The hacking group Scattered Spider has made a name for itself after a string of successful intrusions into two of Las Vegas' largest casino operators. Although the group's reputation has only recently spread, cybersecurity experts say it has evolved dramatically and now causes far more damage.
The Scattered Spider attacks wreaked havoc on MGM Resorts and Caesars Entertainment, two of the world's largest gambling companies, in Las Vegas, where gaming machines stopped working and hotel systems failed.
The ransomware group ALPHV (also known as BlackCat) said last week that it was behind the MGM Resorts hack; analysts believe it supplied the ransomware and attack tooling used in the Scattered Spider operation.
David Bradbury of identity security firm Okta said such a collaboration is typical for cybercriminals: ALPHV provides technical services to different hacking groups in exchange for a percentage of what those groups extort.
According to a report by Mandiant Intelligence, Scattered Spider, tracked as UNC3944, is a financially motivated, organized group that relies heavily on social engineering, including phone-based phishing (vishing) campaigns, to obtain its victims' credentials and then launch intrusions.
There are few details about the group's location or identity, but CrowdStrike, which analyzed the criminals' conversations with victims and evidence from breach investigations, found that the group's members were between 17 and 22 years old. Mandiant estimates that most of them are from Western countries, but it is unclear how many people are involved.
Members of Scattered Spider range in age from 17 to 22 years, according to experts (Medgerny)
Beginnings and how it evolved
The group operates in closed online communities, uses the Telegram messaging app, and its first activities were reported in 2022. The Mandiant Intelligence report also shows that Scattered Spider initially carried out SIM-swapping attacks in support of follow-on attacks by other groups.
By mid-2023 the group had shifted to deploying ransomware against victims, signaling an expansion of its monetization strategy. The report notes that the changes in its ultimate targets suggest the range of industries Scattered Spider attacks will continue to broaden.
Mandiant has also directly observed this expansion recently: the group now targets the hospitality, retail, media and entertainment sectors, as well as financial services.
Does Scattered Spider seem to be everywhere? The scope of their intrusions since March 2022 from a @CrowdStrike perspective is pretty broad. They use social engineering, living off the land, and RMM tools before deploying ransomware or conducting extortion. pic.twitter.com/fP3Z1Mj0mW
— adam_cyber (@Adam_Cyber) September 15, 2023
How Scattered Spider works
The group is known for its persistence and creativity, which lets it increasingly and effectively target cloud resources that are difficult to monitor.
In Scattered Spider's case, the hackers impersonated an employee of the company they intended to attack, contacted the IT help desk, claimed to have lost access to their account, and asked the help desk staff to reset or hand over their login details.
Notably, the hackers already had enough information about the employee to convince the help desk to assist them. Once they had access, they quickly found their way to the company's most sensitive data and stole it for extortion.
Before contacting help desks, the hackers obtained employee information, including passwords, through social engineering, especially SIM swapping, a technique in which they trick a carrier's customer-service representative into reassigning a victim's phone number to a device the attackers control, so that SMS one-time codes and password-reset links are delivered to them instead of the employee, analysts say.
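The sequence above (help-desk reset, then enrollment of a new MFA factor, then a login from somewhere the account has never been seen) is something a defender can look for in identity-provider logs. The following Python script is an added example, not code from the article or from any of the firms it quotes. It uses a simplified, hypothetical event schema (`ts`, `user`, `event`, `src`, `actor`) and constructed sample events rather than any vendor's real log format, and the account names, addresses and 60-minute window are assumptions chosen for illustration.

```python
"""Flag help-desk-initiated MFA or password resets that are followed, within a
short window, by enrollment of a new MFA factor AND a successful login from a
source address the account had never used before the reset.

Added example. The event schema below is a simplified, hypothetical IdP-style
log (not any vendor's real format) and the events are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event types that mean "a help-desk operator reset something for this user".
RESET_EVENTS = {"helpdesk.mfa_reset", "helpdesk.password_reset"}

# Constructed sample events (hypothetical schema). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    # alice: normal logins from the office network, then a help-desk MFA reset
    # followed minutes later by a new factor and a login from an unseen address.
    {"ts": "2023-09-01T09:00:00", "user": "alice", "event": "login.success", "src": "10.1.0.5", "actor": "alice"},
    {"ts": "2023-09-08T09:05:00", "user": "alice", "event": "login.success", "src": "10.1.0.5", "actor": "alice"},
    {"ts": "2023-09-11T14:02:00", "user": "alice", "event": "helpdesk.mfa_reset", "src": "", "actor": "helpdesk.dan"},
    {"ts": "2023-09-11T14:05:00", "user": "alice", "event": "mfa.factor_enrolled", "src": "203.0.113.7", "actor": "alice"},
    {"ts": "2023-09-11T14:07:00", "user": "alice", "event": "login.success", "src": "203.0.113.7", "actor": "alice"},
    # bob: a help-desk reset too, but the new factor and login come from his usual address.
    {"ts": "2023-09-01T08:30:00", "user": "bob", "event": "login.success", "src": "10.1.0.9", "actor": "bob"},
    {"ts": "2023-09-11T10:00:00", "user": "bob", "event": "helpdesk.mfa_reset", "src": "", "actor": "helpdesk.dan"},
    {"ts": "2023-09-11T10:03:00", "user": "bob", "event": "mfa.factor_enrolled", "src": "10.1.0.9", "actor": "bob"},
    {"ts": "2023-09-11T10:04:00", "user": "bob", "event": "login.success", "src": "10.1.0.9", "actor": "bob"},
    # carol: a login from a new address, but hours after the reset and with no new factor.
    {"ts": "2023-09-01T08:00:00", "user": "carol", "event": "login.success", "src": "10.1.0.12", "actor": "carol"},
    {"ts": "2023-09-11T09:00:00", "user": "carol", "event": "helpdesk.password_reset", "src": "", "actor": "helpdesk.eve"},
    {"ts": "2023-09-11T16:00:00", "user": "carol", "event": "login.success", "src": "198.51.100.4", "actor": "carol"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of one event."""
    return datetime.fromisoformat(event["ts"])


def find_helpdesk_takeovers(events, window=timedelta(minutes=60)):
    """Return one alert per help-desk reset that is followed, within `window`,
    by both a new MFA factor enrollment and a successful login from a source
    address the account had never logged in from before that reset."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        seen_sources = set()  # addresses this account logged in from so far
        for i, ev in enumerate(evs):
            if ev["event"] == "login.success":
                seen_sources.add(ev["src"])
            if ev["event"] not in RESET_EVENTS:
                continue
            deadline = _ts(ev) + window
            new_factor = None
            new_src_login = None
            # Only look at events inside the window after this reset; seen_sources
            # is not updated here, so it reflects the account's history before it.
            for later in evs[i + 1:]:
                if _ts(later) > deadline:
                    break
                if later["event"] == "mfa.factor_enrolled" and new_factor is None:
                    new_factor = later
                if (later["event"] == "login.success"
                        and later["src"] not in seen_sources
                        and new_src_login is None):
                    new_src_login = later
            if new_factor and new_src_login:
                alerts.append({
                    "user": user,
                    "reset_by": ev["actor"],
                    "reset_at": ev["ts"],
                    "new_factor_at": new_factor["ts"],
                    "login_at": new_src_login["ts"],
                    "login_src": new_src_login["src"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_takeovers(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only `alice` is flagged: `bob`'s reset looks like a legitimate re-enrollment from his usual network, and `carol`'s new-address login falls outside the window and has no new factor attached. The rule is deliberately narrow (all three signals must coincide) so that routine help-desk tickets do not page anyone; in practice the "unseen source" test would compare networks or ASNs rather than exact addresses, and the reset itself should already have required an out-of-band identity check before the operator acted on it.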
Members of Scattered Spider also appear to have studied how large organizations, including their vendors and contractors, operate in order to identify highly privileged individuals to target, according to analysts.
Okta's chief security officer David Bradbury disclosed last month that the company had found several Okta customers, including MGM, had been breached by Scattered Spider. Okta provides identity services, such as multi-factor authentication, that help users sign in securely to applications and websites.
"It's clear that the hackers took our online courses and clearly studied our product and how we work. That's something we've never seen before," Bradbury said.
Scattered Spider's attacks wreaked havoc on two of Las Vegas' biggest casino operators (Reuters)
Security experts and a game of cat and mouse
Wendi Whitmore, senior vice president of Palo Alto Networks' threat intelligence team, says ransomware attacks are not new, but this group is highly skilled at social engineering and has succeeded in getting past multi-factor authentication.
"They are far more sophisticated than many cybercrime actors," Whitmore said. "They appear to be disciplined and organized in their attacks. This is something we see frequently with state actors, not ordinary cybercriminals."
Whitmore also compared Scattered Spider to Lapsus$, another group that was behind previous hacks of Okta and tech giant Microsoft, saying, "In some ways this resembles an old cat-and-mouse game."
Behind the scenes, the hackers have hit several other companies, according to analysts tracking the breaches, and cybersecurity specialists expect the attacks to continue.
Adam Meyers, senior vice president of threat intelligence at CrowdStrike, said his company has tracked 52 attacks by the group worldwide since March 2022, from Canada to Japan, most of them in the United States.
Google-owned intelligence firm Mandiant has recorded more than 100 intrusions by the group over the past two years, hitting almost every industry from telecommunications to finance, hospitality and media.
Mandiant founder Kevin Mandia said: "It's not just the scale and scope of the attacks that make this group interesting. They are very skilled in what they do and cruel in their dealings with victims."
Mandia found that the speed with which they move through a company's systems and exfiltrate its data can outpace security response teams, and that they have left threatening notes for employees of victim companies.
In some cases, which Mandia did not name, hackers linked to Scattered Spider made fake emergency calls to summon heavily armed police units to the homes of targeted corporate executives.
Mandia described the technique, called swatting, as "absolutely horrific to live through as a victim. I don't think these operations are about money. I think it's about showing power, influence and notoriety. This makes it more difficult to respond to them."
Ransomware gangs often operate like large organizations and continually develop their methods to adapt to the latest security measures that organizations deploy.