By Zeba Siddiqui and Raphael Satter
SAN FRANCISCO/WASHINGTON (Reuters) – About a year ago, the U.S. security firm Palo Alto Networks began to hear from a flurry of companies that had been hacked in ways that weren’t the norm for cybercriminals.
Native English-speaking hackers would call up a target company’s information technology helpdesk posing as an employee, and seek login details by pretending to have lost theirs. They had all the employee information needed to sound convincing. And once they got access, they’d quickly find their way into the company’s most sensitive repositories to steal that data for extortion.
Ransomware attacks are not new, but this group was extraordinarily skilled at social engineering and bypassing multi-factor authentication, said Wendi Whitmore, senior vice president for the security firm Palo Alto Networks’ Unit 42 threat intelligence team, which has responded to several intrusions tied to the group.
“They are much more sophisticated than many cybercriminal actors. They appear to be disciplined and organized in their attacks,” she said. “And that’s something we typically see more frequently with nation-state actors, versus cyber criminals.”
Known in the security industry variously as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the limelight earlier this month for breaching the systems of two of the world’s largest gambling companies – MGM Resorts and Caesars Entertainment Ltd.
Behind the scenes, it has hit many more companies, according to analysts tracking the intrusions – and cybersecurity specialists expect the attacks to continue.
The FBI is investigating the MGM and Caesars breaches, and the companies did not comment on who may be behind them.
From Canada to Japan, the security firm CrowdStrike has tracked 52 attacks globally by the group since March 2022, most of them in the United States, said Adam Meyers, senior vice president of threat intelligence at the company. Google-owned intelligence firm Mandiant, has logged more than 100 intrusions by it in the last two years.
Nearly every industry, from telecommunications to finance, hospitality, and media, has been hit. Reuters was not able to determine how much money the hackers may have extorted.
But it’s not just the scale or the breadth of attacks that make this group stand out. They’re extremely good at what they do and “ruthless” in their interactions with victims, said Kevin Mandia, Mandiant’s founder.
The speed at which they breach and exfiltrate data from company systems can overwhelm security response teams, and they have left threatening notes for staff of victim organizations on their systems, and contacted them by text and email in the past, Mandiant found.
In some cases – Mandia did not say which ones – hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives of targeted companies.
The technique, called SWATing, “is something that’s utterly dreadful to live through as a victim,” he said. “I don’t even think these intrusions are about money. I think they’re about power, influence and notoriety. That makes it harder to respond to.”
Reuters couldn’t immediately reach the hacking group for comment.
17-22 YEAR OLDS
There’s little detail on Scattered Spider’s location or identity. Based on the criminals’ chats with victims and clues gleaned from breach investigations, CrowdStrike’s Meyers said they are largely 17-22 years-olds. Mandiant estimates they’re mainly from Western countries, but it’s unclear how many people are involved.
Before calling helpdesks, the hackers acquire employee information including passwords by social engineering, especially ‘SIM swapping’ – a technique where they trick a telecom company’s customer service representative to reassign a specific phone number from one device to another, analysts say.
They also appear to make the effort to study how large organizations work, including their vendors and contractors, to find individuals with privileged access they can target, according to analysts.
That’s something David Bradbury, chief security officer of the identity management firm Okta, saw first-hand last month, when he discovered multiple Okta customers – including MGM – breached by Scattered Spider. Okta provides identity services such as multi-factor authentication used to help users securely access online applications and websites.
“The threat actors have clearly taken our courses that we provide online, they’ve clearly studied our product and how it works,” Bradbury said. “This is stuff we haven’t seen before.”
A larger group named ALPHV said last week it was behind the MGM hack, and analysts believe it provided the software and attack tools for the operation to be carried out by Scattered Spider.
Such collaborations are typical for cybercriminals, said Okta’s Bradbury. ALPHV, which according to Mandiant is a “ransomware-as-a-service”, would provide services such as a helpdesk, webpage and branding, and in turn get a cut of whatever Scattered Spider would make from the hack.
While many ransomware attacks go unpublicised, the MGM hack was a vivid example of the real-world impact of such incidents. It caused chaos in Las Vegas, as gaming machines stalled and hotel systems were disrupted.
Ransomware gangs often function like large organizations, and continue to evolve their methods to adapt to the latest security measures organizations use.
“In some ways this is just like the age-old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, another group behind previous hacks into Okta and the technology giant Microsoft. The British police last year arrested seven people between the ages of 16 and 21 following those hacks.
(Reporting by Zeba Siddiqui in San Francisco and Raphael Satter in New York; Editing by Chris Sanders and Claudia Parsons)