'Power, influence, notoriety': The Gen-Z hackers who attacked MGM

Washington/San Francisco:

About a year ago, US security firm Palo Alto Networks began hearing about companies that had been hacked in ways that were not typical of cybercriminals.

Native English-speaking hackers would call the information technology helpdesk of a target company, posing as an employee who had lost their login details, and ask for them to be reset. They had all the employee information needed to seem credible. Once they got access, they would find their way into the company's most sensitive repositories and steal that data for extortion.

Ransomware attacks are nothing new, but this group was exceptionally adept at social engineering and at bypassing multi-factor authentication, said Wendi Whitmore, senior vice president of the Unit 42 threat intelligence team at Palo Alto Networks, which has responded to several intrusions by the group.

“They are far more sophisticated than many cybercriminal actors. They appear to be disciplined and organized in their attacks,” she said. “And this is something we typically see more often with nation-state actors versus cybercriminals.”

These hackers, known in the security industry as Scattered Spider, Muddled Libra and UNC3944, came into the limelight earlier this month for breaching the systems of two of the world's largest gambling companies, MGM Resorts and Caesars Entertainment.

Behind the scenes, the group has hit many more companies, according to analysts tracking the intrusions, and cybersecurity experts expect the attacks to continue.

The FBI is investigating the MGM and Caesars breaches, and the companies have not commented on who may be behind them.

From Canada to Japan, security firm CrowdStrike has tracked 52 attacks by the group globally since March 2022, most of them in the United States, said Adam Meyers, senior vice president of threat intelligence at the company. Google-owned intelligence firm Mandiant has logged more than 100 intrusions by the group in the last two years.

Almost every industry has been affected, from telecommunications to finance, hospitality and media. Reuters was not able to determine how much money the hackers may have made.

But it is not just the scale or breadth of the attacks that sets this group apart. They are very good at what they do and are “ruthless” in their interactions with victims, said Kevin Mandia, founder of Mandiant.

The speed at which they breach company systems and exfiltrate data can overwhelm security response teams. They have left threatening notes for employees of victimized organizations on their systems, and have contacted them by text and email, Mandiant found.

In some cases, which Mandia did not detail, hackers associated with Scattered Spider have made fake emergency calls to summon heavily armed police units to the homes of executives at targeted companies.

“The technique called swatting is something that is extremely horrible to live through as a victim,” he said. “I don’t even think these infiltrations are about money. I think they’re about power, influence and notoriety. That makes it harder to respond.”

Reuters could not immediately reach the hacking group for comment.

17- to 22-year-olds

Few details are known about Scattered Spider's location or identity. Based on leads from the perpetrators' chats with victims and investigation of the breaches, CrowdStrike's Meyers said they are mostly 17 to 22 years old. Mandiant estimates they are mainly from Western countries, but it is unclear how many people the group includes.

Analysts say that before calling the helpdesk, the hackers gather employee information, including passwords, through social engineering, in particular ‘SIM swapping’: a technique in which they trick a telecom company's customer service representative into reassigning a victim's phone number to a device the attackers control, so that one-time codes sent by text message to that number reach them instead of the employee.

According to analysts, they also appear to study how large organizations operate, including their vendors and contractors, to find individuals with privileged access whom they can target.
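The playbook described above (a helpdesk is talked into resetting an employee's password or MFA factor, and the attacker then signs in, often from a device the account has never used) leaves a recognizable trace in identity-provider logs. The following detection rule is an added example written for this page; it is not code from the article or from any vendor named in it. The event names, the `ts|event|actor|target|ip` log format and the sample log lines are all constructed for the example and do not correspond to any real product's schema.

```python
"""Flag helpdesk-assisted credential or MFA resets that are quickly
followed by a sign-in from an IP the account has never used before.

Added example for this article. The event schema, event names and sample
log are assumptions made up for the demonstration, not a real IdP's format.
"""
from datetime import datetime, timedelta

# Events a helpdesk agent can perform on *another* user's account.
# These names are assumptions for the example only.
RESET_EVENTS = {"user.password.reset", "user.mfa.factor.reset"}
LOGIN_EVENT = "user.login.success"


def parse_events(lines):
    """Parse constructed 'ts|event|actor|target|ip' lines, oldest first."""
    events = []
    for line in lines:
        ts, event, actor, target, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "actor": actor, "target": target, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_resets(events, window_minutes=60):
    """Return (target_user, reset_event, login_ip) for every reset done by
    someone other than the account owner that is followed, within
    window_minutes, by a successful login from an IP the account had never
    logged in from before the reset."""
    window = timedelta(minutes=window_minutes)
    findings = []
    known_ips = {}   # user -> IPs seen in successful logins so far
    pending = []     # helpdesk resets still inside their detection window
    for e in events:
        # Drop resets whose window has elapsed.
        pending = [p for p in pending if e["ts"] - p["ts"] <= window]
        if e["event"] in RESET_EVENTS and e["actor"] != e["target"]:
            # Snapshot the IPs known *before* the reset, so a later login
            # from a new IP stands out even after it becomes "known".
            pending.append({"ts": e["ts"], "user": e["target"],
                            "event": e["event"],
                            "ips_before": set(known_ips.get(e["target"], ()))})
        elif e["event"] == LOGIN_EVENT:
            user = e["target"]
            for p in pending:
                if p["user"] == user and e["ip"] not in p["ips_before"]:
                    findings.append((user, p["event"], e["ip"]))
                    break  # one finding per login is enough
            known_ips.setdefault(user, set()).add(e["ip"])
    return findings


# Constructed sample log (not real data). Documentation IP ranges only.
SAMPLE_LOG = [
    "2023-09-08T08:00:00|user.login.success|alice|alice|203.0.113.10",
    "2023-09-08T08:05:00|user.login.success|bob|bob|198.51.100.7",
    # Helpdesk resets Alice's MFA factor; six minutes later someone signs
    # in as Alice from an IP she has never used. This is the attack pattern.
    "2023-09-08T09:00:00|user.mfa.factor.reset|helpdesk1|alice|192.0.2.1",
    "2023-09-08T09:06:00|user.login.success|alice|alice|192.0.2.55",
    # Helpdesk resets Bob's password; Bob logs back in from his usual IP.
    "2023-09-08T10:00:00|user.password.reset|helpdesk1|bob|192.0.2.1",
    "2023-09-08T10:03:00|user.login.success|bob|bob|198.51.100.7",
    # Carol resets her own password (self-service), then logs in from a new
    # IP. Not helpdesk-assisted, so this rule deliberately ignores it.
    "2023-09-08T11:00:00|user.password.reset|carol|carol|192.0.2.88",
    "2023-09-08T11:01:00|user.login.success|carol|carol|192.0.2.88",
]

if __name__ == "__main__":
    for user, reset, ip in find_suspicious_resets(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {reset} on {user} followed by login from new IP {ip}")
```

Run against the sample log, only Alice's account is flagged. The rule keys on who performed the reset rather than on the reset alone, because self-service resets are routine; a real deployment would also want to correlate the helpdesk ticket, the caller's phone number and any factor enrolment that follows, which are exactly the steps an attacker who has SIM-swapped the employee's number is relying on to pass.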

It's something that David Bradbury, chief security officer at identity management firm Okta, saw firsthand last month, when his team discovered that several Okta customers, including MGM, had been breached by Scattered Spider. Okta provides identity services such as multi-factor authentication, which organizations use to let users securely access online applications and websites.

“The threat actors have clearly taken our courses that we offer online, they have clearly studied our product and how it works,” Bradbury said. “This is something we haven’t seen before.”

A larger group called ALPHV said last week that it was behind the MGM hack, and analysts believe it provided software and attack tools for the operation carried out by Scattered Spider.

Such collaborations are typical for cybercriminals, Okta's Bradbury said. ALPHV, which Mandiant describes as a “ransomware-as-a-service” operation, provides services such as a helpdesk, webpages and branding, and in return receives a share of what Scattered Spider makes from its hacks.

While many ransomware attacks go unnoticed by the public, the MGM hack was a vivid example of the real-world impact of such incidents: it caused chaos in Las Vegas as gaming machines went down and hotel systems were disrupted.

Ransomware gangs often operate like large organizations, and keep evolving their methods to get around the latest security measures their targets adopt.

“In some ways it's like the age-old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, another group behind previous hacks at Okta and technology giant Microsoft. British police last year arrested seven people between the ages of 16 and 21 in connection with those hacks.
