The Emergence of a Criminal Hacker Group
The FBI calls the emergence of Scattered Spider, an audacious group of young criminal hackers from the US, UK, and Canada, more troubling. They have teamed up with Russia’s most notorious ransomware gang.
Ransomware Attack on MGM Resorts
This past September, one of the most pernicious ransomware attacks in history was unleashed on MGM Resorts, costing the hotel and casino giant more than $100 million. It disrupted operations at a dozen of the most renowned gaming palaces on the Las Vegas Strip, including MGM Grand, Aria, Mandalay Bay, New York-New York, and the Bellagio.
Impact on Las Vegas
Anthony Curtis, a Las Vegas fixture known for his skill in counting cards, was at an MGM property when the attack occurred. He described the chaos that ensued as thousands of slot machines suddenly stopped paying out, causing confusion and frustration among gamblers.
Elevators malfunctioned, parking gates froze, digital door keys stopped working, and computer systems went down. Reservations were locked up, and long lines formed at front desks as the cyberattack affected various aspects of the operation.
Corporate Chaos
Anything that required technology was not working. Sounds like chaos. Nobody knew what to do, including the employees. The employees just had to beg forgiveness and patience. It’s corporate terrorism at its finest.
Devastating Disruptions
The company declined our interview request, but at a conference a month after the hack, MGM’s CEO admitted the disruptions were devastating. For the next four or five days, with 36,000 hotel rooms and some regional properties, they were completely in the dark.
Hackers’ Demands
The hackers demanded $3 million to unlock MGM’s data. The company refused, but it still paid a price: $100 million in lost revenue and millions more to rebuild its servers.
Social Engineering Tactics
So how did the intruders get in? Through a technique of deception and manipulation called social engineering. First, hackers zeroed in on an employee, gathering information from the dark web and open sources like LinkedIn. Next, a smooth-talking hacker impersonating the employee called the MGM tech help desk and convinced them to reset his password. With that, the hacker was inside MGM’s computers and unleashed the destructive malware. Anthony Curtis says it was the cybercriminals’ version of an Ocean’s 11 heist. They’re doing it the new way, but with the old-fashioned goal: they want to get the money.
Hackers’ Cunning Skills
What do you make of that? I don’t want to be too glowing, like I like these guys, because they’re just crooks, right? But these hackers were able to turn the tables.
The Rise of Cyberattacks in the Casino Industry
The casinos have their systems, their protections, and their experts. Despite this, they have faced a new wave of cyberattacks that have left them vulnerable. One of the most notable attacks targeted MGM’s biggest competitor, Caesars. This incident led to Caesars admitting they also suffered a social engineering attack, suspected to be orchestrated by the same group.
The Ransom Dilemma
In the face of cyberattacks, companies are often faced with the difficult decision of whether to pay a ransom or not. Caesars chose to pay a reported $15 million ransom, which ultimately resulted in no disruptions from an FBI perspective. While the FBI recommends against paying ransoms, they recognize that it can be a strategic business decision during a crisis.
The Growing Threat of Ransomware Attacks
Bryan Vorndran, head of the FBI Cyber Division, emphasized that ransomware attacks have become increasingly brazen. These attacks pose a threat not only to the global economy but also to the security of the United States. With estimated global losses exceeding $1 billion per year, it is clear that ransomware attacks are a significant challenge.
The Prime Suspect: Scattered Spider
While the FBI did not disclose specific details about the Las Vegas cases, they did point towards a prime suspect – Scattered Spider. This criminal group, predominantly composed of native English-speaking hackers, has been linked to the casino hacks and numerous other attacks. Their expertise lies in social engineering, and their fluency in Western culture gives them an edge in executing successful cyberattacks.
The Rise of the Comm
Allison Nixon, Chief Research Officer at Unit 221B, a cybersecurity firm specializing in English-speaking cybercriminals, sheds light on a growing trend in the world of cybercrime. She says Scattered Spider is just one of the many illicit hacking groups that make up a larger network known as the Comm.
A New Subculture
The Comm is described as an English-speaking youth subculture that has emerged in recent years. Despite being relatively new, its impact is significant. Members of the Comm have successfully hacked into major companies such as Microsoft, Nvidia, and Electronic Arts.
The Growing Population
Nixon notes that the number of people involved in these cybercrime groups has seen a drastic increase in recent years. What was once a few hundred individuals has now grown to include thousands of participants. The influx of money into these groups has fueled this rapid expansion.
Online Connections
Members of the Comm primarily connect with each other through the internet and social spaces such as gaming servers. These online environments serve as the equivalent of back alleys where illicit activities take place, but in a digital format.
Youthful Criminals
The individuals involved in the Comm are primarily males under the age of 25, with some participants as young as 13 or 14. Despite their youth, these individuals are engaging in major cybercrimes and boasting about their exploits on messaging apps like Telegram.
Glorification of Crime
Nixon highlights the toxic nature of the online spaces where young people socialize with criminals and gang members. This environment has given rise to a subculture that glamorizes criminal activities and measures one’s worth based on the harm they can cause.
Scattered Spider
Within the Comm, Scattered Spider is recognized as one of the most sophisticated offshoots. Their operations are intricate and pose a significant threat to cybersecurity. By teaming up with Russian hackers, these young English-speaking cybercriminals have become a formidable force in the world of cyberattacks.
Criminal Partnership
Their criminal exploits caught the attention of cybersecurity companies and other hackers, including the most notorious Russian ransomware gang, Black Cat. They saw the young native English-speaking Westerners as a force multiplier, and both claimed credit for the MGM attack.
Historical Context
Historically speaking, Russian cybercriminals did not like working with Western cybercriminals. There was not only a language barrier, but they also looked down on them and viewed them as unprofessional.
Partners in Crime
The Russian and Western hackers met in the shadowy corners of the dark web and are now powerful partners in crime. Scattered Spider uses its English and social engineering skills to break into Western company networks, while Black Cat provides its experience and malware for ransomware attacks.
Notable Attacks
Black Cat was involved in some of the most shocking ransomware attacks, including the 2021 attack on Colonial Pipeline that caused gas shortages along the East Coast, and this year’s attack on UnitedHealth Group, disrupting pharmacies nationwide.
State Department Action
The State Department is offering a $15 million reward for information on Russia’s Black Cat, indicating the severity and impact of their cyberattacks.
Ransomware as a Service
Jon DiMaggio, a former analyst at the National Security Agency, now investigates ransomware as the Chief Security Strategist for the cybersecurity company Analyst1. He explains how “ransomware as a service” has taken cybercrime to a new level, with established Russian gangs like Black Cat offering their services (malware, experience, ransom negotiation, and money laundering) to what they call affiliates, like Scattered Spider.
Russian Cyber Criminal Organizations
When a victim pays an extortion, the profit is now shared amongst those criminals. The most successful Russian gangs are run like legitimate companies, with easy-to-navigate online platforms, 24-hour service desks, and even human resources to hire software developers. There are people that specialize in developing malware and ransomware, and they’re in very high demand.
The Demographics of Cyber Criminals
You said you’ve gotten to know some of these people. Are they mostly young men? The leadership are people in their 40s or late 30s. They are individuals with experience and a financial background.
Russian Government Involvement
Dmitri Alperovitch says the Russian government provides a safe haven for ransomware gangs as long as they don’t target organizations within Russia or former Soviet states. It’s not considered a crime to attack American businesses, which is one of the reasons why Russian ransomware has become such a threat.
The Response from the National Security Agency
The elite cyber warriors at the National Security Agency have joined the fight against cyber threats, such as the Colonial Pipeline attack. Rob Joyce, the former NSA Director of Cyber Security, highlighted that the attack was a wake-up call and prompted the agency to allocate more resources to combat foreign threats.
The NSA’s Role in Identifying Russian Hackers
The value NSA can bring is we can identify people, specific people, involved in some of these activities. The NSA helped identify the Russian hacker responsible for the Colonial Pipeline attack, and in January 2022, after months of negotiations, Russia arrested him and other accomplices. But 5 weeks later it all came undone following the invasion of Ukraine. Those people were let out of jail.
Team up with Young Native English Speakers
So they’re back in business? Yes, sir. And now they’ve teamed up with the young native English speakers of Scattered Spider. The FBI’s Bryan Vorndran calls it an evolution of cybercrime. So in the case of Scattered Spider, is it powerful that they are with Black Cat?
The Arrest of Noah Urban
Of course, I think that it’s important to know that we are against a very capable set of adversaries. They’re very good at their work. We’re also very good at our work. In January, the bureau arrested a 19-year-old from Florida, Noah Urban, charged with stealing cryptocurrency. He’s pleaded not guilty. Cyber investigators have tied him to Scattered Spider, but so far, not to the casino heists.
Hiding in Plain Sight
The Scattered Spider hackers who did pull off the attack are still online, hiding in plain sight in an unholy alliance with Russians. Allison Nixon calls Las Vegas a harbinger.