Look out, Scattered Spider. FBI pumps 'significant' resources into snaring data-theft crew

Absence of arrests doesn't mean nothing's happening, cyber-cops insist

The FBI is applying "significant" resources to find members of the infamous Scattered Spider cyber-crime crew, which seemingly attacked a couple of high-profile casinos a few months ago and remains active, according to a senior bureau official.

The gang, a loose-knit group of teens and early-20s males thought to be based in the US and UK, is believed to be responsible for network intrusions at Caesars Entertainment and MGM Resorts.

Scattered Spider, like other online extortionists, breaks into the IT environments of victims, exfiltrates as much valuable data as possible, and then demands payment to keep a lid on that info and not leak or sell it.

MGM Resorts, which refused to pay the gang's ransom demand, suffered days of system outages and disrupted operations as a result of the intrusion, costing the corporation about $100 million. Caesars reportedly paid about $15 million, and didn't appear to suffer the same level of downtime as its fellow casino giant.

Scattered Spider has broken into at least 100 other organizations as of September 2023, according to Mandiant.

While the FBI wouldn't specify how many organizations have been caught in Scattered Spider's web, a senior FBI official told reporters during a Thursday press briefing that the agency is making "a significant effort on our part to address them, and we're putting significant resources against it."

"We urge organizations to share any information they may have on Scattered Spider, such as communication with actor groups, or benign samples of encrypted files, and report cyber intrusions," a senior US Cybersecurity and Infrastructure Security Agency (CISA) official said during the call with reporters. "It enables CISA and the FBI to assess the intrusion to identify techniques and share anonymous details broadly to help other organizations protect against this threat."

Also on Thursday, the FBI and CISA issued a joint advisory in response to the arachnid crew's criminal activity observed as recently as this month.

The advisory details social engineering tactics Scattered Spider uses to gain initial access to companies' networks. These include posing as IT or help-desk staff using phone calls or text messages to obtain login credentials from staffers or trick employees into running tools that grant the miscreants remote access to corporate computers.

Also in the guise of IT staff, the crew has convinced employees to reset their multi-factor authentication and pulled off repeated SIM swapping scams that convince cellular networks to transfer a target's phone number to a SIM card controlled by Scattered Spider. Once the gang controls that number, it can access MFA prompts and more easily compromise victim accounts.

Once the gang gains network access, the criminals use legitimate tools to find and exfiltrate sensitive info. Samples of the stolen data are then offered to the victim as evidence of the theft, with the intent of extorting seven-figure sums to stop the spread of the pilfered files. Earlier this year, the crew began deploying ransomware in victims' environments, and at this point they may be an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation.
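As an added defender-side illustration, not code from the advisory or the article, the check below correlates a help-desk-initiated MFA reset with a fresh factor enrollment and a sign-in from an IP the account had never used before, the sequence the help-desk impersonation and MFA-reset tactic above would leave in identity logs. The event names, field names and sample log are assumed and constructed for this example, not any real vendor's format.

```python
"""Flag help-desk MFA resets that are followed shortly by a new factor
enrollment and a sign-in from a previously unseen IP. Event shape and field
names are hypothetical, constructed for this example."""
from datetime import datetime, timedelta

# Constructed sample identity-provider audit log (one dict per event).
SAMPLE_EVENTS = [
    {"ts": "2023-11-16T09:02:00", "user": "alice", "event": "login", "ip": "203.0.113.5"},
    {"ts": "2023-11-16T13:10:00", "user": "alice", "event": "mfa_reset", "actor": "helpdesk"},
    {"ts": "2023-11-16T13:14:00", "user": "alice", "event": "mfa_enroll", "factor": "sms"},
    {"ts": "2023-11-16T13:20:00", "user": "alice", "event": "login", "ip": "198.51.100.77"},
    {"ts": "2023-11-16T10:00:00", "user": "bob", "event": "mfa_reset", "actor": "self"},
    {"ts": "2023-11-16T10:05:00", "user": "bob", "event": "mfa_enroll", "factor": "totp"},
    {"ts": "2023-11-16T10:07:00", "user": "bob", "event": "login", "ip": "203.0.113.9"},
]

def find_suspicious_resets(events, window=timedelta(hours=2)):
    """Return (user, reset_ts, new_ip) for each help-desk MFA reset that is
    followed within `window` by a factor enrollment and a login from an IP
    the user had not used before the reset. Self-service resets are ignored."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(
            {**e, "ts": datetime.fromisoformat(e["ts"])})
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "mfa_reset" or e.get("actor") != "helpdesk":
                continue
            # IPs seen on successful logins before the reset are the baseline.
            known_ips = {x["ip"] for x in evs[:i] if x["event"] == "login"}
            later = [x for x in evs[i + 1:] if x["ts"] - e["ts"] <= window]
            enrolled = any(x["event"] == "mfa_enroll" for x in later)
            new_ip_logins = [x["ip"] for x in later
                             if x["event"] == "login" and x["ip"] not in known_ips]
            if enrolled and new_ip_logins:
                hits.append((user, e["ts"].isoformat(), new_ip_logins[0]))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_resets(SAMPLE_EVENTS):
        print("ALERT help-desk MFA reset followed by new-device login:", hit)
```

On the constructed log only alice is flagged; bob's self-service reset followed by a login from a known range does not match the pattern.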

Victim reporting is critically important

"And the only way that we're able to push this information out is when we get it from victims," the senior FBI official said. "Victim reporting is critically important for our ability to take enforcement action against actors such as these."

Both the advisory and the press briefing come as the FBI faces criticism for not moving fast enough to arrest the criminals despite many of them being based in the US, and their identities potentially known to law enforcement, according to a Reuters report.

The FBI official declined to comment on the ongoing investigation into Scattered Spider gang members.

"Just because you don't see actions being taken, it doesn't mean that there aren't actions that are being taken," the official said, citing recent takedowns against the Hive ransomware gang, Genesis Market, BreachForums, and Qakbot.

"There's a lot of things that we do behind the scenes," the official said. ®
