FBI Difficulties In Combating Aggressive Cyber Groups That Investigate American Corporations

Kasino MGM Resorts International (photo: twitter @MGMGrand)

JAKARTA - The United States (FBI) Federal Investigation Agency is reportedly struggling to stop a very aggressive cyber crime group and has been troubling the American corporate world for the past two years. This was revealed by nine cybersecurity respondents, digital crime experts, and victims.

For more than six months, the FBI has known the identities of at least twelve members linked to the hacker group responsible for the malicious hack in September at the MGM Resorts International and Caesars Entertainment casino operators, according to four people familiar with the investigation.

Industry executives have told the media they are confused by the lack of arrests despite many of the American-based hackers.

"I want someone to explain it to me," said Michael Sentonas, President of CrowdStrice, one of the companies leading the response to the hack.

Part of American cybersecurity groups, such as CrowdStrice, Alphabet's Mandiant, Palo Alto Networks, and Microsoft, are responding to private hacks by hackers. Some of them have gathered evidence leading to hacker identities and assisted law enforcement.

Sources said that after the casino hack in September, the FBI's investigation became more urgent. The FBI first began investigating hacker operations more than a year ago.

Although the FBI stated that it was investigating the hacking of gaming companies, an FBI spokesman declined to comment on the larger group being responsible or the position of the investigation.

Called by several security professionals as "Scattered Spider," the hacking group has been active since 2021 but has caught the eye after a series of intrusions at several leading American companies.

MGM hacking disrupted its casino and hotel operations for several days and cost around $100 million, according to regulatory reports last month. Caesars paid about $115 million in ransom to regain access to his system from hackers, according to a Wall Street Journal report.

CrowdStrike, Mandiant, Palo Alto Networks, and Microsoft are some of America's cybersecurity companies responding to the hack by the group. Some have gathered evidence leading to hacker identities and assisted law enforcement, according to five inside sources.

Sources said that, after the September casino hack, the FBI's investigation became more urgent. FBI officers first began to see hacker operations more than a year ago.

Security analysts who tracked down the hack found various victims in almost every industry, from telecommunications and outsourced companies to healthcare and financial services companies.

In total, about 230 organizations have been victims since the start of last year, according to Baltimore-based cybersecurity firm Maryland, ZeroFox, which has helped Caesars deal with its impact.

ZeroFox CEO James Foster has attributed a slow response from law enforcement due to a lack of manpower. Several press reports over the past few years have shown that the FBI has lost many of its best cyber agents to the private sector offering higher salaries.

"Law enforcement, especially at the federal level, has all the tools and resources they need to successfully pursue cybercriminals," Foster said. "They just don't have enough people."

Another challenge is the reluctance of many victims to cooperate with the FBI. One of the sources, an executive involved in the defense against hackers, who declined to be named for client confidentiality, said "some" of the victim's companies did not notify the FBI that they were affected - meaning prosecutors missed the opportunity to obtain evidence that might be important.

"It's not strange to hide an intrusion like this," said a former FBI official who did not want to be named and previously worked on a ransomware investigation.

"The challenge is that nine out of ten companies don't want to work together," the former official was quoted as saying by VOI from Reuters.

Another challenge is the lax nature of this group, which consists of small groups of individuals working together in certain jobs. The fuzzy group structure helps get the nickname "Scattered" and other nicknames, "Muddled Libra," among researchers.

For example, the group behind the casino hack called themselves "Star Fraud," according to two analysts. They are part of a larger hacker group consisting of most young hackers using the name "The Com" as the slang language for their community.

Most of these group members are based in Western countries, including the United States. They usually discuss hacking projects on chat channels on social messaging apps, especially Telegram and Discord, which are popular among gamers.

A Telegram spokesperson did not respond to requests for comment on hackers. Discord spokeswoman declined to comment on them, but said the platform prohibited illegal activities and took steps including banning or closing groups or users involved in these practices.

Historically, this group's unclear form makes it difficult for the FBI to coordinate internally in many field offices across the country. For months, many field offices independently investigated individual hacking carried out by the same group but were not immediately aware of its linkage, which slowed the process.

Recently, the FBI field officebully, New Jersey, has been working on an investigation into this hacking group and is making progress, according to three people familiar with the matter. They added that a new special agent had been assigned to the case.

In recent months, worrying details of The Com's aggressive tactics have emerged to the public. Its members are involved in various illegal schemes, ranging from sextortion and ransomware to phone-based fraud and paying people for physical violence - also known as 'virolence-as-a-service.'

In a report published by Microsoft last month, tech companies cited hackers linked to Scattered Spider threatening to kill employees of the victim's organization unless they gave a password.

"If we don't get your login within the next 20 minutes, we will send the shooter to your home," reads one message. Another message follows, saying: "Your wife will be shot if you don't hand it over."

Reuters' attempt to contact hackers for this story was unsuccessful.

"I think they are pathological ones," said Kevin Mandia, founder of Mandiant, in an interview in September. "We've seen how they interact with the victim's company. They're relentless."

Mandian did not respond directly when asked if the identity of Scattered Spider was known by law enforcement. But he said there was no reason not to arrest hackers operating from Western countries.

"If they are in a democratic country in collaboration with the international community, you should arrest them," he said.