A few 12 months ago, the US security firm Palo Alto Networks began to listen to from a flurry of firms that had been hacked in ways in which weren’t the norm for cybercriminals.
Native English-speaking hackers would call up a goal company’s information technology helpdesk posing as an worker, and seek login details by pretending to have lost theirs.
That they had all the worker information needed to sound convincing.
And once they got access, they’d quickly find their way into the corporate’s most sensitive repositories to steal that data for extortion.
Ransomware attacks aren’t latest, but this group was extraordinarily expert at social engineering and bypassing multi-factor authentication, said Wendi Whitmore, senior vice chairman for the safety firm Palo Alto Networks’ Unit 42 threat intelligence team, which has responded to several intrusions tied to the group.
“They’re way more sophisticated than many cybercriminal actors. They look like disciplined and arranged of their attacks,” she said. “And that’s something we typically see more continuously with nation-state actors, versus cyber criminals.”
Known in the safety industry variously as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the limelight earlier this month for breaching the systems of two of the world’s largest gambling firms — MGM Resorts and Caesars Entertainment.
Behind the scenes, it has hit many more firms, in line with analysts tracking the intrusions – and cybersecurity specialists expect the attacks to proceed.
The FBI is investigating the MGM and Caesars breaches, and the businesses didn’t comment on who could also be behind them.
From Canada to Japan, the safety firm CrowdStrike has tracked 52 attacks globally by the group since March 2022, most of them in the USA, said Adam Meyers, senior vice chairman of threat intelligence at the corporate.
Google-owned intelligence firm Mandiant, has logged greater than 100 intrusions by it within the last two years.
Nearly every industry, from telecommunications to finance, hospitality, and media, has been hit.
Reuters was not in a position to determine how much money the hackers could have extorted.
However it’s not only the dimensions or the breadth of attacks that make this group stand out.
They’re extremely good at what they do and “ruthless” of their interactions with victims, said Kevin Mandia, Mandiant’s founder.
The speed at which they breach and exfiltrate data from company systems can overwhelm security response teams, and so they have left threatening notes for workers of victim organizations on their systems, and contacted them by text and email previously, Mandiant found.
In some cases — Mandia didn’t say which of them — hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives of targeted firms.
The technique, called SWATing, “is something that’s utterly dreadful to pass though as a victim,” he said. “I don’t even think these intrusions are about money. I feel they’re about power, influence and notoriety. That makes it harder to reply to.”
Reuters couldn’t immediately reach the hacking group for comment.
17-22 12 months olds
There’s little detail on Scattered Spider’s location or identity.
Based on the criminals’ chats with victims and clues gleaned from breach investigations, CrowdStrike’s Meyers said they’re largely 17-22 years-olds.
Mandiant estimates they’re mainly from Western countries, however it’s unclear what number of persons are involved.
Before calling helpdesks, the hackers acquire worker information including passwords by social engineering, especially ‘SIM swapping’ — a method where they trick a telecom company’s customer support representative to reassign a particular phone number from one device to a different, analysts say.
In addition they appear to make an effort to review how large organizations work, including their vendors and contractors, to seek out individuals with privileged access they’ll goal, in line with analysts.
That’s something David Bradbury, chief security officer of the identity management firm Okta, saw first-hand last month, when he discovered multiple Okta customers — including MGM — breached by Scattered Spider.
Okta provides identity services resembling multi-factor authentication used to assist users securely access online applications and web sites.
“The threat actors have clearly taken our courses that we offer online, they’ve clearly studied our product and the way it really works,” Bradbury said. “That is stuff we haven’t seen before.”
A bigger group named ALPHV said last week it was behind the MGM hack, and analysts imagine it provided the software and attack tools for the operation to be carried out by Scattered Spider.
Such collaborations are typical for cybercriminals, said Okta’s Bradbury. ALPHV, which in line with Mandiant is a “ransomware-as-a-service,” would supply services resembling a helpdesk, webpage and branding, and in turn get a cut of whatever Scattered Spider would make from the hack.
While many ransomware attacks go unpublicized, the MGM hack was a vivid example of the real-world impact of such incidents.
It caused chaos in Las Vegas, as gaming machines stalled and hotel systems were disrupted.
Ransomware gangs often function like large organizations, and proceed to evolve their methods to adapt to the most recent security measures organizations use.
“In some ways that is similar to the age-old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, one other group behind previous hacks into Okta and the technology giant Microsoft.
The British police last 12 months arrested seven people between the ages of 16 and 21 following those hacks.
