Lured To The Dark Side: The Criminal Hacker Journey, Pt. 1

Jan 12, 2022
23 minutes

January 12, 2022
19 min read

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content.

Into the Breach Podcast: Cyber Tales from the People Who’ve Lived Them

A few years ago, I took a gig as Public Information Officer for our X-Force group. I remember when I was offered the post. The first words out of my mouth to the exec offering me the job were, “I can’t work for you. I have no idea what your team does. All I know is it sounds incredibly cool.”

Well, he eventually talked me into it (obviously) and between us, I’ve never regretted being convinced. I got it right on one point out of the gate, though — and that was the notion that it’s an intriguing area of the business, and in a way like no other. The reason, I think, is it stands at the intersection of technology, crime and law enforcement, and public policy. And because of that, we have the opportunity to make the world both safer and better. Not many areas in tech can make those same claims to fame.

For those of you who are like I was at first, if I had to sum it up I’d tell you that X-Force is essentially IBM Security’s cyber threat intelligence and response unit. We hunt threats, get paid to break into companies who want to know where they’re vulnerable, collect intelligence, and apply all that when we go out to thwart the bad guys (and gals) and remediate organizations who are under attack.

Not every day is like something out of a spy novel, but many of them are. And many connections I’ve made along the way have similar yet unique tales to tell of their own. Now I’m bringing those stories to the airwaves on Into the Breach, where you get to hear them firsthand.

Listen to the episode: Lured To The Dark Side: The Criminal Hacker Journey, Pt. 1

Some highlights include:

  • A former BBC journalist who chronicled the adventures and eventual capture of two teenage hackers
  • A combined private sector and law enforcement agency perspective on what threat intelligence is revealing about the cybercrime economy
  • The alarming potential risks of operational technology and why it’s critical we secure it
  • How the tech structure of cryptocurrency helps cybercriminals elude capture and what role regulation might play in helping law enforcement track them

The miniseries brings to life a set of tales that thrill and inform — and maybe the best part is we do it in a way that makes cyber understandable to everyone. Even for people like my former self a few years back, who don’t know much about the cyber space other than, “it sounds incredibly cool.”

It is.

So join me, and together we’ll venture Into the Breach.

Transcript:

Mitch: If you were to survey a random group of kids, likely very few of them would say, “I want to grow up to be a cyber criminal.” Yet it’s not uncommon for teens to get caught up in the criminal side of cyber. Things like popularity and online forums, lack of the right kind of guidance, and the thrill of a gaming mindset make online mischief a very attractive lure to a young mind.

For today’s episode, we sit down with Chris Quevatre. He is a former BBC journalist-turned-filmmaker and the author of an in-depth article that looks at the world of teen hackers. Chris speaks with us about the criminal hackers he got to know and uncovers their motivation and mindset, and also how they were given a second chance at life.

I am Mitch Mayne, and you are listening to Into the Breach.

Mitch: So Chris, as a journalist for BBC, you covered a wide breadth of stories, I went back online and looked at some of the stuff that you’ve written. And all of them tend to be a little more unique than just a traditional journalist who covers a specific beat, like policy or health. So how did this specific story come to you and tell me about the background that led you here and why this one happened?

Chris: Yeah, working in regional news you get put on a sort of wider range of stories, I guess it’s one of the perks of not working in a specialty. This particular story my editor came to me one day and he said, there’s this company called Blue Screen IT. I’ve become aware there’s something going on there, you know, with some of the sort of kids they’re hiring. Can you go down and check it out? So I put in some calls with the company and sort of got friendly with the CEO there. They invited me down to spend some time with their guys and I found out all about their personal stories and some of the guys that they’re hiring, and they’ve got some unique backgrounds and some very strange routes into a professional cybersecurity career.

Mitch: Well, I do like the angle of strange routes, because that kind of is indeed what you discovered there. In the story, you tell the tale of two teenage boys who were at least teenagers at the time that they were caught doing criminal hacking, I guess we call them accidental criminals, right, for lack of a better term. Tell me what you discovered about these boys. You know, briefly what their stories are and what their motivation was, and how they ended up on the criminal side of this with virtually no education in cyber.

Chris: Yeah, I think the keyword in that question there is boys. I think that’s one of the biggest things to take from this is that they absolutely were children. Jack was 19 years old when the police turned up at his house, but he had been spoken to by the police, given something called a cease and desist when he was 16. He said he was watching The Lion King at 10 past eight in the morning when the police turned up. He said there were sort of a few patrol cars and lots of officers all stormed in, you know, as quickly as possible so that he couldn’t sort of delete hard drives and all of this sort of stuff.

Yeah, they were there to arrest him. I think that was when it really sunk in that he had broken the law. Before that, he hadn’t particularly considered himself doing that. He had a really interesting story, actually, he’d started sort of looking into designing code and things when he was a lot younger. When he was sort of in his early teens, he said he’d been trying to find a quicker way to do algebra. He didn’t want to do the math. He didn’t want to do the arithmetic, he wanted to find a way to do it. So he tried to build a system out of code that would complete algebra for him. He said it didn’t go particularly well, I don’t think he got many correct answers. But it sort of really piqued his interest in, I think, sort of finding shortcuts. And sort of finding what I guess at the time, he would have considered efficiencies and ways to do things.

So that was Jack — Cameron started in a similar way, actually. Cameron’s one of the other guys that I spoke to at Blue Screen. He started sort of designing systems and code to try and help him be good in video games as well. He was really competitive, he didn’t want anyone to beat his top scores and stuff like that. And so he would design sort of programmes to either make other people worse or make him better during games. And again, it’s that sort of way of efficiency and trying to make shortcuts in ways that aren’t particularly breaking the law. But that sort of stems that interest, it really is the root of it all. If you don’t have an outlet first, somewhere to put that talent and that skill and that interest, it grows into things that it shouldn’t.

Mitch: That’s an interesting perspective and one that I sort of gathered from the article as well. There was sort of a gaming mindset going on here rather than a criminal mindset and there may have been an element of not just cutting corners, but also thrill-seeking as a motive here. Were there any similarities between the two boys? Was there like a lack of access to education resources? Were there SES commonalities? Or were these just truly just two random middle-class boys off the street?

Chris: Yeah, I mean, I think there are definitely similarities in obviously, in their interests in what they done when they were younger. I think there’s definitely a sense of thrill-seeking there, for sure. I think when you’ve got a talent, and these guys clearly had talent, you want to have an outlet for it, you want to be able to develop it and grow it and find new ways of testing it. Now, I remember when I was 13, 14 years old, and I had what we call information, communication, technology lessons. I was doing formatting on word processing documents and stuff like that, and learning how to use spreadsheets, but I wasn’t testing out my coding skills and stuff like that. And that’s what these guys wanted to be doing. But they didn’t have an outlet for that at school. You know, no one was teaching them this stuff, no one was testing them on this stuff. And I think certainly there was at the time the lack of education, not just in teaching them what’s legal, and what isn’t. But literally just having a curriculum that can guide these skills, so that you can test yourself and push yourself further, without going over that line into illegal activity that can happen if you do it unsupervised. So there’s definitely a thrill-seeking part there. One hacker I spoke to, not featured in the article had stolen financial records and bank details. You know, he said he had no intention of using them at all hadn’t even crossed his mind. He was just doing it to see if he could, you know, it was just a test for himself. And he hadn’t even considered that it was illegal, although most of that would seem obvious. But when you’re 14, 15 years old, he was just doing it to test himself because he had no way to sort of, I guess, measure himself against his peers or his friends online.

Mitch: That’s an interesting point. And when you and I spoke earlier, we had drawn the analogy of you know, when I was a kid, one of the things that I did was see if I could actually throw my football over the entire house, and it actually went through the neighbor’s window. There was no malicious intent there. But I did indeed break the window. And it was a thrill, I’ll have to admit, and for a 13, 14, 15-year-old kid, to be able to take that gaming mentality that has not been harnessed for lack of a better term for the power of good and test it up against, you know, a major financial institution to be able to get in the door. Whether or not your intent was bad, that must have been quite a thrill for him.

Chris: Yeah, absolutely. And yet incredibly exciting. There must be a feeling there that if you effectively break into a bank, but you have no intention of stealing anything from the vault, then, you know, they’re just going to let you off, you know, you’re a child. But that’s not how it happens at all. Cameron was arrested on his way to school when he was just, you know, 14 years old. When I was 14, I didn’t consider anything I was doing illegal, and I may well have not been doing anything illegal, but those thoughts, those risks just don’t pop up in your head, you don’t think the fact that they’re going to affect you for the rest of your life.

Mitch: Is it safe to say then, that the kids in the interview chose their targets at random, there was no criminal mastermind mapping out who to target, it was just, hey, let’s try this website today?

Chris: Yeah, I think there was definitely talk of having sort of mentors online. So I spoke to people who had had an older hacker, perhaps not older, I mean, who knows, I think there was a lot of anonymity there, but certainly more experienced hackers sort of asking them to do things, but it was all sort of tests to get into groups that would hack and things like that, but there was no sort of targeting people in order to be either you know, a nuisance and disrupt websites, or to steal data or financial information. There wasn’t a sense of targeting someone to influence them in some way or to attack them. But I think there were sort of relatively randomly selected targets, just in order to prove yourself or yet test each other.

Mitch: It’s interesting that you mentioned that they ran into, you use the term, mentors. So they lack mentors to help teach them how to use these skills in a professional curriculum, in a professional school setting. Was relatively easy to find mentors who would help teach them to do things with their skills that were against the law. Did you get a sense of what they knew about their criminal fellows or how well organised these networks were or how they found one another?

Chris: I mean, not really, to be honest. I think their sense in terms of organisation, there were definitely handfuls of people and, you know, sort of online gangs that you can join that you had to pass tests to join and that sort of thing. But I don’t know, the scale of the sort of organisation that was going on there. I think, potentially at their age, the sort of groups they were joining weren’t maybe on the sort of organised crime level. But who knows, perhaps they were.

Mitch: In our next episode with Nick Rossmann, who is the head of threat intelligence for X-Force here. The data now demonstrates that this kind of crime that the two boys were found guilty of isn’t really, you know, a solo act any longer. We used to think threat actors were these lone wolves, you know, wearing a hoodie in a coffee shop, or a lonely guy sitting in their parent’s dark basement, but it’s not really the case. And you’ve just sort of made that point. Blackhat hacking has grown into a finely honed industry. And again, probably looking to recruit people like Jack and Cameron. What do you think, based on what you learned in this story, might have become of Jack and Cameron and the other folks at Blue Screen if they hadn’t been caught?

Chris: Well, at 14 and 19 years old, for Cameron and Jack, they would have been charged with a crime. Well, they were charged with a crime, but they weren’t convicted. That’s the difference. So these two guys were arrested — Jack when he was 19, Cameron when he was 14, and both charged with a crime, but they were never convicted because that’s the point at which they were intercepted by the National Crime Agency, as people who had the ability to be reformed to the company like Blue Screen IT. Had they not been put on that path, who knows where they would have ended up. But for Jack, he had initially been stopped by the police when he was 16. And then arrested again when he was 19. So three years on, he was still conducting illegal activity. So if he hadn’t been stopped, then there’s no reason to suggest that wouldn’t have continued. For Cameron, it’s hard to say. I mean, he was stopped so early on when he was 14 years old. He said up to the point that the police arrested him on his way to school, his biggest worry was he hadn’t done his math homework. And then suddenly, yeah, he’s being stopped on his way to school while walking across the playing fields. At that point, who knows, but if he’s at that level, that he’s getting police attention when he’s 14 years old, you can’t imagine it’s going anywhere good.

Mitch: Yeah, that’s true. I was just actually thinking back to things I was doing when I was 14. And I think my biggest concern was, you know, not even homework, but it was more like, does my hair look okay, today? So is that a new zit? It’s a very, very different mindset. And these guys are so clearly intelligent, this just is a fascinating story. You talk a little bit in the story as well about a police officer who was involved in the arrest of at least one of the youth and the police cyber futures programme, whose aim I’m gathering is to nab these kind of, sort of accidental, young criminals and set them on a different path. Did you get a sense at all in the article, as you were writing it, of how many of these youth they’ve managed to capture or what the fate was after their arrest?

Chris: And it’s hard to say and I imagine it’s changed a lot over time. But it sounded like a lot. I mean, I don’t think Jack and Cameron are anomalies in the data, I think there are people that are willing to go on to this cyber futures programme and they’re willing to sort of change teams as it were, and put a different hat on. But there are probably a lot of people that aren’t willing to do that both because they maybe feel that they don’t fit in in that sort of office workplace — a more professional workplace. But also, because they fear sort of repercussions as it were from switching sides, it’s very difficult to shield, sort of what you’re doing from people who are, you know, such prolific hackers online. There will be lots of people that will fear sort of, you know, changing sides and fighting for the good guys.

Mitch: So jumping the fence is something that we could actually consider to be a risky venture, jumping the fence from the dark side to the good side. We have an industry here, Chris that is absolutely clamouring for talent. The statistics are mind-boggling. And every day that there’s a new one that x x million people short of the needed cybersecurity talent in the industry in order to help keep the world safer from government or private industry to two, you name it. And yet here we have a story about these two kids who are, I will bet my retirement on the fact that there’s millions of these kids out there who lack the ability to hone their skills in a way that’s attractive to them. So is there a lesson here, do you think, for the industry?

Chris: I mean, I think when you’re 14 years old, and you’re sort of getting your teeth into this sort of stuff, it must be really attractive, just because you’re potentially getting an income from it, as well as just messing around and testing yourself, you can potentially get an income from it, and you’re not going to be hired by a cybersecurity firm at the age of 14 at the moment, I suspect, but I don’t know the industry that well. But you know, you can get an income from an early age doing something that you enjoy, something that’s a thrill, something that’s got a bit of risk to it. It’s hard to see what the alternative is for that. There is absolutely a massive pool of people who are talented and can do this job.

Once the article came out on the BBC website, Cameron and Jack were not at Blue Screen IT for long. They got poached by other companies. You know, they were sort of talent spotted as a result of the article and in a slightly jokey way, you know, Blue Screen was saying our article actually hadn’t been that good for them, because they’d lost a couple of really good members of staff to bigger companies. And so you know, there is an absolute clamour for this type of experience. Absolutely. And, you know, not just people who, you know, have an intricate knowledge of cybersecurity, but people who’ve got active experience of breaking through it. That is a unique thing to have in your CV, and I’d imagine very desirable for companies, they don’t want these crimes to happen in the first place, of course, but once they have that is probably quite a desirable thing to have on your CV, I’d imagine.

Mitch: I just can imagine what their graduate school essays would be. It would be absolutely remarkable, far more interesting than mine. So you experienced a bit more of the uplifting side to cybercrime. There often isn’t a silver lining, but I think that you may have stumbled upon one, with your exposure to Jack and Cameron and the other youth of Blue Screen. Talk to me a little bit about, you know, from somebody looking from the outside in what were the emotions that you experienced while writing and investigating the story, there were probably a lot of them, but give me a primary few.

Chris: It was mainly surreal for me. When I was researching the story, I was 26 years old. These guys were, yeah, a few years younger than me, but the idea that they’d be arrested when they were 14 years old, walking to school, just a few years earlier, it was absolutely surreal. And the idea that these guys sitting in front of me were just four or five years ago, really big names in the online hacker community. I’m sure talked about massively at school, as that kid that got arrested for accessing 1000s of people’s personal details or hacking into a major company. It was just really surreal to sort of be around them, and they’re so normal, really friendly, really nice guys. You wouldn’t know that they had been involved in any sort of criminal activity at all. By the time I met them they’d been in a professional workplace for a couple of years at least. But the idea that they had been responsible for some pretty serious crimes was just really surreal.

Mitch: The story seems surreal to me, as well, I think the most serious problem I ever had as a youth as I grew up in cow country and ranch land, and we had an outside kegger that was busted by the police and I got a ticket for having a beer in my hand at age of 17. And that was absolutely terrifying to me, it was my whole future flashed before my eyes. And so I can imagine what you know, watching The Lion King and having that be interrupted would be an affront in and of itself, but then to be hauled off to jail and charged with something far more serious would be a little alarming.

So Chris, in the story, one of the things that I noticed was that Blue Screen IT actually did some training with the police department, I believe it was, again, the cyber futures programme. And there was an ironic interaction at that point between one of the boys arrested and actually the officer who arrested him. Tell me about that.

Chris: Yeah, it was crazy. So Cameron had been arrested when he was very young. So he was 14 years old. He actually spent some time in a prison cell as well. Or in a holding cell at least. He was arrested by Detective Sergeant John Atkin who’s from the southwest regional cybercrime unit. Years later Cameron’s working at Blue Screen IT. He’s been saved from being convicted with any crimes. And now you know, he’s working his way through the Blue Screen levels and doing different courses, which will give them sort of official qualifications in cybersecurity. You know, luckily for him Blue Screen actually run those courses themselves, and they offer it not just to their own staff, but to anyone who wants to attend.

In his first year at Blue Screen, one of the courses that he attended was run by the company, it was attended by the same police officer, John Atkin, who had arrested him in 2014. He said, I never thought we’d be meeting again on a course when he was arresting me as a 14-year-old. There’s an element now of learning from each other as well. You know, if something comes up in sort of, you know, the forensic examining of digital records, John Atkin is the man to explain it best, but you know if they’re talking about a penetration attack or something like that then you know Cameron’s the guy who’s gonna have more expertise. The best element of this whole story is just how both sides of the coin can give such good input now into fighting cybercrime and it just gives this really nice feeling of sort of hope for those that can change sides or just be diverted onto the right path. That they can have a really sort of meaningful career in cybersecurity and they can be you know, really helpful assets and in the fight against hacking.

Mitch: I agree this was among the more uplifting stories in the cyber realm that I have experienced, which is why I wanted to have a chance to talk with you. I do have to chuckle a little bit about what must have been a just a remarkably awkward moment between the police officer and the kid that had been arrested but again all turned out for the best for all involved it sounds like.

Chris: Yeah, the policeman John Atkin, he was really good-spirited about it, you know, he was like we’re just here on a course you know, we’re both in slightly different sectors of the same industry now. He said Cameron’s a good kid and he’s doing really well you know the future’s bright for him. He said you know hopefully he’ll take this forward and then the world is his oyster so there’s no bad blood there at all you know they were really friendly, they were getting on, they were learning from each other, and I think you know, they put the past behind them and they were yeah they’re both really great guys.

Mitch: Well, it must have been at least a little bit satisfying for the police officer as well to be able to see that somebody that he had arrested had actually learned the lesson and gone on to you know, use his superpowers for good so that must have been a little satisfaction, job satisfaction for the officer as well.

So let’s talk about some personal stuff here. You and I spoke a few minutes before this call. And we both agreed to share a little story about what we’ve learned along our journey in cybersecurity. And my original question to you was, did writing this article make you more conscious of your own private data? But what I really want to ask you is, tell me the story about your confidence in your ability to keep your data private, and what you might tell your grandmother today?

Chris: I think of myself as a very open-minded person. But I think, you know, having written a lot of stories about not necessarily in cybersecurity, but people being scammed in all sorts of ways, you know, over the years in national news, there was an element where I was thinking, How do people fall for this stuff? And I’m not talking about getting an email from the son of a prince in another continent somewhere, but you know, just everyday scams, I thought, how do they fall for it?

And then in July, I got scammed. And I think that that part of my brain that said how do they fall for it, which was a small part, but it was definitely there. As much as I would have hated to admit it, that part just immediately vanished. And I felt very embarrassed. Because it’s so easily done. I was sat in a car park in the Isle of Skye, on the west coast of Scotland on holiday, when I just quickly checked my phone before I set off. I had a text from a delivery company. I was in the process of buying quite a big piece of video kit and I had parts coming from all over the world. And it said oh just put the card details in here because you need to pay a three-pound import fee. And so I put my details in and hit send or save or whatever it was. It didn’t come out of my bank account. And I thought it was strange because I definitely put it in, it hasn’t asked me for approval, but it hasn’t come through. My girlfriend said just head back onto that link they sent you and see if it links back to the original website. It did not. Once we went on that delivery company’s official website, it did look slightly different all over the place. And I immediately realised that I’d handed my bank details over to a stranger. Thankfully I ordered a new bank card within you know, 10 minutes and no harm done other than the annoying process that I think we’ve all been through even when just your card expires of having to change your bank details on every single website that you use to pay stuff. But thankfully no harm done, but I realised just how easy it is to fall for this stuff you know, when we’re so used to giving our data over multiple times a day for perfectly legitimate reasons and we do it fast as well.

Mitch: My story was I will frankly admit it is embarrassing, Chris. So I mean, IBM is a very, very large technology company, and we take data security very seriously. Every year we have an annual test that we have to go through. For me in cybersecurity, it’s a little more robust than it is for some people in other organisations. And we also do testing to see who’s the fool in the ship, right? Send out test emails that are actually generated by our IT department to find out whether or not people are actually paying attention. Well, I got an email and of course, I was on Slack and I was on a WebEx and I was you know, texting someone, and this email came in that said, hey, you’re eligible for a new laptop, and it looked very much like it came from our IT department, and I thought, heck, yeah, I always want a new laptop. So I click the button and then there was the, you know, “wah wah” — okay the bomb exploded, and you’ve completely breached your entire corporation and which was sent to not only my boss, but my boss’s boss, who is the general manager of…

Chris: That seems harsh — does it send to your boss and their boss? That seems really mean.

Mitch: Yes! Well, mercifully, I have a great relationship with both of them. So we, after the embarrassment was over, we did get a good laugh out of it. And now I’m able to tell the story just like you. It’s like it pays to pay attention. When you’re actually clicking on things. Did I hover over the URL to make sure it actually was gonna go where it said it was gonna go? No. Did I really look at the logo to make sure that it was actually the right logo? Or did it just look close? No, I didn’t do that either. So cybercriminals do bank on us being lazy, quick and distracted. I wouldn’t call you lazy, but it definitely worked on my behalf. You can do it when you’re distracted. And it can happen to anybody. It isn’t just somebody who’s remarkably uninformed, who is a victim. It’s those of us who are informed as well.

So Chris, as we close out here, I just want to make sure that everybody who is listening today has an opportunity to read the story about Jack and Cameron if they have not already done so. How do people find that?

Chris: It’s on the BBC website, and it’s called The Teenage Hackers Who Have Been Given a Second Chance.

Mitch: A special thanks to our guest Chris Quevatre for his time and insight for today’s episode.

If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts and Spotify.

You’ve been listening to Into the Breach, an IBM Production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordain Wallace with audio production by Kieron Banerji. Thanks for venturing Into the Breach.

Mitch Mayne
Public Information Officer, IBM Security X-Force

Mitch is the Public Information Officer (PIO) for IBM Security X-Force. Mitch is a well-known voice in the cybersecurity realm, and the author of several tho...