A new generation of hacker is here. Research by the UK’s National Crime Agency (NCA) suggests that people as young as 12 could be at risk of becoming involved in cyber-dependent criminality. Let that sink in for a second.
The societal implications of adolescents involved in serious crime is one that would stir the emotions of many. And it is set against a challenging landscape for authorities trying to police it, often across international borders.
One such example is the LAPSUS$ cybercrime group, which has claimed several high-profile scalps including Microsoft, T-Mobile, and the Brazilian Ministry of Health, to name a few.
Seven people aged between 16 and 21 with alleged links to the group were arrested by City of London Police in March, and two teenagers have since been charged for hacking offences.
Putting aside the size and scale of these breaches, it is perhaps the age of the alleged perpetrators which is most shocking.
It is just one example in an overall trend which begs the question: how are teens ending up involved with underworld activity? The reasons are complex and nuanced.
Some may be looking to reap financial rewards, but for others the objective is to complete a challenge, gain a sense of achievement, and win a ‘badge of honour’ within their peer group.
Their initial motivations may also have been driven by wider issues in modern society, forcing them down a path of criminality. For others, they may now be trapped into doing the bidding of criminal gangs with no easy way to escape.
And it is today’s increasingly cloud-based economy which could be fuelling this trend further. In this article I’ll explore the impact of a cybercriminal marketplace switch from a direct sales model to a managed service model. The result is a swell of young people sucked into a life of crime because of ‘cybercrime-as-a-service’.
Teen hackers arming themselves
The security community underestimates the younger generation. We forget teens today have not only grown up with computers, but also have access to an unprecedented number of educational resources on programming and offensive security.
While the list of targets LAPSUS$ has breached is impressive, the techniques used to compromise were not novel, nor were zero-day exploits used.
They took advantage of the difficulty large organisations face in managing disperse workforces and networks, with the success likely enabled by the ‘cybercrime-as-a-service’ market.
It works by following the same idea as other ‘as-a-service’ offerings in business, but with a criminal twist. Those who have written malicious code rent out access to their own “cybercrime solutions” to lower-level criminals who either don’t have the resources or know-how to design, write, and execute cyberattacks on their own.
The pay-off is a cut of any profits made in an attack which uses the code. For those starting out in this illicit world, it gives access to a suite of tools to commit criminal enterprise, including malware, stolen databases, social engineering attacks, and more. And as these malicious actors continue to specialise, it increases competition within the marketplace as well as the effectiveness of their code.
Ultimately, with the barriers to entry reduced, it is much easier for new entrants to launch threats.
How do teenagers learn to carry out these kinds of attacks?
Age is increasingly less of a factor when it comes to cybercrime, as many hackers start out as tinkerers from very early on.
Whether it’s playing with code or hacking items around the home, in most cases these individuals are self-taught. And there’s a thriving collaborative community online which caters to aspiring hackers.
Everything is available from tutorials on how to perform different types of attacks, to services to help attackers monetize stolen data.
Couple this illicit opportunity with lower barriers to entry and it fuels a growing swell of young people involved in crime.
But this comes with clear risks. It goes without saying it is breaking the law online by using their coding skills to develop malware or get involved in other cyber criminality. If caught, the penalties are extremely serious, such as imprisonment, or even extradition to a foreign power.
Naivety, gullibility, and inexperience of youth is also ripe for exploitation by other criminals. It can lead to some kids being a pawn in a wider game, or carrying out the bidding for a criminal gang online – while carrying all the consequences of their actions.
Cybercrime-as-a-service creates a level playing field
The size of cybercrime groups can vary considerably, ranging from nation states with near unlimited resources, to organised groups of differing sizes who are mostly motivated by profit. These hacking collectives will cherry pick targets looking for the biggest reward.
Where nation states will hack for intelligence, smaller groups such as LAPSUS$ can inflict just as much damage, though we often see different goals – such as stealing source code.
We also see individual lone wolf ‘script kids’ looking to make a name for themselves, often armed with code procured from the cybercrime-as-a-service marketplace. It levels the playing field with these larger groups, so to speak.
Ultimately, it’s this marketplace which is putting frighteningly powerful tools in the hands of anyone wanting to exploit them, as well as exposing young people to extremely serious crimes which could appear novel from their perspective.
Much greater education is needed as a result, both for the businesses tasked with protecting their customer data and IP, as well as in the education system more broadly.
The risks for young people being drawn into a life of crime needs to be clearly communicated, in a similar way to other serious crimes such as drugs and violence.
It also calls into question the wider societal reasons why young people are drawn into crime generally, and the need to protect them. And just because a cyber attack can be carried out from a bedroom at home, doesn’t make it any less serious.