The US Department of Justice (DoJ) recently dealt a significant blow to cybercrime by indicting five alleged members of the Scattered Spider Group, accused of orchestrating a multi-million-dollar phishing and hacking spree. The group is accused of stealing at least $11 million in cryptocurrency, along with sensitive data, from at least 45 companies across the US, Canada, India, and the UK between September 2021 and April 2023. The five are charged with conspiracy to commit wire fraud, conspiracy, and aggravated identity theft; one of them, Tyler Buchanan, is additionally charged with wire fraud.
What is Scattered Spider Group?
Scattered Spider is a financially motivated cybercriminal group that has gained notoriety for its social engineering tradecraft and its fluency in cloud and identity environments (SSO, MFA, help-desk workflows). Unlike most ransomware operators, it does not rely on novel exploits; it talks its way in. The group has been active since at least 2022 and primarily comprises young individuals aged 19 to 22, based in the United States and the United Kingdom. Scattered Spider is also tracked under other aliases, including Starfraud, UNC3944, Scatter Swine, Muddled Libra, 0ktapus, and Octo Tempest.
Its financial motivation is evident in its targeting of high-value organizations, its varied monetization methods (cryptocurrency theft, data extortion, and ransomware deployment), and the way it has adapted its techniques to keep those methods working.
Tactics Used by Them
Social engineering is the foundation of Scattered Spider's attack methodology: instead of exploiting software, the actors exploit the people and processes around identity, in particular help desks, MFA enrolment, and mobile carriers. This lets them bypass technical controls that were never designed to withstand an attacker who can convincingly impersonate an employee.
The preferred tactics of Scattered Spider hackers include:
- Phishing and smishing: The group runs phishing campaigns over email and SMS, typically using victim-specific lookalike domains for the target's SSO or service-desk portal (the CISA/FBI advisory cites patterns such as victimname-sso[.]com, victimname-servicedesk[.]com, and victimname-okta[.]com).
- Vishing: The actors pose as IT or help-desk staff and phone employees to extract credentials or talk them into actions that weaken security, such as installing remote-access tools.
- MFA bombing (push fatigue): Attackers repeatedly trigger MFA push notifications, hoping the user eventually approves one just to make the prompts stop.
- SIM swapping: The group convinces cellular carriers to port a target's phone number to a SIM they control, so that SMS one-time codes and password-reset messages arrive with the attacker instead of the victim.
- Impersonation: Scattered Spider members mimic legitimate IT personnel, often using information stolen or scraped beforehand (names, employee IDs, managers, recent tickets) to answer security questions convincingly.
- Credential theft: Through these methods they obtain usernames, passwords, and even live one-time passwords (OTPs) for MFA.
- Help desk manipulation: The reverse of vishing employees, they call the help desk pretending to be an employee and ask for a password reset or a new MFA device. Once the help desk re-enrols the attacker's device, MFA is no longer an obstacle for that account.
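Two of the tactics above leave distinctive traces in identity-provider logs: push fatigue produces a burst of denied or unanswered prompts followed by an approval, and help-desk manipulation or SIM swapping produces an MFA factor reset followed shortly by a login from an address the user has never used. The following detection logic is an added example written for this article, not code from Scattered Spider investigations or from any vendor. The log lines are constructed for the example, and the field names (ts, user, event, result, ip, actor) are an assumed generic schema rather than a real product's format; map them to your own identity provider's fields.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs). The schema is assumed.
SAMPLE_LOG = """
{"ts":"2024-11-20T02:10:05Z","user":"alice","event":"mfa.push","result":"DENY","ip":"203.0.113.7"}
{"ts":"2024-11-20T02:10:41Z","user":"alice","event":"mfa.push","result":"TIMEOUT","ip":"203.0.113.7"}
{"ts":"2024-11-20T02:11:13Z","user":"alice","event":"mfa.push","result":"DENY","ip":"203.0.113.7"}
{"ts":"2024-11-20T02:11:50Z","user":"alice","event":"mfa.push","result":"DENY","ip":"203.0.113.7"}
{"ts":"2024-11-20T02:12:30Z","user":"alice","event":"mfa.push","result":"APPROVE","ip":"203.0.113.7"}
{"ts":"2024-11-20T09:00:00Z","user":"bob","event":"mfa.push","result":"APPROVE","ip":"198.51.100.4"}
{"ts":"2024-11-20T14:05:00Z","user":"carol","event":"mfa.factor.reset","result":"SUCCESS","ip":"192.0.2.9","actor":"helpdesk1"}
{"ts":"2024-11-20T14:20:00Z","user":"carol","event":"login","result":"SUCCESS","ip":"203.0.113.55"}
{"ts":"2024-11-20T14:21:00Z","user":"carol","event":"mfa.sms","result":"APPROVE","ip":"203.0.113.55"}
{"ts":"2024-11-18T10:00:00Z","user":"dave","event":"mfa.factor.reset","result":"SUCCESS","ip":"192.0.2.9","actor":"helpdesk2"}
{"ts":"2024-11-20T11:00:00Z","user":"dave","event":"login","result":"SUCCESS","ip":"192.0.2.20"}
"""

REJECTED = {"DENY", "TIMEOUT"}  # prompts the user refused or ignored


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag users with >= min_rejections rejected/ignored pushes inside `window`.

    approved_after is True when a push was approved after those rejections, i.e.
    the user gave in: that is the case to escalate immediately.
    """
    pushes = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa.push":
            pushes[ev["user"]].append(ev)
    findings = []
    for user, evs in pushes.items():  # evs is already time-ordered
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            rejections = [e for e in in_window if e["result"] in REJECTED]
            if len(rejections) < min_rejections:
                continue
            approved_after = any(
                e["result"] == "APPROVE" and e["ts"] > rejections[0]["ts"] for e in in_window
            )
            findings.append({
                "user": user,
                "first_ts": start["ts"].isoformat(),
                "rejections": len(rejections),
                "approved_after": approved_after,
                "severity": "high" if approved_after else "medium",
            })
            break  # one finding per user is enough to open a case
    return findings


def detect_factor_reset_then_login(events, window=timedelta(hours=24)):
    """Flag a successful login from an IP the user never used before, within
    `window` after an MFA factor reset (help-desk reset or SIM-swap re-enrolment)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa.factor.reset" or ev["result"] != "SUCCESS":
            continue
        user = ev["user"]
        # IPs this user was seen from before the reset (the reset itself is often
        # performed by the help desk, so it is excluded from the user's history).
        known_ips = {e["ip"] for e in events[:i]
                     if e["user"] == user and e["event"] != "mfa.factor.reset"}
        for later in events[i + 1:]:
            if later["user"] != user or later["event"] != "login" or later["result"] != "SUCCESS":
                continue
            if later["ts"] - ev["ts"] > window:
                break  # events are sorted, so nothing later is inside the window
            if later["ip"] not in known_ips:
                findings.append({
                    "user": user,
                    "reset_ts": ev["ts"].isoformat(),
                    "reset_by": ev.get("actor"),
                    "login_ts": later["ts"].isoformat(),
                    "login_ip": later["ip"],
                })
                break
    return findings


def run_detections(text):
    """Run both detections over a log and return the combined findings."""
    events = parse_events(text)
    return {
        "push_fatigue": detect_push_fatigue(events),
        "reset_then_new_ip": detect_factor_reset_then_login(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_LOG), indent=2))
```

On the sample data only alice (four rejected pushes, then an approval) and carol (factor reset, then a login from a never-seen address fifteen minutes later) are flagged; bob's single approval and dave's login two days after his reset are not. The thresholds are deliberately conservative; tune the window and rejection count to your own baseline, and enrich the factor-reset finding with the help-desk ticket that authorised it, because a reset with no matching ticket is the strongest signal of a social-engineered help desk.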
Recent Updates on Scattered Spider Threat Actors
The U.S. Department of Justice has recently indicted five individuals believed to be members of the Scattered Spider Group. The suspects are charged with conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. They are:
- Ahmed Hossam Eldin Elbadawy, 23, of Texas
- Noah Michael Urban, 20, of Florida
- Evans Onyeaka Osiebo, 20, of Texas
- Joel Martin Evans, 25, of North Carolina
- Tyler Robert Buchanan, 22, of the United Kingdom
The latest key developments in the arrests are as follows:
- Evans was arrested on November 19, 2024, in North Carolina.
- A 17-year-old UK suspect linked to the group was arrested in July 2024
- Buchanan was apprehended in Spain in June 2024 and awaits extradition. He faces an additional wire fraud charge.
- Urban was arrested in January 2024 and faces additional charges related to SIM-swapping attacks.
Potential Ramifications
The charges against the Scattered Spider hackers highlight the increasing focus of law enforcement on cybercrime, and may deter young individuals from joining such groups. If convicted, the four US-based defendants each face a statutory maximum of 27 years in federal prison (20 years for conspiracy to commit wire fraud, five for conspiracy, and a mandatory consecutive two years for aggravated identity theft). Buchanan, described in the indictment coverage as the alleged ringleader, faces up to a further 20 years on the additional wire fraud count.
The arrests may disrupt Scattered Spider's operations, since much of the group's value lies in the individual operators' social engineering skill and knowledge of cloud environments. However, the group's loose structure and its alliances with other cybercrime entities, including Russian-speaking ransomware-as-a-service operations, mean that other members can continue operating, and that fluid structure will keep complicating attribution and investigation.
Damages Caused by the Scattered Spider Group
Scattered Spider has caused significant damage across various industries. In telecommunications, the group targeted mobile carrier networks to execute SIM swapping attacks. The casinos and gambling sector faced severe disruptions, with Caesars Entertainment and MGM Resorts incurring millions in losses. Large tech companies such as Okta, Coinbase, Riot Games, and Reddit were also victims, alongside pivotal players in financial services. Additionally, Scattered Spider targeted companies in the business process outsourcing (BPO) sector and organizations within critical infrastructure, such as healthcare, demonstrating their broad and destructive reach.
The group has caused extensive financial losses, data breaches, and operational disruptions across these industries. Their sophisticated social engineering tactics and ability to navigate cloud environments have allowed them to compromise high-value targets and exfiltrate sensitive data, often threatening to release it unless ransoms are paid.
Attacks on VMware Servers
Cybercriminals and threat actors frequently target VMware servers because hypervisors are ubiquitous in enterprise environments and encrypting one host takes down every virtual machine on it. The history of attacks on VMware servers includes several notable incidents and vulnerabilities:
- CVE-2021-21974 (2021): A heap-overflow remote code execution vulnerability in VMware ESXi's OpenSLP service, widely exploited by ransomware groups against hosts with the SLP service exposed.
- ESXiArgs Ransomware Campaign (2023): A global ransomware campaign that hit thousands of organizations running unpatched ESXi versions by exploiting CVE-2021-21974, two years after the patch was released.
- CVE-2023-20887 (2023): A command-injection vulnerability in VMware Aria Operations for Networks; VMware warned customers that it was being exploited in the wild.
- CVE-2023-34048 (2023): A critical vCenter Server out-of-bounds write leading to remote code execution; it was patched in October 2023 and later confirmed to have been under active exploitation.
- Ransomware Group Targeting (Ongoing): Ransomware groups including Royal, Black Basta, LockBit, RTM Locker, Qilin, Monti, and Akira, as well as the ESXiArgs campaign, directly target VMware ESXi servers with Linux-based encryptors.
These attacks highlight the ongoing security challenges faced by VMware and its users, emphasizing the importance of prompt patching and robust security measures for VMware environments. Two practical checks follow from the list: disable the SLP service on ESXi hosts that do not need it (VMware's guidance is in KB 76372), and never expose the ESXi management interface or vCenter directly to the internet. The relevance to Scattered Spider is direct: after exfiltrating data, the group has been observed deploying BlackCat/ALPHV ransomware against victims' VMware ESXi hypervisors, which is how the MGM intrusion described below turned from a data theft into an outage.
Scattered Spider is notorious for its attacks on the hospitality and entertainment sectors. The best-documented example is the September 2023 attack on MGM Resorts, where the group used voice phishing and employee impersonation to gain initial access, causing widespread disruption and significant financial losses. The following section covers the specifics of that attack and its implications for businesses.
The Las Vegas MGM Cyber Attack
The MGM Cyber Attack in Las Vegas was a significant cybersecurity incident that affected MGM Resorts International, a major gaming and entertainment conglomerate. The attack on MGM was reported on September 11, 2023, when the company disclosed a "cybersecurity issue" impacting some of its U.S. systems.
Scattered Spider, an affiliate of the ransomware-as-a-service group BlackCat (ALPHV), claimed responsibility for the breach. Using social engineering tactics, the group infiltrated MGM's computer systems, prompting a 10-day shutdown of affected systems to protect data. The incident disrupted operations at major MGM hotels, including the Bellagio, and resulted in the theft of approximately 6 terabytes of data.
The company estimated a negative impact of about $100 million on Adjusted Property EBITDAR for its Las Vegas Strip Resorts and Regional Operations, plus less than $10 million in one-time expenses for technology consulting, legal fees, and other third-party advisors engaged for the response.
The MGM cyberattack compromised personal information, including names, contact details, driver's license numbers, Social Security numbers, and passport numbers for some customers who had transacted with MGM before March 2019, though no bank account or payment card information was accessed. MGM refused to pay the ransom and instead provided free credit monitoring services and loyalty rewards to affected customers.
By October 5, CEO Bill Hornbuckle announced that most MGM systems were back online and the attack was contained. The FBI is investigating the incident, which led to a more than 6% drop in MGM's share price and federal lawsuits against the company.
This incident highlights the vulnerability of large corporations to ransomware attacks and the importance of robust cybersecurity measures, especially against social engineering tactics.
How Businesses Can Stay Safe from Scattered Spider
Scattered Spider is not a ransomware strain but an intrusion crew that deploys other groups' ransomware (notably BlackCat/ALPHV) once inside. Defending against it therefore means hardening the identity and help-desk processes it abuses, as well as the usual ransomware resilience measures. Businesses should implement the following:
1. Employee Training and Help-Desk Procedures:
- Focus on social engineering awareness, with phone-based pretexting (vishing) treated as seriously as email phishing.
- Educate employees to recognize suspicious emails, phone calls, and unexpected MFA prompts, and to report a prompt they did not initiate rather than simply deny it.
- Give help-desk staff a strict identity-verification procedure for password and MFA resets (for example, a callback to a number already on file plus manager approval), because this is the exact process Scattered Spider targets.
- Conduct regular phishing and vishing simulations to test and improve employee vigilance.
- For more information on phishing attacks and how to prevent them, refer to Sangfor's comprehensive guide on phishing.
2. Multi-Factor Authentication (MFA):
- Enforce MFA on all accounts, especially privileged users and remote access, so that a stolen password alone is not enough.
- Prefer phishing-resistant factors (FIDO2 security keys or passkeys) over SMS codes and simple push approval, since SIM swapping defeats SMS and push bombing defeats one-tap approval. Where push remains, enable number matching and limit the number of prompts a user can receive in a short period.
- Learn more about the importance of two-factor authentication and its implementation.
3. Vulnerability Management:
- Apply security patches promptly on critical systems, with hypervisors, vCenter, VPN gateways, and identity infrastructure at the front of the queue.
- Conduct frequent vulnerability assessments and remediate identified weaknesses quickly to minimize the attack surface available once an actor has a foothold.
4. Data Backups and Disaster Recovery Plans:
- Maintain secure, offline or immutable backups, including backups of virtual machines and the hypervisor configuration, to enable recovery from a ransomware attack without paying.
- Test restores regularly; a backup that has never been restored is an assumption, not a plan.
- Implement a robust disaster recovery solution to ensure business continuity.
- Sangfor offers comprehensive disaster recovery solutions to protect your critical data and systems.
5. Endpoint Detection & Response (EDR):
- Use EDR to detect and respond to malicious activity on endpoints, and extend visibility to identity-provider and help-desk logs, where Scattered Spider's early activity (new MFA enrolments, push floods, password resets) actually shows up.
- Alert on installation of remote monitoring and management (RMM) tools that are not on the approved list, a common post-access step for this group.
- Sangfor's EDR solution provides advanced threat detection and response capabilities.
6. Incident Response Plan:
- Keep a documented, rehearsed plan for ransomware incidents covering containment, eradication, and recovery, including how to operate if the identity provider itself must be taken offline.
- Sangfor offers incident response services to help organizations prepare for and respond to cyber incidents.
Key Observations
Scattered Spider is a sophisticated cybercriminal group that has gained notoriety for its advanced social engineering tactics and financially motivated attacks. The group, believed to comprise individuals aged 19-22 from the United States and United Kingdom, has been active since 2022. The group's high-profile attacks, such as those on Caesars Entertainment and MGM Resorts International, demonstrate their capability to cause significant financial and operational damage.
Staying vigilant is crucial in the face of such evolving threats. Organizations must recognize that even young threat actors can execute sophisticated attacks when their social engineering is good enough, and that the weak points they exploit are processes rather than software. The surge in ransomware attacks, particularly in healthcare, where they are reported to have increased by 300% since 2015, underscores the urgency of robust cybersecurity measures. CISA (Cybersecurity and Infrastructure Security Agency) and the FBI (Federal Bureau of Investigation) have issued a joint cybersecurity advisory detailing Scattered Spider's techniques and the mitigations that counter them.
Proactive security measures significantly reduce ransomware risk. By hardening identity and help-desk processes alongside conventional controls, organizations can better protect themselves against the evolving tactics of groups like Scattered Spider and reduce the risk of falling victim to costly cyberattacks.