A new generation of young cybercriminals has emerged as what is now perceived to be the main security threat to corporations on both sides of the Atlantic. As recently as 12 months ago, highly-organised large cybercriminal gangs working out of geographies like Russia kept CISOs awake at night and were perceived as the chief danger. But today, the most terrifying adversaries are teenagers whose hacking skills were honed in the gaming world. Frequently still living at home, some have amassed tens of millions of dollars from online crime.

Last year's high-profile cyber-attacks in the UK on retailers Marks & Spencer, the Co-Op and Harrods, and the devastating assault on auto-maker Jaguar Land Rover, which halted car production for months and cost the company an estimated £1.9 billion, are all now known to be the work of young hackers loosely affiliated with the Scattered Spider group, sometimes referred to by its members simply as “The Com”, short for “The Community”.

A 17-year-old British man from the West Midlands, a 19-year-old Latvian man from the West Midlands, a 19-year-old British man from London and a 20-year-old British woman from Staffordshire have subsequently been arrested in connection with the cyber-attacks on Marks & Spencer, the Co-Op and Harrods, following an investigation by the National Crime Agency (NCA), and are now awaiting trial.

Two teenagers extorted $115m from US firms

There are also numerous examples of other teenagers whose attacks have been equally audacious, sometimes netting the youthful criminals huge fortunes. For instance, 19-year-old Thalha Jubair, from East London, and 18-year-old Owen Flowers, from Walsall, West Midlands, were arrested by the National Crime Agency (NCA) and the City of London Police. The two teenagers are accused of running a $115 million extortion scheme against 47 US firms. They allegedly conspired with others to use social engineering techniques to gain unauthorised access to the computer networks of US companies to steal and encrypt information, before holding the companies to ransom.

But such high-profile arrests are merely the tip of a rapidly expanding iceberg of teenage cybercrime. Today’s youthful hackers are a far cry from the “script kiddies” of a few years ago. Having honed their skills by hacking gaming platforms for tokens, they are in a position to download highly sophisticated tools such as the latest ransomware, which are now freely available online.

There is also disturbing evidence that many of these youngsters are now being groomed by older and more experienced cybercriminals. “Like latter-day Fagins recruiting pickpockets, Russian cybercrime groups and the Russian intelligence service continuously monitor the gaming world to talent scout for potential cybercriminals, who they then groom for a life of crime,” warns Fergus Hay, chief executive and co-founder of The Hacking Games, an organisation set up to steer young hackers away from cybercrime towards legitimate careers in cybersecurity.

English-speaking social engineering

What makes this new breed of youthful super-hackers so dangerous is that they combine hacking skills gained via gaming platforms with English-speaking socially-engineered attacks. Typically, they gain access to internal company phone numbers from darkweb sites and then call staff members posing as colleagues or members of the company’s own IT support team. While, for example, a Russian accent might alert a staff member to a potential fraud, English-speaking teenagers with enough technical language are able to sound sufficiently plausible to dupe employees.

The unstructured nature of “The Com” is also a nightmare for law enforcement. Members form informal and often fluid partnerships. So there is no formalized network to bust and then take down, and law enforcement must track down every hacker individually, a process that is, so far, proving impossible to achieve.