A year ago, the US security firm Palo Alto Networks began to hear from a flurry of companies that had been hacked in ways that weren’t the norm for cybercriminals.
Native English-speaking hackers would call up a target company’s information technology helpdesk posing as an employee, and seek login details by pretending to have lost theirs.
They’d have all the employee information needed to sound convincing.
And once they got access, they’d quickly find their way into the company’s most sensitive repositories to steal that data for extortion.
Ransomware attacks are not new, but this group was extremely skilled at social engineering and bypassing multi-factor authentication, said Wendi Whitmore, senior vice president for Palo Alto Networks’ Unit 42 threat intelligence team, which has responded to several intrusions tied to the group.
“They’re much more sophisticated than many cybercriminal actors. They appear to be disciplined and organized in their attacks,” she said. “And that’s something we typically see more frequently with nation-state actors, versus cyber criminals.”
![MGM Grand](https://nypost.com/wp-content/uploads/sites/2/2023/09/NYPICHPDPICT000043806343.jpg?w=1024)
![An error message is displayed on a machine at MGM Grand in Las Vegas.](https://nypost.com/wp-content/uploads/sites/2/2023/09/NYPICHPDPICT000039641524.jpg?w=1024)
Known in the security industry variously as Scattered Spider, Muddled Libra, and UNC3944, these hackers were thrust into the limelight earlier this month for breaching the systems of two of the world’s largest gambling companies — MGM Resorts and Caesars Entertainment.
Behind the scenes, it has hit many more companies, according to analysts tracking the intrusions, and cybersecurity specialists expect the attacks to continue.
The FBI is investigating the MGM and Caesars breaches, and the companies didn’t comment on who may be behind them.
From Canada to Japan, the security firm CrowdStrike has tracked 52 attacks globally by the group since March 2022, most of them in the United States, said Adam Meyers, senior vice president of threat intelligence at the company.
Google-owned intelligence firm Mandiant has logged more than 100 intrusions by it in the last two years.
Nearly every industry, from telecommunications to finance, hospitality, and media, has been hit.
![Caesars Palace Las Vegas Hotel and Casino](https://nypost.com/wp-content/uploads/sites/2/2023/09/NYPICHPDPICT000043806348.jpg?w=1024)
Reuters was not able to determine how much money the hackers may have extorted.
But it’s not only the scale or the breadth of the attacks that make this group stand out.
They’re extremely good at what they do and “ruthless” in their interactions with victims, said Kevin Mandia, Mandiant’s founder.
The speed at which they breach and exfiltrate data from company systems can overwhelm security response teams, and they have left threatening notes for employees of victim organizations on their systems, and contacted them by text and email in the past, Mandiant found.
In some cases — Mandia didn’t say which ones — hackers tied to Scattered Spider placed bogus emergency calls to summon heavily armed police units to the homes of executives of targeted companies.
![A man holds a laptop computer as cyber code is projected on him in this illustration.](https://nypost.com/wp-content/uploads/sites/2/2023/09/NYPICHPDPICT000043806347-1.jpg?w=1024)
The technique, called SWATing, “is something that’s absolutely dreadful to go through as a victim,” he said. “I don’t even think these intrusions are about money. I think they’re about power, influence and notoriety. That makes it harder to respond to.”
Reuters couldn’t immediately reach the hacking group for comment.
17-22 year olds
There’s little detail on Scattered Spider’s location or identity.
Based on the criminals’ chats with victims and clues gleaned from breach investigations, CrowdStrike’s Meyers said they’re largely 17-22 year-olds.
Mandiant estimates they’re mainly from Western countries, but it’s unclear how many individuals are involved.
Before calling helpdesks, the hackers acquire employee information including passwords through social engineering, especially ‘SIM swapping’, a technique in which they trick a telecom company’s customer service representative into reassigning a particular phone number from one device to another, analysts say. Once the number is moved, any SMS-based one-time codes sent to the victim arrive on the attacker’s handset instead, which is what lets a stolen password get past phone-based multi-factor authentication.
They also appear to take the time to study how large organizations work, including their vendors and contractors, to find individuals with privileged access they can target, according to analysts.
That’s something David Bradbury, chief security officer of the identity management firm Okta, saw first-hand last month, when he discovered multiple Okta customers — including MGM — breached by Scattered Spider.
Okta provides identity services such as multi-factor authentication used to help users securely access online applications and websites.
“The threat actors have clearly taken our courses that we offer online, they’ve clearly studied our product and how it works,” Bradbury said. “This is stuff we haven’t seen before.”
A larger group named ALPHV said last week it was behind the MGM hack, and analysts believe it provided the software and attack tools for the operation to be carried out by Scattered Spider.
Such collaborations are typical for cybercriminals, said Okta’s Bradbury. ALPHV, which according to Mandiant is a “ransomware-as-a-service,” would provide services such as a helpdesk, webpage and branding, and in turn get a cut of whatever Scattered Spider would make from the hack.
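The intrusion chain described above (a helpdesk-initiated credential reset, a change to the victim’s MFA factors, then a login from somewhere the employee has never logged in from) is visible in an identity provider’s audit log if the events are correlated per user. The following is an added example, not code from the article, Okta, Mandiant or any other vendor: it runs a simple time-window correlation over a constructed set of audit events. The event schema (`ts`, `user`, `type`, `actor`, `ip`), the event type names and the per-user IP baseline are assumptions for illustration and would need to be mapped onto a real provider’s log fields.

```python
"""Correlate helpdesk password resets with follow-on MFA and login events.

Added example for illustration; the event format, event type names and
all sample data below are constructed, not taken from any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Timestamps are UTC.
SAMPLE_EVENTS = [
    # Suspicious: helpdesk reset, new MFA factor, login from an unseen IP.
    {"ts": "2023-09-10T13:02:00", "user": "alice", "type": "password_reset",
     "actor": "helpdesk", "ip": "10.0.0.5"},
    {"ts": "2023-09-10T13:05:00", "user": "alice", "type": "mfa_factor_enrolled",
     "actor": "self", "ip": "203.0.113.9"},
    {"ts": "2023-09-10T13:07:00", "user": "alice", "type": "login_success",
     "actor": "self", "ip": "203.0.113.9"},
    # Benign: self-service reset followed by a login from a known IP.
    {"ts": "2023-09-10T09:00:00", "user": "bob", "type": "password_reset",
     "actor": "self", "ip": "10.0.0.7"},
    {"ts": "2023-09-10T09:03:00", "user": "bob", "type": "login_success",
     "actor": "self", "ip": "10.0.0.7"},
    # Helpdesk reset, but no MFA change and the login IP is already known.
    {"ts": "2023-09-10T11:00:00", "user": "carol", "type": "password_reset",
     "actor": "helpdesk", "ip": "10.0.0.5"},
    {"ts": "2023-09-10T11:10:00", "user": "carol", "type": "login_success",
     "actor": "self", "ip": "10.0.0.8"},
]

# Constructed baseline: IPs each user has previously logged in from.
KNOWN_IPS = {"alice": {"10.0.0.12"}, "bob": {"10.0.0.7"}, "carol": {"10.0.0.8"}}

# How long after a helpdesk reset we keep looking for follow-on activity.
WINDOW = timedelta(minutes=60)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_resets(events, known_ips, window=WINDOW):
    """Return {user: [reasons]} for every helpdesk-initiated password reset
    that is followed within `window` by an MFA factor enrollment and/or a
    successful login from an IP outside that user's baseline.

    Self-service resets are ignored; a helpdesk reset with no follow-on
    MFA change and only logins from known IPs is not reported.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = {}
    for user, user_events in by_user.items():
        user_events.sort(key=_ts)
        baseline = known_ips.get(user, set())
        for i, event in enumerate(user_events):
            if event["type"] != "password_reset" or event["actor"] != "helpdesk":
                continue
            reset_time = _ts(event)
            reasons = []
            for follow in user_events[i + 1:]:
                if _ts(follow) - reset_time > window:
                    break  # events are sorted, so nothing later is in window
                if follow["type"] == "mfa_factor_enrolled":
                    reasons.append(
                        "MFA factor enrolled %s after helpdesk reset from %s"
                        % (_ts(follow) - reset_time, follow["ip"]))
                elif follow["type"] == "login_success" and follow["ip"] not in baseline:
                    reasons.append("login from previously unseen IP %s" % follow["ip"])
            if reasons:
                findings.setdefault(user, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_resets(SAMPLE_EVENTS, KNOWN_IPS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed events, only `alice` is reported, with both the MFA enrollment and the login from the unseen address as reasons; `bob` (self-service reset) and `carol` (helpdesk reset, but a known IP and no factor change) are not. In a real deployment the baseline would come from historical successful logins, and a helpdesk reset followed by a factor change alone should still page someone, since that is the step that turns a reset password into working MFA for the attacker.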
![A sign warns guests of difficulties with gambling machines.](https://nypost.com/wp-content/uploads/sites/2/2023/09/NYPICHPDPICT000039641365.jpg?w=1024)
While many ransomware attacks go unpublicized, the MGM hack was a vivid example of the real-world impact of such incidents.
It caused chaos in Las Vegas, as gaming machines stalled and hotel systems were disrupted.
Ransomware gangs often operate like large organizations, and continue to evolve their methods to adapt to the latest security measures organizations use.
“In many ways this is similar to the age-old game of cat and mouse,” said Whitmore, who compared Scattered Spider to Lapsus$, another group behind previous hacks into Okta and the technology giant Microsoft.
The British police last year arrested seven people between the ages of 16 and 21 following those hacks.