Advertisement

U.S. officials urge more information sharing on prolific cybercrime group

An aggressive ransomware group has hit a series of prominent targets in recent months without any arrests being made.
Caesars Palace Hotel sits along Las Vegas Blvd, along the strip in Las Vegas, NV on Wednesday, April 30, 2014. (Photo by Sandy Huffaker/Corbis via Getty Images)

U.S. government officials are struggling to determine the full scope of hacking activity carried out by an aggressive group that has rocketed to public prominence after breaching two Las Vegas resort operators, U.S. law enforcement and cybersecurity officials said during a briefing with reporters Thursday.

Senior FBI officials declined to share details on the status of their investigation targeting a group known as Scattered Spider and said that the bureau needs more information from victims to properly understand breadth of the group’s operations. Analysts who follow the matter believe Scattered Spider includes people in America and the United Kingdom.

The FBI has known the identities of “at least a dozen members tied to the hacking group” for more than six months, Reuters reported Tuesday, and FBI officials bristled at criticism that the bureau is failing to take action against the group.

“Just because you don’t see actions being taken, it doesn’t mean there aren’t actions being taken,” a senior FBI official said on the call.

Advertisement

Officials on Thursday’s call urged targeted companies to share more information with law enforcement. The call coincided with an FBI and CISA joint advisory describing the techniques, tactics and procedures associated with the group behind the attacks, which industry researchers variously describe as Scattered Spider, UNC3944, Scatter Swine, and Muddled Libra.

While described as a group for ease of tracking, the activity emanates from an ecosystem of disparate, sometimes competing factions known as “the Com,” short for “community.” A subset of people in the Com are known to engage in a range of both cyber-related crimes but also physical violence for hire.

An October report from Microsoft detailed some of the more explicit threats of violence associated with the group, including threats related to victims’ family members and their homes.

The officials said there have been additional victims in the wake of the September attacks on MGM Resorts and Caesars Entertainment but declined to share a total number of targeted organizations or discuss how many of those organizations have shared information with the FBI. Victims are spread across the country and various field offices are involved in an investigation that officials described as centrally managed.

The FBI officials also declined to share any details on the extent to which Scattered Spider is working with ALPHV, an established ransomware operation believed to be based in Russia with a track record of successfully attacking dozens of entities around the world and extorting tens of millions of dollars from its victims.

Advertisement

The hackers involved in the Caesars and MGM attacks have been known to use ALPHV ransomware as part of extortion operations, and ALPHV claimed the attack on MGM on its website in September.

“It’s only natural that groups like this, who are revenue focused, are going to look at whatever other methods they can” to take money from victims, the official said Thursday. “Ransomware is one of those methods that can force a victim, at times, to make a payment. It’s a natural progression of any entity looking to take advantage of victims to their own benefit.”

Caesars reportedly paid roughly $15 million to the attackers, the Wall Street Journal reported at the time. MGM Resorts did not pay, but reported in federal filings that the attack would cost the company more than $100 million.

The FBI official said the agency still encourages victims of ransomware to not to pay. Proceeds from ransom payments are only going to end up as either profit for the attackers, the official said, or “reinvested into additional operations that target additional entities, to include, very often, the same victims who have already paid.”

AJ Vicens

Written by AJ Vicens

AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

Latest Podcasts