Comment by Shank
19 hours ago
> And with this much at stake, they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".
LAPSUS$ was prolific by just bribing employees with admin access. This is far from theoretical. Just imagine the kind of money your average nation state has laying around to bribe someone with internal access.
I started to write a comment about how low they probably were able to bribe people for but found this article [0] which put the number higher than I expected:
> One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”
That said, this is but one instance and I'd imagine that on the whole they are able to bribe people at much lower numbers. See also: how little it takes to bribe some government officials.
[0] https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lap...
The cost for access can be surprisingly low. Not all that many years ago it was pretty cheap to pay an editor at wiki or DMOZ or any of a few dozen other 'trusted sources' on the internet to get something added, or removed. I stopped traveling in those circles a long time ago, but I know that they are still very active and the cost is still surprisingly low.
While not code level access, these sorts of things are far more common than anyone wants to admit to.
If they were looking to access government back doors at these providers then it would not be your usual hack - and worth a lot more. I have no idea if this is how an entire domestic surveillance network got strung up, but it would make sense at those numbers (though those numbers still seem very low for such a betrayal and potential consequences)
I'm thinking those prices are just for large sets of phone number ports/clones to get past 2fa on valuable accounts.
And because it is surprisingly difficult to distinguish between 'oops' and 'malice' a lot of the actual perps get away with it too, as long as they limit their involvement. In-house threats are an under appreciated - and somewhat uncomfortable - topic for many companies, they don't have the funds to do things by the book but they do have outsized responsibilities and pray that they can trust their employees.
Also hard to track when the offending employee is a contractor or simply exits stage left to another company. Where he could also offer up his services to make another "blunder" that would grant access to these groups.
Another framing would be we will release your mother if you plant this backdoor. Could be a good plot for a short story? This attack vector has been available to Nation States since ages ago, stealing blueprints etc. Why are we acting surprised that this could be applied more effectively in digital age?
But on the other hand, adding LLM with strong guards (not yet here but doable for popular attack vectors) into the human loop can drastically eliminate insider factor, imho.
No, it just replaces one vector with another.
> they can afford to simply buy your software dependencies, or to offer one of your employees some retirement money in exchange for making a "mistake".
Orthogonal, but in similar spirits: the FAANG part of big tech paying less, doing massive layoffs, and putting enormous pressure on their remaining engineers might have this effect too in a less directly malicious way.
Big tech does layoffs, asks engineers to do "more". This creates a lot of mess, tech debt, difficult to maintain or SRE services. Difficult to migrate and undo, difficult to be nimble.
These same engineers can then leave for startups or more nimble pastures and eat the cake of the large enterprise struggling to KTLO or steer the ship of the given product area.
Keep in mind, the billionaires seem to think they can crash all this into the ground, and some how survive by buying their own miltaries.
The scale of how society works is lost on the greedy