Scattered Spider

Scattered Spider
Nickname: see Names
Formation: c. May 2022
Type: Hacker group
Purpose: Ransomware, cyberattacks
Region: United States and United Kingdom
Methods: Social engineering, ransomware as a service, password cracking
Affiliations: ALPHV

Scattered Spider, also referred to as UNC3944 among other names, [1] is a hacking group that, as of September 2023, was reported to be mostly made up of individuals aged 19 to 22. The name was coined by cybersecurity researchers. The group gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States, and is believed to be primarily made up of operatives based in the United States and the United Kingdom. [2] [3]

Names

The group's most common name, used in press releases and by journalists, is Scattered Spider, though many other names have been attributed to it: Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra have all been used to refer to the group. [1] [4]

According to Allison Nixon of the cybersecurity company Unit 221B, Scattered Spider is a component of a larger global hacking community known as "the Community" or "the Com", whose members have hacked major American technology companies. [4]

Early history

Scattered Spider is believed to have been founded in May 2022, when it focused on attacks against telecommunications firms. The group used SIM swap scams, multi-factor authentication (MFA) fatigue attacks, and phishing via SMS and Telegram. [1] To evade detection, the group typically exploited CVE-2015-2291, a vulnerability in the Intel Ethernet diagnostics driver for Windows (IQVW32.sys and IQVW64.sys before version 1.3.1.0), [5] loading the legitimately signed but vulnerable driver and using it to terminate security software from the kernel. The group is believed to have a deep understanding of Microsoft Azure, the ability to conduct reconnaissance in cloud environments on Google Workspace and AWS, and uses legitimately developed remote-access tools. [1]
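As an added example (not code from this article or from any of the cited researchers), the following Python runs two simple detections over constructed log lines for the techniques described above: MFA push fatigue (a burst of denied push prompts followed by an approval) and the loading of the vulnerable Intel Ethernet diagnostics driver tied to CVE-2015-2291. The log format, field names, hostnames, user names and addresses are assumptions made for illustration; the driver image names come from the CVE description (IQVW32.sys, IQVW64.sys) plus the iqvw64e.sys name the 64-bit build is commonly distributed under.

```python
"""Hunting for two of the early Scattered Spider techniques described above:
MFA push fatigue and loading the vulnerable Intel Ethernet diagnostics driver
(CVE-2015-2291) to blind security tooling.

All log lines below are constructed for this example, and the line format
(timestamp, event kind, key=value pairs) is an assumption, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Image names of the driver named in the CVE-2015-2291 description
# (IQVW32.sys / IQVW64.sys); iqvw64e.sys is the name the 64-bit build is
# commonly distributed under. Matching on name only is a first pass: a
# renamed copy would need a hash- or signer-based rule instead.
VULNERABLE_DRIVER_NAMES = {"iqvw32.sys", "iqvw64.sys", "iqvw64e.sys"}

# Constructed sample: jdoe denies four push prompts from one address and then
# approves the fifth; asmith denies once and approves (an ordinary mis-tap);
# WS-042 loads the vulnerable driver from a user-writable directory.
SAMPLE_LOG = """\
2023-09-11T02:10:05Z mfa_push user=jdoe result=denied ip=203.0.113.7
2023-09-11T02:10:41Z mfa_push user=jdoe result=denied ip=203.0.113.7
2023-09-11T02:11:20Z mfa_push user=jdoe result=denied ip=203.0.113.7
2023-09-11T02:12:02Z mfa_push user=jdoe result=denied ip=203.0.113.7
2023-09-11T02:15:30Z mfa_push user=jdoe result=approved ip=203.0.113.7
2023-09-11T02:30:00Z mfa_push user=asmith result=denied ip=198.51.100.4
2023-09-11T02:31:10Z mfa_push user=asmith result=approved ip=198.51.100.4
2023-09-11T03:01:00Z driver_load host=WS-042 image=C:\\Windows\\Temp\\iqvw64e.sys signed=true
2023-09-11T03:01:05Z driver_load host=WS-007 image=C:\\Windows\\System32\\drivers\\tcpip.sys signed=true
"""


def parse_line(line):
    """Parse '<ISO ts> <kind> k=v k=v ...' into a dict (values contain no spaces)."""
    ts, kind, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_mfa_fatigue(events, window_minutes=10, min_denied=3):
    """Flag each approved push preceded by >= min_denied denials for the same
    user inside window_minutes: the signature of a fatigue attack succeeding."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["kind"] == "mfa_push":
            by_user[ev["user"]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for idx, ev in enumerate(evs):
            if ev["result"] != "approved":
                continue
            window_start = ev["ts"] - timedelta(minutes=window_minutes)
            denied = [d for d in evs[:idx]
                      if d["result"] == "denied" and d["ts"] >= window_start]
            if len(denied) >= min_denied:
                hits.append({
                    "user": user,
                    "approved_at": ev["ts"],
                    "denied_count": len(denied),
                    "source_ips": sorted({d["ip"] for d in denied}),
                })
    return hits


def find_vulnerable_driver_loads(events):
    """Flag driver loads whose image name matches the CVE-2015-2291 driver."""
    hits = []
    for ev in events:
        if ev["kind"] != "driver_load":
            continue
        name = PureWindowsPath(ev["image"]).name.lower()
        if name in VULNERABLE_DRIVER_NAMES:
            hits.append({"host": ev["host"], "image": ev["image"], "ts": ev["ts"]})
    return hits


def analyze(lines):
    """Run both detections over raw log lines and return the findings."""
    events = [parse_line(line) for line in lines if line.strip()]
    return {
        "mfa_fatigue": find_mfa_fatigue(events),
        "vulnerable_driver_loads": find_vulnerable_driver_loads(events),
    }


if __name__ == "__main__":
    for category, findings in analyze(SAMPLE_LOG.splitlines()).items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

The fatigue rule keys on the denied-then-approved sequence rather than on raw push volume, since a single user approving after a handful of denials inside a few minutes is the moment the attack pays off; a signed-driver load from a temp directory is the kind of event a name-based rule catches cheaply, but a driver-hash blocklist or a signer allowlist is what stops a renamed copy.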

The group later became known for targeting critical infrastructure prior to moving on to its 2023 casino hacks. [6]

2023 casino hacks

Scattered Spider gained access to both Caesars' and MGM's internal systems through social engineering. The group bypassed multi-factor authentication by obtaining login credentials and one-time passwords from its targets. [7] [8] The group claims it targeted MGM because MGM had caught it attempting to rig slot machines in its favor. [9]

Caesars hack

Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half the original demand of $30 million. Using tactics similar to those of its attack on MGM, Scattered Spider was able to access driver's license numbers, and possibly Social Security numbers, of a "significant number" of Caesars customers. Caesars stated that while it cannot guarantee the deletion of the information obtained by Scattered Spider, it will take all necessary actions to achieve that outcome. [2]

Sources disagree on whether Scattered Spider was the group that targeted Caesars: some attribute the attack to the British-American group, while others say the perpetrators were a different group or are unknown. [10] [11] [9]

MGM Resorts hack

Scattered Spider collaborated with ALPHV, a group that operates a ransomware-as-a-service platform. To gain internal access, Scattered Spider called MGM's help desk posing as an employee it had found on LinkedIn. The group gained access on September 11, 2023. [7]

MGM Resorts first disclosed the cyberattack on September 12, 2023, and filed a Form 8-K report with the SEC the next day. [12] [13] The company stated that although it had "dealt" with the cyberattack, many of the computer systems at its resorts remained offline, including the systems handling credits for food and beverages. The attack also disabled on-site ATMs and remote room keys, and prevented MGM from charging patrons for parking. [8]

Aftermath

MGM, the US FTC, and the FBI are investigating the cyberattack, and the casino operator temporarily took down its website. [3] Moody's Corporation stated that, because MGM relies heavily on computer systems for much of its operations, its credit rating could be downgraded as a result of the cyberattack. [6] Following the announcement of both companies' attacks, the stock prices of both Caesars and MGM dropped. MGM's CEO William Hornbuckle later noted at an industry conference that the hack left the company "completely in the dark" about its properties. [4]

Both MGM and Caesars were sued in class action lawsuits following the hacks, each complaint alleging that the casino operators' failure to adequately secure customer data constituted breach of contract. The plaintiffs in each case also demanded jury trials. [14] [15]

References

  1. "Scattered Spider: The Modus Operandi". www.trellix.com. Retrieved September 14, 2023.
  2. "Caesars Entertainment says it was also a victim of a cyberattack". NBC News. September 14, 2023. Retrieved September 14, 2023.
  3. Bracken, Becky (September 14, 2023). "'Scattered Spider' Behind MGM Cyberattack, Targets Casinos". Dark Reading. Retrieved September 14, 2023.
  4. Whitaker, Bill; Chasan, Aliza; Messick, Graham; Weingart, Jack (April 14, 2024). "Criminal exploits of Scattered Spider earn respect of Russian ransomware hackers". CBS News. Retrieved April 23, 2024.
  5. "CVE-2015-2291: (1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows". www.cvedetails.com. Retrieved September 14, 2023.
  6. "MGM Resorts breached by 'Scattered Spider' hackers: Sources". Business Insurance. Retrieved September 14, 2023.
  7. Siddiqui, Zeba; Bing, Christopher (September 13, 2023). "MGM Resorts breached by 'Scattered Spider' hackers: sources". Reuters. Retrieved September 14, 2023.
  8. "Young hackers are sticking up Las Vegas casinos for hefty ransoms". Quartz. September 14, 2023. Retrieved September 14, 2023.
  9. Srivastava, Mehul (September 14, 2023). "MGM hack followed failed bid to rig slot machines, 'Scattered Spider' group claims". Financial Times. Retrieved September 15, 2023.
  10. Murphy, Aislinn (September 13, 2023). "Caesars Entertainment reportedly paid ransomware demand". FOXBusiness. Retrieved September 15, 2023.
  11. Gendron, Will. "MGM Resorts is still suffering from a massive outage after a notorious group of young hackers apparently tricked workers into handing over access to the company's network". Business Insider. Retrieved September 15, 2023.
  12. "Investors - Financial Info - SEC Filings - SEC Filings Details". investors.mgmresorts.com.
  13. MGM Resorts International Form 8-K (PDF): https://d18rn0p25nwr6d.cloudfront.net/CIK-0000789570/a390c443-0c40-4025-aba2-74505ab3c9e3.pdf
  14. "Complaints filed say MGM Resorts, Caesars Entertainment failed to protect information from cyberattack". Channel 13 Las Vegas News KTNV. September 26, 2023. Retrieved September 26, 2023.
  15. Croft, Daniel (September 26, 2023). "5 class actions launched against MGM, Caesars". www.cybersecurityconnect.com.au. Retrieved September 26, 2023.