Uber office in San Francisco: victim of an "advanced persistent teenager"?
Photo: JUSTIN SULLIVAN/ AFP
The City of London Police announced on Twitter the arrest of a 17-year-old in Oxfordshire.
The arrest was made on Thursday evening in cooperation with the National Cyber Crime Unit (NCCU), reportedly "on suspicion of hacking".
The suspect remains in custody.
The announcement does not reveal more, and the police did not want to say more even when asked by the media.
But why, then, would the arrest of a single teenager warrant such a tweet?
The most obvious assumption is that the investigators believe they have caught the hacker, or one of the hackers, who recently penetrated Uber's systems and, in a separate case, copied internal material from Rockstar Games about its video game "GTA VI" and posted it on the Internet.
In the Uber case, the perpetrator said about himself that he was only 18 years old.
Comeback after several police actions?
The ride-hailing company had blamed the hacker group Lapsus$ in its investigation of the incident and referred to reports according to which the Rockstar Games hacker had claimed that he was also the Uber hacker.
If that were the case, the whole thing would be a kind of comeback for the hacker group that made international headlines in the spring.
At the time, Lapsus$ had exposed Microsoft, Vodafone, Ubisoft, Samsung, Nvidia, LG and Okta by gaining access to the tech companies' internal data and partially publishing it, accompanied by plenty of boasting.
But after British police briefly arrested seven suspects, aged between 16 and 21, as part of "an investigation into a hacking group" in March, things had gone quiet around Lapsus$.
On Telegram, the apparently international group announced a kind of hacker vacation.
In August, the Brazilian Federal Police also carried out searches and seizures against a "transnational criminal organization" matching Lapsus$'s description.
The only thing that is certain so far is that at least the Uber incident fits in with the typical approach of Lapsus$.
The company stated that the perpetrator or perpetrators had probably bought the login credentials of an external contractor on the dark web, where they had ended up after being stolen at some point, and tried them out again and again.
However, because Uber protects itself with two-factor authentication, the person concerned repeatedly received messages asking them to confirm the log-in attempt.
By their own account, the perpetrator or perpetrators finally persuaded him to do so via WhatsApp, where they posed as Uber IT.
In the IT security industry, this scam now has a name: "MFA fatigue attack", multi-factor authentication fatigue attack.
Victims are bombarded with MFA notifications until, annoyed by the supposed malfunction, they tap "Accept" just to be able to keep working in peace.
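The pattern described above, repeated push prompts that go unanswered or are denied and then a single approval, is visible in identity-provider logs. The following detection logic is an added example, not Uber's or any vendor's code; it assumes a constructed log format and made-up sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP log lines (assumed format, not from Uber or any real product):
# "<ISO timestamp> <user> <source IP> <push outcome>"
SAMPLE_LOG = """\
2022-09-15T22:01:04Z alice 198.51.100.7 push_timeout
2022-09-15T22:01:30Z alice 198.51.100.7 push_denied
2022-09-15T22:01:58Z alice 198.51.100.7 push_timeout
2022-09-15T22:02:31Z alice 198.51.100.7 push_timeout
2022-09-15T22:03:02Z alice 198.51.100.7 push_denied
2022-09-15T22:03:00Z bob 203.0.113.9 push_approved
2022-09-15T22:06:10Z alice 198.51.100.7 push_approved
"""

UNANSWERED = {"push_timeout", "push_denied"}

def parse_log(text):
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag users who accumulate >= threshold unanswered or denied pushes inside
    one window, and record whether an approval followed within that window
    (i.e. the user gave in to the flood)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        unanswered = [e for e in evs if e["outcome"] in UNANSWERED]
        for i, start in enumerate(unanswered):
            burst = [e for e in unanswered[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= threshold:
                end = burst[-1]["ts"]
                approved = any(e["outcome"] == "push_approved"
                               and end < e["ts"] <= start["ts"] + window for e in evs)
                alerts.append({"user": user, "ips": sorted({e["ip"] for e in burst}),
                               "prompts": len(burst), "approved_after_flood": approved})
                break  # one alert per user is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

An alert with `approved_after_flood` set is the case worth treating as a compromised session rather than a noisy user.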
"Advanced Persistent Teenagers"
The alleged 18-year-old has already earned a nickname for his persistence.
Based on the term Advanced Persistent Threat (APT), which is used to describe technically advanced, ongoing threats, for example from state hacker groups, a leading security expert from Google has already named the alleged perpetrator "Advanced Persistent Teenager".
It's more than a joke.
In the meantime, several experts have noticed that groups like Lapsus$ expose the weaknesses of today's IT systems, which at first glance appear to be quite well secured, through perseverance and with the help of well-known methods such as social engineering, thereby keeping the security industry on the back foot.
MFA fatigue attacks, for example, are comparatively new.
But the fact that they are obviously successful puts organizations under pressure.
If they have already introduced multi-factor login, then it was usually not that long ago, and it is certainly complicated and time-consuming enough for parts of the workforce.
Should they still change the login procedure again and confuse or annoy their own people?
Should they wait until Apple, Microsoft and enough other large providers have implemented the open standard FIDO (Fast Identity Online) for passwordless yet secure login?
In any case, hoping that the phenomenon would disappear after Thursday's arrest would not be a better solution.