About a year ago, American security firm Palo Alto Networks began hearing reports of companies that had been hacked in ways that were not typical of cybercriminals.
Native English-speaking hackers call a target company’s information technology help desk posing as an employee who has lost their login details, and ask for them to be reset. They have all the employee information they need to be convincing. And once they get access, they quickly go into the company’s most sensitive data stores and steal that data for extortion.
Ransomware attacks aren’t new, but the group was unusually adept at social engineering and bypassing multifactor authentication, said Wendy Whitmore, senior vice president of the threat intelligence team at security firm Palo Alto Networks’ Unit 42, which has responded to several intrusions by the group.
“They are much more sophisticated than many cybercriminal actors. They appear to be disciplined and organized in their attacks,” she said. “And that’s something we see more often with nation-state actors than with cybercriminals in general.”
Known variously in the security industry as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the spotlight earlier this month by the breach of the systems of two of the world’s largest gambling companies, MGM Resorts and Caesars Entertainment Ltd.
Behind the scenes, it has targeted many more companies, according to analysts tracking the intrusions — and cybersecurity experts expect the attacks to continue.
The FBI is investigating the MGM and Caesars breaches, and the companies have not commented on who might be behind them.
From Canada to Japan, security firm CrowdStrike has tracked 52 attacks by the group globally since March 2022, most of them in the United States, said Adam Meyers, senior vice president of threat intelligence at the company. Google-owned intelligence firm Mandiant has logged more than 100 intrusions by the group in the last two years.
Almost every industry has been affected, from telecommunications to finance, hospitality and media. Reuters was not able to determine how much the hackers extorted.
But it’s not just the scale or breadth of the attacks that makes this group stand out. Mandiant founder Kevin Mandia said they are very good at what they do and are “ruthless” in their interactions with victims.
The speed with which they breach company systems and extract data can overwhelm security response teams, and they have left threatening notes on the systems of affected organizations for staff to find, and have contacted staff by text message and email, Mandiant found.
In some cases — Mandia did not say which ones — Scattered Spider-linked hackers made fake emergency calls to summon heavily armed police units to the homes of executives at targeted companies.
The technique, called swatting, is “something that is absolutely terrifying to experience as a victim,” he said. “I don’t even think this intrusion is about money. I think it’s about power, influence and notoriety. That makes it difficult to respond.”
Reuters could not immediately reach the hacking group for comment.
People aged 17-22 years
There is little detail about the location or identity of Scattered Spider’s members. Based on the criminals’ interactions with victims and clues from breach investigations, CrowdStrike’s Meyers said they are mostly between the ages of 17 and 22. Mandiant estimates they are mainly from Western countries, but it is unclear how many are involved.
Analysts say that before calling the help desk, the hackers obtain employee information, including passwords, through social engineering, particularly ‘SIM swapping’ – a technique where, impersonating someone else, they trick a telecom company’s customer service representative into reassigning specific phone numbers from one device to another.
According to analysts, they also seem to be trying to study how large organizations operate, including their vendors and contractors, to find people they can target.
David Bradbury, chief security officer at identity management firm Okta, saw it first-hand last month, when the company discovered that several Okta customers — including MGM — had been breached by Scattered Spider. Okta provides identity services, such as multi-factor authentication, to help users securely access online applications and websites.
“Threat actors have clearly taken the courses that we provide online, they’ve clearly studied our product and how it works,” Bradbury said. “This is something we haven’t seen before.”
A group called ALPHV said last week that it was behind the MGM hack, and analysts believe it provided the software and attack tools for the operation to Scattered Spider.
Okta’s Bradbury said such collaborations are common among cybercriminals. ALPHV, which operates as “ransomware-as-a-service” according to Mandiant, provides services such as a help desk, a web page and branding, and in turn receives a portion of whatever Scattered Spider makes from the hack.
While many ransomware attacks pass without public notice, the MGM hack was a clear example of the real-world impact of such incidents. It caused chaos in Las Vegas as gaming machines stopped and hotel systems were disrupted.
Ransomware gangs often operate like large organizations, and continue to evolve their methods to adapt to the latest security measures used by organizations.
“In some ways it’s just like the old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, another group behind previous hacks at Okta and technology giant Microsoft. British police last year arrested seven people between the ages of 16 and 21 following those hacks.