
Threat intelligence analysts, incident responders, and federal law enforcement alike all seem to know everything about the threat group with an array of monikers — The Com, Scattered Spider, Muddled Libra, UNC3944, Starfraud, and Octo Tempest, among others. So why is the group (which was behind the MGM Resorts and Caesars Entertainment hacks) still successfully attacking US organizations with impunity, with no disruptions so far?
This week, reports confirmed that federal law enforcement is well aware of the identities of the cybercrime group, which is made up of native English speakers, but has not been able to make any arrests. In fact, sources confirmed to Reuters that law enforcement has known the identities of the Scattered Spider hacking collective for more than six months.
Cybersecurity threat hunters like CrowdStrike's president Michael Sentonas struck a decidedly baffled tone, noting that the fact that the ransomware group is still operational and causing "havoc" is a "failure of law enforcement."
FBI Advisory on Scattered Spider
The feds did offer some response: On Nov. 16, the FBI and CISA released an advisory on Scattered Spider, providing indicators of compromise (IoCs) and other details to arm enterprise security teams with information to defend their networks.
"FBI and CISA recommend organizations implement the mitigations below to improve your organization's cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors," the advisory said. It included a list of recommendations, including application controls, remote access tool auditing, and implementing FIDO/WebAuthn authentication or public key infrastructure (PKI)-based multifactor authentication (MFA).
While helpful, if there is so much information about the group's cybercrimes, it doesn't answer why members of the ransomware group haven't simply been arrested, or at the very least, their operation disrupted, some note.
Hackers Getting Extra Aggressive With Threats of Violence
Like most things sitting at the intersection of corporate America and law enforcement, many of the details remain shrouded in secrecy. However, the effects of the group running rampant through public company networks like MGM Resorts are well-known.
"UNC3944 is one of the most prevalent and aggressive threat actors impacting organizations in the United States today," says Charles Carmakal, Mandiant Consulting CTO at Google Cloud. "They're incredibly disruptive."
And the group appears to be committing cybercrimes with impunity all the time, even branching out into threats of physical violence. Microsoft researchers explained in their analysis of the group, which they call Octo Tempest, that it uses fear for personal safety to pressure victims into paying.
"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts," Microsoft's Incident Response and Threat Intelligence teams said in their report. "These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."
Mountains of Knowledge on Scattered Spider
The sheer volume of details published by analysts about the group is dizzying. Scattered Spider was first flagged back in 2022 when it would leverage the Oktapus phishing kit to steal credentials. The group successfully dabbled in SIM swaps but seems to have hit its stride in mid-2023, when it became an affiliate of the ransomware-as-a-service provider BlackCat, aka Alphv.
Steadily ramping up their skills, the group's members eventually added a clever new social engineering angle: calling into help desks to reset credentials and take over verified accounts as an initial foothold into target environments. That is the gambit the Scattered Spider crew ultimately used to compromise MGM Resorts and hobble Las Vegas Strip operations for more than a week, running up losses in the hundreds of millions of dollars for MGM Resorts alone. The group simultaneously breached Caesars and quickly negotiated a $15 million ransom payment.
Mandiant's Carmakal says that the group should see more scrutiny in the wake of those two incidents: "They've recently gained a lot of attention because of their recent targeting of hospitality and entertainment organizations."
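The help-desk reset gambit described above leaves a recognizable trace in an identity provider's audit trail: a password reset initiated by a help-desk agent, followed within minutes by a new MFA factor being enrolled and a sign-in from a network the organization does not recognize. The following detection sketch is an added example, not code from this article, the FBI/CISA advisory, or any vendor; the event names (`helpdesk.password_reset`, `mfa.factor_enrolled`, `session.login`), the log records, and the "known corporate network" prefix list are all constructed for the demonstration and would need to be mapped onto a real identity provider's schema.

```python
"""Flag help-desk credential resets that are quickly followed by MFA
re-enrollment and/or a login from outside known networks.

Added example (hypothetical log schema); not the article's or the
advisory's own code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events. Field names are an assumption,
# loosely modelled on a generic identity-provider audit log.
SAMPLE_EVENTS = [
    {"ts": "2023-09-10T13:02:11Z", "user": "jsmith", "event": "helpdesk.password_reset",
     "actor": "helpdesk-agent-4", "ip": "10.0.5.21"},
    {"ts": "2023-09-10T13:09:40Z", "user": "jsmith", "event": "mfa.factor_enrolled",
     "actor": "jsmith", "ip": "203.0.113.77"},
    {"ts": "2023-09-10T13:11:05Z", "user": "jsmith", "event": "session.login",
     "actor": "jsmith", "ip": "203.0.113.77"},
    # Benign reset: next login is a day later, from the corporate network.
    {"ts": "2023-09-10T15:30:00Z", "user": "alee", "event": "helpdesk.password_reset",
     "actor": "helpdesk-agent-2", "ip": "10.0.5.22"},
    {"ts": "2023-09-11T08:00:00Z", "user": "alee", "event": "session.login",
     "actor": "alee", "ip": "10.0.8.14"},
    # MFA enrollment with no preceding help-desk reset: not this pattern.
    {"ts": "2023-09-10T09:00:00Z", "user": "bkhan", "event": "mfa.factor_enrolled",
     "actor": "bkhan", "ip": "10.0.8.31"},
]

# Constructed for the demo: treat 10.0.0.0/8 as the organization's own space.
KNOWN_CORPORATE_PREFIXES = ("10.",)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_known_network(ip):
    """Crude allowlist check; a real deployment would use CIDR matching."""
    return ip.startswith(KNOWN_CORPORATE_PREFIXES)


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Return one finding per help-desk reset that is followed, within
    `window`, by MFA factor enrollment and/or a login from an unknown
    network. Each finding is a dict with user, reset_ts and reasons."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append({**ev, "dt": parse_ts(ev["ts"])})

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["dt"])
        for i, reset in enumerate(evs):
            if reset["event"] != "helpdesk.password_reset":
                continue
            reasons = []
            for follow in evs[i + 1:]:
                if follow["dt"] - reset["dt"] > window:
                    break  # events are sorted; nothing later is in-window
                if follow["event"] == "mfa.factor_enrolled":
                    reasons.append(
                        "new MFA factor enrolled %s after help-desk reset by %s"
                        % (follow["dt"] - reset["dt"], reset["actor"]))
                elif follow["event"] == "session.login" and not is_known_network(follow["ip"]):
                    reasons.append("post-reset login from unknown network %s" % follow["ip"])
            if reasons:
                findings.append({"user": user, "reset_ts": reset["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding["user"], finding["reset_ts"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run on the constructed sample, the rule flags only `jsmith` (reset, then MFA enrollment and an off-network login within nine minutes) and stays quiet for the benign reset and the standalone enrollment. The window and the network allowlist are the two knobs to tune; a reset that is followed by factor enrollment alone is still worth a help-desk callback, which is why the two signals are recorded as separate reasons rather than requiring both.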
Regulation Enforcement Grapples With Cybercrime
Federal authorities aren't sharing any details of the investigation into Scattered Spider, but cybersecurity industry insiders suspect traditional law enforcement entities like the FBI are having a hard time adapting to chasing cybercriminals.
"Law enforcement is more accustomed to working groups with more structure and organization, and are struggling with the return of more chaotic and loosely coupled threat actors," Bugcrowd founder Casey Ellis says.
In fact, the FBI's inability to disrupt hacking groups like Scattered Spider could be a problem for some time to come, according to Callie Guenther, senior manager at Critical Start.
"The FBI's struggle to contain this group also highlights the broader challenges faced by law enforcement in the digital age," Guenther says. "The case of 'Scattered Spider' is indicative of a new era of cyber threats where criminal groups employ aggressive tactics, including threats of physical violence. This escalation in criminal strategies requires an equally robust and innovative response from law enforcement and cybersecurity experts."
For now, it appears it is up to individual enterprise teams to stop Scattered Spider from hobbling their networks. In the meantime, the cybersecurity community will continue to collect details on their exploits and wait for arrests.