Nickname | See § Names |
---|---|
Formation | c. May 2022 |
Type | Hacker group |
Purpose | Ransomware, cyberattacks |
Region | United States and United Kingdom |
Methods | Social engineering, Ransomware as a service, Password cracking |
Affiliations | ALPHV |
Scattered Spider, also referred to as UNC3944 among other names, [1] is a hacking group mostly made up of individuals aged 19 to 22 as of September 2023. The group, whose name was first tagged by cybersecurity researchers, gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. Scattered Spider is believed to be primarily made up of operatives based in both the United States and the United Kingdom. [2] [3] At least one juvenile from the United Kingdom has been connected to the group. [4]
The group's most common name as used in press releases and by journalists is Scattered Spider, though many other names have been attributed to the group. Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra have all been names used to refer to the group previously. [1] [5]
According to Allison Nixon of Unit 221B, a cybersecurity company, Scattered Spider is a component of a larger global hacking community, known as "the Community" or "the Com", itself having members who have hacked major American technology companies. [5]
Scattered Spider is believed to have been founded in May 2022, when the group was focused on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram. [1] The group typically exploited the security bug CVE-2015-2291, a cybersecurity issue in Windows' anti-DoS software, [6] to terminate security software, allowing the group to evade detection. The group is believed to have a deep understanding of Microsoft Azure, the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and utilizes legitimately-developed remote-access tools. [1]
The group later became known for targeting critical infrastructure prior to moving on to its 2023 casino hacks. [7]
Scattered Spider gained access to both Caesars' and MGM's internal systems through the use of social engineering. The group was able to bypass multi-factor authentication technologies by attaining login credentials and one-time passwords. [8] [9] The group claims that it targeted MGM due to them catching the group attempting to rig slot machines in their favor. [10]
Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half their original demand of $30 million. Scattered Spider, using similar tactics to its attack on MGM, was able to access driver's license numbers and possibly Social Security numbers, for a "significant number" of Caesars customers. Statements made by Caesars noted that while the company cannot guarantee the deletion of the information attained by Scattered Spider, the casino operator will take all necessary actions to attain such result. [2]
Sources dispute on whether Scattered Spider was the group which targeted Caesars, with some believing it was the British-American group while others say the perpetrators were not the group or unknown. [11] [12] [10]
Scattered Spider collaborated with ALPHV, a software development team which provides ransomware as a service. Scattered Spider called MGM's help desk posing as an employee it found on LinkedIn to gain internal access. The group gained access on September 11, 2023. [8]
MGM Resorts first disclosed the cyberattack on September 12, 2023, in a Form 8-K report with the SEC the next day. [13] [14] The company stated that though it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, which include but are not limited to credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking. [9]
In July 2024, a 17-year old hacker from the United Kingdom was arrested in connection with the hack and attempted ransom. He has been released on bail pending trial. [15] The arrest was coordinated by local and international law enforcement.
MGM and the US FTC and FBI are presently investigating the cyberattack, and the casino operator temporarily took down its website. [3] Moody's Corporation has stated that due to MGM's heavy reliance on computers for much of its operations, its credit rating could go down as a result of the cyberattack. [7] Upon the announcement of both companies' attacks, the stock prices for both Caesars and MGM dropped. MGM's CEO William Hornbuckle went on to note at an industry conference that the hack caused the company to be "completely in the dark" about its properties. [5]
Both MGM and Caesars were sued in class action lawsuits following the hacks, with all stating that the failure for both of the casino operators to adequately secure their data constituted breach of contract. The law firms' clients also all demanded jury trials. [16] [17]
In January 2024, Noah Michael Urban, allegedly a member of the group [18] and known as "Sosa", "King Bob", "Elijah", and other aliases, was arrested in Florida for the cumulative theft of about $800,000 in cryptocurrency. [19]
In June 2024, the alleged leader of the group, Tyler Buchanan, was arrested in Spain when attempting to board a flight to Italy. [20] [21]
In July 2024, the West Midlands Police with the help of the FBI arrested a 17-year old juvenile in connection with the MGM cyberattacks. The suspect, who resides in Walsall and whose name was not published, was released on bail while law enforcement examines his devices. [22]
19-year-old Remington Ogletree was arrested in November 2024 on charges related to his alleged involvement with the group. [23]
Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
The Internet has a long history of turbulent relations, major maliciously designed disruptions, and other conflicts. This is a list of known and documented Internet, Usenet, virtual community and World Wide Web related conflicts, and of conflicts that touch on both offline and online worlds with possibly wider reaching implications.
Bitdefender is a multinational cybersecurity technology company dual-headquartered in Bucharest, Romania and Santa Clara, California, with offices in the United States, Europe, Australia and the Middle East.
A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.
Caesars Entertainment, Inc., formerly Eldorado Resorts, Inc., is an American hotel and casino entertainment company founded and based in Reno, Nevada, that operates more than 50 properties. Eldorado Resorts acquired Caesars Entertainment Corporation and changed its own name to Caesars Entertainment on July 20, 2020.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It was propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end of life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the users make a payment in Bitcoin in order to regain access to the system.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian or Ukrainian, who target organizations rather than individual consumers.
A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that afflicted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.
DarkSide is a cybercriminal hacking group, believed to be based in Russia, that targets victims using ransomware and extortion; it is believed to be behind the Colonial Pipeline cyberattack. The group provides ransomware as a service.
On 14 May 2021, the Health Service Executive (HSE) of Ireland suffered a major ransomware cyberattack which caused all of its IT systems nationwide to be shut down.
Wizard Spider, also known as Trickbot, DEV-0193, UNC2053, or Periwinkle Tempest, was a cybercrime group based in and around Saint Petersburg in Russia. Some members may be based in Ukraine. They are estimated to number about 80, some of them may not know they are employed by a criminal organisation.
In mid-May 2021 hospital computer systems and phone lines run by the Waikato District Health Board (DHB) in New Zealand were affected by a ransomware attack. On 25 May, an unidentified group claimed responsibility for the hack and issued an ultimatum to the Waikato DHB, having obtained sensitive data about patients, staff and finances. The Waikato DHB and New Zealand Government ruled out paying the ransom.
Hive was a ransomware as a service (RaaS) operation carried out by the eponymous cybercrime organization between June 2021 and January 2023. The group's purpose was to attack mainly public institutions to subsequently demand ransom for release of hijacked data.
LockBit is a cybercriminal group proposing ransomware as a service (RaaS). Software developed by the group enables malicious actors who are willing to pay for using it to carry out attacks in two tactics where they not only encrypt the victim's data and demand payment of a ransom, but also threaten to leak it publicly if their demands are not met.
BlackCat, also known as ALPHV and Noberus, is a ransomware family written in Rust. It made its first appearance in November 2021. By extension, it is also the name of the threat actor(s) who exploit it.
Rhysida is a ransomware group that encrypts data on victims' computer systems and threatens to make it publicly available unless a ransom is paid. The group uses eponymous ransomware-as-a-service techniques, targets large organisations rather than making random attacks on individuals, and demands large sums of money to restore data. The group perpetrated the notable 2023 British Library cyberattack and Insomniac Games data dump. It has targeted many organisations, including some in the US healthcare sector, and the Chilean army.