Page 41 - Cyber Defense eMagazine Annual RSA Edition for 2024
Today, supply chain attacks, AI-enabled advanced persistent threats (APTs), and insecure IoT have
taken what I imagined and made it worse. Recent issues at social media sites, media & communications
sites, and critical infrastructure & services repeatedly demonstrate how fragile online infrastructure is. In
May 2022, the entire country of Costa Rica was shut down, and a state of emergency was declared due
to a ransomware attack.
So, we know it is possible to bring down countries. But who will be able to do that?
CyberDefense Magazine has a list of the Top 100 Cybersecurity Hackers. Most of the people on the list
are reformed, incarcerated, or dead. All were very successful in their cyberattacks, but none were as
driven or as dangerous as someone not on the list.
History is full of famous criminals: Adolf Hitler, Bonnie & Clyde, Pablo Escobar, Julian Assange, and now,
Arion Kurtaj. Now 18, Kurtaj was an underage teenage hacker from Oxford, UK, and a member of the
Lapsus$ group, a mostly teenage threat actor group that attacked dozens of well-known companies and
government agencies around the world in 2021 and 2022.
Lapsus$ came to public attention in December 2021 after attacking Brazil’s Ministry of Health, stealing
50TB of data, and demanding a ransom to not publish any of the data. They were responsible for
breaching Okta, Microsoft, and Samsung, among others, stealing data and again extorting ransom to not
post the data online. The attacker group was so brazen that they maintained a Telegram channel where they
announced when and where they would publish stolen data drops and conducted polls to determine what
targets to attack. In 2022, the Lapsus$ channel had over 45,000 subscribers.
Kurtaj is thought to be the founder of Lapsus$ at age 16 with another teen hacker from Brazil. At the age
of 17, he was arrested in March 2022 with other teen hackers for attacking and stealing data from NVIDIA
and UK phone company BT/EE. They had leaked some sensitive data as an incentive for NVIDIA to pay
a ransom. After his arrest, Kurtaj was “doxxed” by a rival cybergang who posted his family’s personal
information online. While out on bail in September 2022 and with his laptop confiscated, Kurtaj was
moved to a budget hotel for his safety. There, he quickly hacked both Uber and Rockstar Games, stealing
video clips of the unreleased Grand Theft Auto 6 game using only a smartphone, an Amazon firestick,