was 1964 … and back then
computers were so big, they filled an entire office building floor.

MICHAEL SHAMOS: I remember the day as if it were virtually yesterday

TEMPLE-RASTON: Michael Shamos is a distinguished career professor at Carnegie
Mellon University. And this story starts almost like a joke. Two high school kids walk into
the IBM data center at 59th and Madison in New York…

SHAMOS: And it was a very well-known place at the time because it was on the ground
floor. So anybody walking by on Madison avenue would be able to look in and see these
computers with their tape drives, turning and lights flashing.

1960s IBM video: These machines are things of gleaming color metal and numerous
flashing lights… (music under)

SHAMOS: And so you knew that IBM was up to something in that place.

TEMPLE-RASTON: And Shamos and a buddy of his walk in and ask a crazy question.

SHAMOS: Would it be possible during idle time for you to allow us to use, uh, the IBM
7094?

TEMPLE-RASTON: It was IBM’s fastest computer – and it cost $900 an hour to use.

SHAMOS: We said enough technical things that he realized that we knew what we were
doing. And so he said, sure.

TEMPLE-RASTON: To this day, Shamos isn’t sure why they said yes… Now, back then
computer punch cards booted up a computer. You’d put a card into the reader and that
single card had enough information to tell the machine to go to a particular tape drive
and start executing instructions. The cards were those long rectangular cards… and
Shamos and his buddy were curious how they worked… They did some math and
realized that if they changed one hole on the card… just one hole… they could probably
stop the machine from rebooting. They made a test card… put it in the computer and
boom… it worked.

SHAMOS: And then the devilish idea occurred that if we made many copies of this card
and we put a lot of them into that big box that they've got on the console, then at some
random time when they needed to reboot the machine, there was some good chance
that they would pick the bad card. And they wouldn't be able to reboot the machine.

TEMPLE-RASTON: They made 100 copies of their altered card.

SHAMOS: And we kind of randomly shuffled them into the box that the operators used
and just left it there.

TEMPLE-RASTON: Shamos and his buddy used to spend a lot of time at the IBM building… waiting to get
some computer time when no one else was using them…

So they didn’t attract any suspicion as they just sat there… waiting until one of their bad
cards was finally fished out of the pile…

SHAMOS: And we're standing there and we're watching and we figured, you know, they
would diagnose the problem really quickly.

TEMPLE-RASTON: But they didn’t. They went to the back room, brought out another
copy of the operating system tape, mounted that… then the same thing happened
again.

SHAMOS: They tried running machine diagnostics. None of them showed that anything
was wrong with the machine. And now what's going on is IBM can't run any of their
paying jobs… including the national weather service, which was trying to do weather
prediction.

TEMPLE-RASTON: And suddenly it didn’t seem quite so funny.

SHAMOS: We didn't want to fess up. But the best proposition that we had was to get
our cards out of that box so none of them could be used again, but there were so many
people now gathered around this machine, watching what was going on, there was no
possibility of fixing it.

SHAMOS: We're dying. Okay. Because, because if this, if this went on too long without
their making a discovery, we will have to tell them because otherwise we would have
taken down the whole computer center.

TEMPLE-RASTON: Finally one of the IBM engineers picked up one of the cards from
his box on the machine and then went over to a different machine and picked up one of
those cards and held them up to the light…

SHAMOS: And he saw that there was one bit difference. And he said, this is the
problem. They never, ever suspected human intervention in this, because the one bit
difference was enough that it could have been caused by a chance error in a machine.

TEMPLE-RASTON: So while 1964 was Freedom Summer for much of the country…
Shamos remembers it as hacker summer… the summer he and a buddy almost took
down the IBM computer center in Manhattan.

SHAMOS: One of my favorite stories too. // Well, I've told it off and on. Not to anybody
of importance. I mean maybe friends. And certainly nobody at IBM.

TEMPLE-RASTON (tape): Certainly nobody at IBM (laughs). Okay.

TEMPLE-RASTON: Because a few years later, Michael Shamos landed his first full-time
job… at IBM.

This is Click Here.

HEADLINES:

TEMPLE-RASTON: Here’s what else you need to know about cyber and intelligence
this week.

Google and Mandiant said last week that the number of disclosed and exploited
zero-days reached record highs last year. Zero days are newly discovered
vulnerabilities that vendors don’t know about. The name comes from the number of
days they have to fix it before a hacker uses it… exactly ZERO. Mandiant says it
identified 80 zero-days exploited in the wild, more than double the record volume they
saw in 2019. And Google, which recently bought Mandiant, said its Project Zero found
58 in-the-wild zero-days, the most ever recorded since they began tracking zero days in
2014.

—-

TEMPLE-RASTON: A major cyber attack targeting an underwater cable linking Hawaii’s
telephone, internet and cell phone service was foiled by agents at Homeland Security
Investigations last week. According to a Hawaiian investigative unit of the U.S.
Department of Homeland Security, an international hacking group breached a private
company and attacked the servers that manage the undersea cable that connects
Hawaii and the Pacific region. Frank Pace is the Administrator of the Hawaii Office of
Homeland Security and he says the investigation is continuing.

FRANK PACE: Whether it was, you know, truly just a known cyber criminal group that
wanted to compromise individuals or executives within the organization, or to install, uh,
various forms of ransomware to hold their systems hostage, et cetera. That's all what
we're trying to figure out.

TEMPLE-RASTON: DHS has not publicly identified the international hackers or the private
company they targeted.

—-

TEMPLE-RASTON: Since Russia’s invasion of Ukraine, security officials there have
identified at least eight new types of malware with names like AcidRain, and
WhisperGate. It is still unclear who developed these variants of malware, but many
attacks have been carried out by Kremlin-backed hacker groups, like Sandworm.
Ukrainian security official Victor Zhora told the Record that understanding what these
new variants can do can help Ukrainian forces detect them early.

—-

TEMPLE-RASTON: And finally a little update on a friend of Click Here, Dmitry
Cher-e-panov… He ran the Retro Computer Museum in Mariupol, Ukraine that was
destroyed by Russian missiles. He has a new project: he has created a website called
MRPL-life which is meant to help people locate relatives or friends who have gone
missing in the fighting. It allows residents to post pictures and details of relatives or
friends they’re looking for.

DMITRY CHEREPANOV: The idea to make this site came to my mind when I got out of
Mariupol and started looking for my relatives and friends. I hope this site will help people
find each other and those they are looking for.

TEMPLE-RASTON: More than 12,000 people have visited the site since it launched last
week, Cherepanov told us.

TEMPLE-RASTON: Today’s episode was produced by Sean Powers and Will Jarvis,
and it was edited by Karen Duffin, with fact-checking from Darren Ankrom.

Ben Levings-ton composed our theme and original music for the episode. We had
additional music from Blue Dot Sessions.

Click Here is a production of The Record by Recorded Future.

And finally we want to hear from you. Please leave us a review and rating wherever you
get your podcasts. And you can connect with us at Click-Here-show dot com…

I’m Dina Temple-Raston. We’ll be back on Tuesday.
