The Kids Aren't Alright

Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by SpecterOps.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.
In recent years we've seen an evolution of the online funnel that turns kids into cybercriminals.
Over the last decade, cybercrime's reach has broadened and it has become more lucrative and more violent. Governments need to attack and disrupt this funnel at all levels, instead of solely focussing on prosecuting these kids after the damage is done.
Bloomberg has described the path that turned one key individual associated with Scattered Spider from a self-described "weird kid" into an inmate, having been sentenced to ten years in prison. Noah Urban, now 20 years old, stole more than USD$13 million in cryptocurrency after becoming involved in SIM swapping when he was 15.
When you compare Urban's path to the one taken by teenage hackers a decade ago, the difference is striking. A 2023 Wired article described how three teenagers built the Mirai botnet in the mid-2010s, got caught by the FBI and were reformed. All three now work in the security industry.
One key difference is the Mirai kids were technically adept. One was using his coding skills to develop and sell Minecraft mods, another had created a Minecraft server denial-of-service attack and the third had created a denial-of-service attack that he ran against his own high school.
By contrast, a decade later, technical nous is barely required to be a successful cybercriminal. Urban was not a hacker. Instead, he was very good at social engineering. Ironically, this is in part because he was taught to be polite at home. Per Bloomberg:
Noah [Urban] turned out to be a stellar conversationalist with a deep voice that belied his age, able to deceive victims into handing over personal information. He also credits his parents with helping him develop the skills that would later prove effective for social engineering. "Manners and respect, the two biggest lessons I learned as a kid," he says.
Urban got involved in SIM-swapping through Minecraft. A crime group he connected with there paid him $50 for every account takeover he could perform that resulted in a cryptocurrency theft. Urban earned $3,000 in his first week of SIM-swapping.
This escalated to stealing cryptocurrency directly, rather than just providing SIM-swapping as a service. Urban later admitted to authorities that he'd stolen as much as $15 million from late 2020 to early 2023.
The Mirai kids also made some good money, but nowhere near the life-changing amount Urban was able to accumulate so quickly. Their most financially successful enterprise involved click fraud, but to us it still feels like this was work, albeit illegal, rather than straight-up theft.
Physical violence associated with teenage hackers has also escalated. One of the Mirai kids was swatted. Police were called to his parents' house following a hoax emergency services call claiming the kid had shot his mother and was holding the rest of the family hostage. At the time, swatting was viewed as outrageously extreme. Wired described it as the "most dangerous retaliatory measure in the toolkit of nihilist teen hackers".
That violence was typically motivated by drama within the hacker community. Nowadays, it’s motivated by the vast amounts of cryptocurrency ripe for the taking. And it is far worse.
In one incident, Urban's mother had bricks lobbed through her windows and she received threatening messages demanding that he pay up. On a separate occasion, Urban received a video showing a kid who had worked for him, seemingly beaten and with guns held to his head. The kid asked that Urban pay a $200,000 ransom for his release. Urban, by then a jaded 18-year-old, didn't pay.
Physical thuggery aside, even the purely online element of these kids' crimes has become increasingly destructive. Sure, Mirai was disruptive and took down large portions of the internet, albeit for a short time. But that almost feels trivial when compared to Scattered Spider's involvement in the hacking of numerous companies such as MGM Resorts and Marks and Spencer, where recovery costs run into the hundreds of millions of dollars.
There have been recent law enforcement successes. In addition to Urban's sentencing last month, two teenagers associated with Scattered Spider were arrested last week by UK authorities. And another suspected member turned himself in to Las Vegas police this week.
That's good, but it is too little, too late. Unlike the Mirai kids, the chances of reforming Scattered Spider's members seem very slim. Several of them continued to commit social engineering crimes even after being raided or arrested, albeit at a slower pace. Perhaps most importantly, they simply don't have the kind of technical skills that can easily be redirected to valuable security work.
So basically everything about the online funnel that recruits kids and turns them into cyber criminals is worse than it was a decade ago. Its aperture is larger. It sucks more young people in because the financial rewards are huge and the technical skills required for success are minimal. The crimes themselves have become more destructive and the scene more violent. And there's no obvious pathway to redemption.
More aggressive and rapid law enforcement is part of the solution. But arresting young adults after they've graduated from a years-long radicalisation pathway and committed multiple serious crimes is the definition of shutting the gate after the horse has bolted.
Governments need to devote far more effort to aggressive early interventions that disrupt this online pathway.
How the US Can Win: Hit ‘Em Where It Hurts
A recent report by the national security think tank the Center for Strategic and International Studies (CSIS) presents some fresh thinking on how the US can "win the cyber war". It argues the country needs to stop being a punching bag and instead punish adversaries by hitting them where it hurts.
The most interesting section of A Playbook for Winning the Cyber War deals with proportionality and deterrence by punishment. It posits the US has responded to damaging cyber attacks far too narrowly, and not proportionately to the aggregate long-term consequences of broader campaigns.
As an example, the report cites America's response to China's long-term campaign of mass intellectual property theft. These responses have been targeted at specific cyber actors that carry out parts of the broader campaign, yet "the intellectual property is still lost, as are millions of dollars in research and development". The long-term impacts of IP theft deserve a far stronger response than indictments that target a few foot soldiers.
The report argues that the US should "embrace a strategy of deterrence by punishment" and use all of its tools of statecraft to respond. Rather than targeting the hands-on-keyboard cyber actor, these punishments should target the state that is ultimately behind the campaign.
The report suggests that:
Cyberattacks may be met with cyberattacks but also with naming-and-shaming efforts, arrests, hefty economic sanctions, and exposure of corrupt government practices to a domestic audience inside a nation's firewall.
If intellectual property theft campaigns against a particular industry were met with tariffs or sanctions targeting that industry, for example, it would undermine the motivation for conducting the campaign in the first place. That could prove effective.
The report even suggests that the punishments shouldn't be defined by the specifics of the cyber attacks. Take China, for example. The report suggests targeting the "five poisons" that the Communist Party regards as the greatest threats to internal security: democracy advocates, Taiwan, Tibetans, Uyghurs and the Falun Gong.
For example, Beijing's penetration of US power grids could be met with the US releasing detailed satellite photos of Uyghur prison camps. That could work.
Of course, this strategy can't be implemented out of the blue. The authors note that the shift would require explicit signalling of the change. The report even suggests some wording: "The United States, as of today, is redefining proportionality in the cyber domain…".
There is much more in the report, including recommendations for a new Cyber Force and to eliminate the dual-hat relationship between NSA and US Cyber Command.
But the report's key insight is that US efforts to deter adversary cyber activities have been weak and ineffective. For adversaries, the benefits of continuing cyber attacks far outweigh the costs.
Watch Amberleigh Jack and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- DoD aims to hire faster: The US Department of Defense (aka the Department of WAR!) is aiming to reduce the time it takes to fill vacant cyber security jobs to 25 days. It currently takes 70 days, better than the 80-day benchmark in the rest of the federal government, but well behind the private sector, where it can be as little as 46 days. CyberScoop has further coverage.
- Canada's Mounties get into crypto: The Royal Canadian Mounted Police has gotten into crypto in a big way by seizing more than CAD$56 million worth from the cryptocurrency exchange platform TradeOgre. The platform did not register with Canada's financial tracking authority and didn't carry out its KYC obligations. This is Canada's first seizure of a crypto exchange.
- GitHub is tightening npm security: In the wake of last week's supply chain attack and self-propagating worm, GitHub is rolling out a range of security improvements. These include requiring two-factor authentication for package updates and tokens with more granular permissions and a seven-day lifetime.
Sponsor Section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Jared Atkinson, CTO at SpecterOps. They discuss how SpecterOps is classifying identities into two categories, identities at rest and identities in transit, what they are, and how they should be treated differently.
Shorts
Ransomware Still Exists
We don't talk about it much in this newsletter these days, but it is worth mentioning that two ransomware attacks in recent weeks have had pretty significant impacts.
One attack, affecting Collins Aerospace, a company which manages self-check-in kiosks, caused disruption across hundreds of airports in Europe. The second, affecting Jaguar Land Rover, started in late August and looks like it will result in production delays into October.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq look at a new Center for Strategic and International Studies report A Playbook for Winning the Cyber War.
Or watch it on YouTube!
From Risky Bulletin:
US raids SIM farm in New York: The US Secret Service has raided and dismantled a SIM farm operating at five locations across the New York tri-state area.
Officials seized 300 SIM servers running more than 100,000 SIM cards.
Officials began investigating the SIM farms after they were used earlier this year to make anonymous threats against senior US officials. According to the NYT, two White House and one Secret Service official were on the receiving end of some of those threats.
[more on Risky Bulletin]
Cyberattack disrupts airports across Europe: A cyberattack has disrupted flights at multiple airports across Europe and elsewhere over the weekend.
The attack brought down self-service kiosks used by passengers to check in, drop luggage, and print boarding passes for their flights.
While the kiosks are installed in hundreds of airports, the disruption forced an unusually large number of travelers to manual check-in counters, creating cascading delays that slowly bogged down the larger airports as time went on.
[more on Risky Bulletin]
Pentagon has 70K+ cyber staff, and a lot of overlap: The US Department of Defense has more than 70,000 individuals working on cybersecurity and cyberspace operations, according to a report published this week that provides the first accurate count of this workforce.
The figure includes 61,000 military and civilian personnel and 9,500 temporary contractors, spread across 504 organizations. They work for Cyber Command, the Army, Navy, Marine Corps, Air Force, and Space Force.
[more on Risky Bulletin]