Scattered Spider Hackers Group, Working With Sophisticated, Organized And Disciplined
JAKARTA - Last year, the United States security company, Palo Alto Networks, began to hear that a number of companies had been infiltrated by an unusual way by computer hackers.
The original English-speaking hackers will contact the target company's information technology aid center, disguise themselves as employees, and look for login details by pretending to lose their access.
They have all the employee information needed to sound convincing. Once they get access, they will quickly find a way into the company's most sensitive repository to steal the data for ransom.
"Ransomware attacks are nothing new, but the group is very skilled in social engineering and bypasses multi-factor authentication," said Wendi Badminton, senior vice president of the Unit 42 threat intelligence team of security firm Palo Alto Networks, which has responded to several attacks linked to the group.
"They are far more sophisticated than many other cybercriminals. They appear disciplined and organized in their attacks," he said. "And this is something we usually see more often with state actors, compared to cybercriminals."
Known in the security industry with various names such as Scattered Spider, Muded Libra, and UNC3944, the hacker is reported to have stolen data on major companies such as MGM Resorts and Caesars Entertainment.
Behind the scenes, a number of other companies were also victims of their attacks, according to analysts who tracked the intrusion. Authorities are aware that this attack will continue.
The FBI is investigating the MGM and Caesars hacks, and the two companies have not commented on who was behind the attack.
From Canada to Japan, security firm CrowdStrike has been tracking 52 attacks worldwide by the group since March 2022, mostly in the United States. Google-owned Intelligence firm Mandiant has recorded more than 100 intrusions by the group in the past two years.
Almost every industry, from telecommunications to finance, hospitality and media, has fallen victim. Reuters could not even determine the extent of the money hackers had earned through ransom.
However, what distinguishes this group is not only the scale or coverage of its attacks. "They are very skilled at what they do and are very "cruel" in interaction with the victim," said Kevin Mandia, founder of Mandiant.
Their speed as they penetrate and retrieve data from the company's system could stop the security response team, and they also leave threatening records for victims' organization staff on their systems, and contact them via text and email messages.
In some cases, hackers linked to Scattered Spider have made fake calls to summon armed police units to the homes of target company executives.
"This technique, referred to as happeneding, is something very terrible when faced as a victim," said Mandia. "I don't even think that this intrusion is just about money. I think it's about power, influence, and fame. This makes it harder to respond."
No details are available regarding the location or identity of Scattered Spider. Based on hacking conversations with the victim and clues obtained from an intrusion investigation, Adam Meyers of CrowdStricte said they were mostly 17-22 years old.
Mandiant estimates that they mostly come from Western countries, but it's unclear how many people were involved.
Before contacting the aid center, hackers gathered employee information, including passwords, with social techniques, especially 'SIM swapping' - a technique in which they tricked a telecommunications company customer service representative to transfer certain phone numbers from one device to another, analysts said.
They also seem to be trying to understand how large organizations work, including vendors and their contractors, to find individuals with the special access they can target, according to analysts.
This is something David Bradbury, head of security officials of Okta's identity management company, saw as he discovered several Okta customers - including MGM - compromised by Scattered Spider last month. Okta provides identity services such as multi-factor authentication used to help users access apps and websites securely.
"The threat actors have clearly taken the courses we provide online, they are clearly studying our products and how they work," said Bradbury. "This is something we've never seen before."
SEE ALSO:
A larger group known as ALPHV claimed last week that they were the perpetrators behind the MGM hack, and analysts believe they provide the software and attack tools to be carried out by Scattered Spider.
"This kind of collaboration is common to cybercriminals," said Bradbury of Okta. ALPHV, which according to Mandiant is a "ransomware-as-a-service", will provide services such as a help center, web page, and brand, and will instead get a share of what Scattered Spider will get from the hack.
While many ransomware attacks are not known to the public, MGM hacking is a real example of the real world impact of this kind of attack. This caused chaos in Las Vegas, with gambling machines off and the hotel system disrupted.
Ransomware hacker groups often operate such as large organizations and continue to develop their method of adapting to the latest security measures used by organizations.
"In a number of ways, it's like an ancient cat and mouse game," mitigating him, who compared Scattered Spider to Lapsus$, another group that hacked Okta and the giant tech company Microsoft. Last year British police arrested seven people between 16 and 21 years after the hack.