Rise of the Cyber Supervillain
By Guy Rosefelt, Chief Product Officer, Sangfor Technologies
In my Cyber HotSeat Interview with Gary Miliefsky, I made a prediction about the rise of the Cyber Supervillain. This is an uber-hacker with the ability to take the entire world hostage, not company by company or country by country, but in its entirety. How could that be possible? By connecting everything, everywhere together.
Globalization of companies, systems, and data has been ongoing for over 30 years since the commercialization of the internet. In the 21st century, we see a major shift from on-premises infrastructure to cloud computing, whether it be SaaS, IaaS, PaaS, or any other acronym. Thus, everything starts to become connected directly or indirectly.
Many years ago, I wrote about a potential internet apocalypse, where connectivity and services for entire countries or continents would be rendered inoperable. I suggested then that attackers could weaponize the 5G Smart Cities being developed at that time by infecting the multitude of IoT devices deployed (cameras, smart meters for utilities and parking, etc.) and turning the cities into giant DDoS cannons that could attack entire countries. The firepower of the controlled cities could be increased a further thousandfold if a percentage of the Android phones used by the population were also compromised.
You are thinking to yourself, “But Guy, how would that even be possible?! There is little evidence to suggest that Android phones could be infected and used on a large scale!”
But it has happened more than once…
In August 2017, the tiny African country São Tomé and Príncipe was hit by a mass botnet infection. While there were only 8,200 mobile phones on the island, 12%, or over 1,000 mobile phones, were likely infected with the WireX malware. This was up from 3 infections in July 2017.
Table 1: São Tomé and Príncipe IP Reputation Data
McAfee’s Mobile Research Team identified a new version of HiddenAds malware on the Google Play Store in August 2022 that disguised itself as various cleaner apps. The malware was updated with the ability to start on its own once installed and had infected over 1 million devices globally.
Top affected countries include South Korea, Japan, and Brazil.
Figure 1. Top affected countries (including South Korea, Japan, and Brazil) by new HiddenAds malware.
Today, supply chain attacks, AI-enabled advanced persistent threats (APTs), and insecure IoT have taken what I imagined and made it worse. Recent issues at social media sites, media & communications sites, and critical infrastructure & services repeatedly demonstrate how fragile online infrastructure is. In May 2022, the entire country of Costa Rica was shut down, and a state of emergency was declared due to a ransomware attack.
So, we know it is possible to bring down countries. But who will be able to do that?
CyberDefense Magazine has a list of the Top 100 Cybersecurity Hackers. Most of the people on the list are reformed, incarcerated, or dead. All were very successful in their cyberattacks, but none were as driven or as dangerous as someone not on the list.
History is full of famous criminals: Adolf Hitler, Bonnie & Clyde, Pablo Escobar, Julian Assange, and now, Arion Kurtaj. Now 18, Kurtaj was an underage teenage hacker from Oxford, UK, and a member of the Lapsus$ group, a mostly teenage threat actor group that attacked dozens of well-known companies and government agencies around the world in 2021 and 2022.
Lapsus$ came to public attention in December 2021 after attacking Brazil’s Ministry of Health, stealing 50TB of data, and demanding a ransom to not publish any of the data. They were responsible for breaching Okta, Microsoft, and Samsung, among others, stealing data and again extorting ransom to not post the data online. The attacker group was so brazen, they maintained a Telegram channel where they announced when and where they would publish stolen data drops and conducted polls to determine what targets to attack. In 2022, the Lapsus$ channel had over 45,000 subscribers.
Kurtaj is thought to have founded Lapsus$ at age 16 with another teen hacker from Brazil. At the age of 17, he was arrested in March 2022 with other teen hackers for attacking and stealing data from NVIDIA and the UK phone company BT/EE. They had leaked some sensitive data as an incentive for NVIDIA to pay a ransom. After his arrest, Kurtaj was “doxxed” by a rival cybergang who posted his family’s personal information online. While out on bail in September 2022 and with his laptop confiscated, Kurtaj was moved to a budget hotel for his safety. There, he quickly hacked both Uber and Rockstar Games, stealing video clips of the unreleased Grand Theft Auto 6 game using only a smartphone, an Amazon Fire Stick, a Bluetooth keyboard and mouse, and the hotel room TV. The attack was discovered when Kurtaj released the stolen video clips, and he was immediately arrested again.
Because Kurtaj was previously diagnosed at an early age with severe autism, he was found unfit to stand trial. Instead, the judge asked a courtroom jury to “determine whether or not he did the acts alleged — not if he did it with criminal intent.” The jury determined that he did commit the alleged crimes. Evidence was presented to the court that Kurtaj had been violent while in custody, with dozens of reports of injury or property damage. A mental health assessment was conducted during the sentencing hearing and found Kurtaj “continued to express the intent to return to cyber-crime as soon as possible. He is highly motivated.” The judge deemed Kurtaj remained “a high risk of serious harm to the public through skill in gaining unfettered access to computers.” Kurtaj, now 18, was committed to a secure hospital until doctors deem him no longer a danger. Secure mental health hospitals in England and Wales house people deemed to be a danger either to themselves or others on account of their mental illness. Potentially, he could remain in hospital for life.
What makes Kurtaj so special? He is the first hacker to publicly admit all he wants to do is hack. He is a sociopath with the will to cause destruction, just like any movie or comic book supervillain. But there will be more teenage criminals on the rise this year to take his place: disenfranchised teenagers who grew up practicing hacking from a very early age using tools and information readily found on the internet. These teens will join a virtual version of the gangs found on the streets in most cities, but these cybergangs have a global reach and access to weapons far more dangerous than drugs and guns. Worse, it is far less likely that cybergang members will be identified and caught. Hackers learn lessons from other hackers, and new internet privacy protection tools also protect the identity of hackers. AI will make their attacks stealthier and almost impossible to detect without AI-enabled detection tools that are still in their infancy. Trend Micro published an interesting blog post about the different criminal undergrounds that exist globally, but even that is changing as teen cybergangs arise. These cybergangs will produce more cyber supervillains who will try to bring about the internet apocalypse for fame or gain. They will fight each other for cyber territory and global supremacy, just as gangs fight to secure neighborhoods and criminal enterprises today. When that happens, we will see the cyberspace version of what is happening in Haiti today.
But there will be one that leads a gang – the Cyber Supervillain. Cyber Supervillains will have the drive to achieve their objectives without fail and have the skills to do so. Nothing will get in their way. They will be hyperintelligent, but socially outcast. They will be imaginative and quickly develop new attack strategies and techniques to exploit vulnerabilities. They will have sociopathic, if not psychopathic, traits that allow them to morph their personalities into masters of social engineering. They will launch campaigns against targets to fulfill whatever personal agenda they have but mostly to satisfy their own ego.
This will make defending against cyber supervillains extremely difficult. Organizations need to deploy the best cybersecurity defenses for their requirements and environments. They need to be diligent about updates and patches. They need to conduct regular vulnerability assessments to find and close attack surfaces. But the more difficult challenge will be training people to recognize social engineering attacks. People want to be friendly and helpful, and this can be easily exploited to make them give up sensitive information for use in attacks. And that is the Cyber Supervillain’s greatest superpower.
About the Author
Guy is Chief Product Officer for Sangfor Technologies. He has over 20 years’ experience (though some say it is one year’s experience twenty times) in application and network security, kicking it off with 10 years in the U.S. Air Force, reaching the rank of captain. After his time in the USAF building the first fiber-to-the-desktop LAN and other things you would find in Tom Clancy novels, Guy worked at NGAF, SIEM, WAF and CASB startups as well as big-name brands like Imperva and Citrix. He has spoken at numerous conferences around the world and in people’s living rooms, written articles about the coming Internet Apocalypse, and even managed to occasionally lead teams that designed and built security stuff. Guy is thrilled to be in his current position at Sangfor — partly because he was promised there would always be Coke Zero in the breakroom. His favorite cake is German Chocolate. Guy can be reached online at https://www.linkedin.com/in/guyrosefelt/ and at Sangfor’s official website: https://www.sangfor.com/.