Threat intelligence analysts, incident responders, and federal law enforcement alike seem to know all about the threat group with an array of monikers: The Com, Scattered Spider, Muddled Libra, UNC3944, Starfraud, and Octo Tempest, among others. So why is the group (which was behind the MGM Resorts and Caesars Entertainment hacks) still successfully attacking US organizations with impunity, with no disruptions to date?
This week, reports confirmed that federal law enforcement is well aware of the identities of the cybercrime group, which is made up of native English speakers, yet has not been able to make any arrests. In fact, sources confirmed to Reuters that law enforcement has known the identities of the Scattered Spider hacking collective for more than six months.
Cybersecurity threat hunters like CrowdStrike's president Michael Sentonas struck a decidedly baffled tone, noting that the fact that the ransomware group is still operational and causing "havoc" is a "failure of law enforcement."
The feds did offer some response: On Nov. 16, the FBI and CISA released an advisory on Scattered Spider, providing indicators of compromise (IoCs) and additional details to help enterprise security teams defend their networks.
"FBI and CISA recommend organizations implement the mitigations below to improve your organization's cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors," the advisory said. It included a list of recommendations, including application controls, remote access tool auditing, and implementing FIDO/WebAuthn authentication or public key infrastructure (PKI)-based multifactor authentication (MFA).
While the advisory is helpful, some note that it doesn't answer why, with so much information available about the group's cybercrimes, members of the ransomware group haven't simply been arrested or, at the very least, had their operation disrupted.
Like most things sitting at the intersection of corporate America and law enforcement, many of the details remain protected in secrecy. However, the effects of the group running rampant through public company networks like MGM Resorts are well known.
"UNC3944 is one of the most prevalent and aggressive threat actors impacting organizations in the United States today," says Charles Carmakal, Mandiant Consulting CTO at Google Cloud. "They are incredibly disruptive."
And the group appears to be committing cybercrimes with impunity all the time, even branching out into threats of physical violence. Microsoft researchers explained in their analysis of the group, which they call Octo Tempest, that it uses fear for personal safety to pressure victims into paying.
"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts," Microsoft's Incident Response and Threat Intelligence teams said in their report. "These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."
The sheer volume of details published by analysts about the group is dizzying. Scattered Spider was first flagged back in 2022 when it would leverage the Oktapus phishing kit to steal credentials. The group successfully dallied in SIM swaps but seems to have hit its stride in mid-2023, when it became an affiliate of the ransomware-as-a-service provider BlackCat, aka Alphv.
Steadily ramping up their skills, the group's members eventually added a clever new social engineering angle: calling into help desks to reset credentials and take over verified accounts as an initial foothold into target environments. That's the gambit the Scattered Spider crew ultimately used to compromise MGM Resorts and hobble Las Vegas Strip operations for more than a week, running up losses in the hundreds of millions of dollars for MGM Resorts alone. The group simultaneously breached Caesars and quickly negotiated a $15 million ransom payment.
Mandiant's Carmakal says that the group should see more scrutiny in the wake of those two incidents: "They have recently gained a lot of attention because of their recent targeting of hospitality and entertainment organizations."
Federal authorities aren't sharing any details of the investigation into Scattered Spider, but cybersecurity industry insiders suspect traditional law enforcement entities like the FBI are having a hard time adapting to chasing cybercriminals.
"Law enforcement is more accustomed to working groups with more structure and organization, and are struggling with the return of more chaotic and loosely coupled threat actors," Bugcrowd founder Casey Ellis says.
In fact, the FBI's inability to disrupt hacking groups like Scattered Spider could be an issue for some time to come, according to Callie Guenther, senior manager at Critical Start.
"The FBI's struggle to contain this group also highlights the broader challenges faced by law enforcement in the digital age," Guenther says. "The case of 'Scattered Spider' is indicative of a new era of cyber threats where criminal groups employ aggressive tactics, including threats of physical violence. This escalation in criminal strategies requires an equally robust and innovative response from law enforcement and cybersecurity experts."
For now, it appears it's up to individual enterprise teams to stop Scattered Spider from hobbling their networks. In the meantime, the cybersecurity community will continue to collect details on their exploits and wait for arrests.
The rest is here:
Scattered Spider Casino Hackers Evade Arrest in Plain Sight - Dark Reading