If you ask some of the top cybersecurity leaders in the field what’s on their worry list, you might not expect bored teenagers to be top of mind. But in recent years, this entirely new generation of money-driven cybercriminals has caused some of the biggest hacks in history and shows no sign of slowing down.
Meet the “advanced persistent teenagers,” as dubbed by the security community. These are skilled, financially motivated hackers, like Lapsus$ and Scattered Spider, which have proven capable of digitally breaking into hotel chains, casinos, and technology giants. By using tactics that rely on credible email lures and convincing phone calls posing as a company’s help desk, these hackers can trick unsuspecting employees into giving up their corporate passwords or network access.
These attacks are highly effective, have caused huge data breaches affecting millions of people, and resulted in huge ransoms paid to make the hackers go away. By demonstrating hacking capabilities once limited to only a few nation states, the threat from bored teenagers has prompted many companies to reckon with the realization that they don’t know if the employees on their networks are really who they say they are, and not actually a stealthy hacker.
From the points of view of two leading security veterans, have we underestimated the threat from bored teenagers?
“Maybe not for much longer,” said Darren Gruber, technical advisor in the Office of Security and Trust at database giant MongoDB, during an onstage panel at TechCrunch Disrupt on Tuesday. “They don’t feel as threatened, they may not be in U.S. jurisdictions, and they tend to be very technical and learn these things in different venues,” said Gruber.
Plus, a key automatic advantage is that these threat groups also have a lot of time on their hands.
“It’s a different motivation than the traditional adversaries that enterprises see,” Gruber told the audience.
Gruber has firsthand experience dealing with some of these threats. MongoDB had an intrusion at the end of 2023 that led to the theft of some metadata, like customer contact information, but no evidence of access to customer systems or databases. The breach was limited, by all accounts, and Gruber said the attack matched tactics used by Scattered Spider. The attackers used a phishing lure to gain access to MongoDB’s internal network as if they were an employee, he said.
Having that attribution can help network defenders defend against future attacks, said Gruber. “It helps to know who you’re dealing with,” he said.
Heather Gantt-Evans, the chief information security officer at fintech card issuing giant Marqeta, who spoke alongside Gruber at TechCrunch Disrupt, told the audience that the motivations of these emerging threat groups of teenagers and young adults are “incredibly unpredictable,” but that their tactics and techniques weren’t particularly advanced, like sending phishing emails and tricking employees at phone companies into transferring someone’s phone number.
“The trend that we’re seeing is really around insider threat,” said Gantt-Evans. “It’s much more easier to manipulate your way in through a person than through hacking in with elaborate malware and exploitation of vulnerabilities, and they’re going to keep doing that.”
“Some of the biggest threats that we’re looking at right now relate to identity, and there’s a lot of questions about social engineering,” said Gruber.
The attack surface isn’t just limited to email or text phishing, he said, but any system that interacts with your employees or your customers. That’s why identity and access management are top of mind for companies like MongoDB to ensure that only employees are accessing the network.
Gantt-Evans said that these are all “human element” attacks, and that combined with the hackers’ often unpredictable motivations, “we have a lot to learn from,” including the neurodivergent ways that some of these younger hackers think and operate.
“They don’t care that you’re not good at a mixer,” said Gantt-Evans. “We in cybersecurity need to do a better job at embracing neurodiverse talent, as well.”