Scattered Spider Casino Hackers Evade Arrest in Plain Sight

The feds seem to know all about the hacking group brazenly breaking into corporate networks, so why are enterprise teams left on their own to stop its cybercrimes?

Threat intelligence analysts, incident responders, and federal law enforcement all seem to know about the threat group with an array of monikers: The Com, Scattered Spider, Muddled Libra, UNC3944, Starfraud, and Octo Tempest, among others. So why is the group (which was behind the MGM Resorts and Caesars Entertainment hacks) still successfully attacking US organizations with impunity, with no disruptions to date?

This week, reports confirmed that federal law enforcement is well aware of the identities of the cybercrime group, which is made up of native English speakers, yet has not been able to make any arrests. In fact, sources confirmed to Reuters that law enforcement has known the identities of the Scattered Spider hacking collective for more than six months.

Cybersecurity threat hunters like CrowdStrike's president Michael Sentonas struck a decidedly baffled tone, noting that the fact that the ransomware group is still operational and causing "havoc" is a "failure of law enforcement."

FBI Advisory on Scattered Spider

The feds did offer some response: On Nov. 16, the FBI and CISA released an advisory on Scattered Spider, providing indicators of compromise (IoCs) and additional details to help enterprise security teams defend their networks.

"FBI and CISA recommend organizations implement the mitigations below to improve your organization’s cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors," the advisory said. It included a list of recommendations, including application controls, remote access tool auditing, and implementing FIDO/WebAuthn authentication or public key infrastructure (PKI)-based multifactor authentication (MFA).

While helpful, the advisory doesn't answer why, if there's so much information about the group's cybercrimes, members of the ransomware group haven't simply been arrested or, at the very least, had their operation disrupted, some note.

Hackers Getting More Aggressive With Threats of Violence

Like most things sitting at the intersection of corporate America and law enforcement, many of the details remain protected in secrecy. However, the effects of the group running rampant through public company networks like MGM Resorts are well known.

"UNC3944 is one of the most prevalent and aggressive threat actors impacting organizations in the United States today," says Charles Carmakal, Mandiant Consulting CTO at Google Cloud. "They are incredibly disruptive."

And the group appears to be committing cybercrimes with impunity all the time, even branching out into threats of physical violence. Microsoft researchers explained in their analysis of the group, which they call Octo Tempest, that it uses fear for personal safety to pressure victims into paying.

"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts," Microsoft's Incident Response and Threat Intelligence teams said in their report. "These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."

Mountains of Data on Scattered Spider

The sheer volume of details published by analysts about the group is dizzying. Scattered Spider was first flagged back in 2022, when it leveraged the Oktapus phishing kit to steal credentials. The group successfully dallied in SIM swaps but seems to have hit its stride in mid-2023, when it became an affiliate of the ransomware-as-a-service provider BlackCat, aka Alphv.

Steadily ramping up their skills, the group's members eventually added a clever new social engineering angle: calling into help desks to reset credentials and take over verified accounts as an initial foothold into target environments. That's the gambit the Scattered Spider crew ultimately used to compromise MGM Resorts and hobble Las Vegas Strip operations for more than a week, running up losses in the hundreds of millions of dollars for MGM Resorts alone. The group simultaneously breached Caesars and quickly negotiated a $15 million ransom payment.

Mandiant's Carmakal says that the group should see more scrutiny in the wake of those two incidents: "They have recently gained a lot of attention because of their recent targeting of hospitality and entertainment organizations."

Law Enforcement Grapples With Cybercrime

Federal authorities aren't sharing any details of the investigation into Scattered Spider, but cybersecurity industry insiders suspect traditional law enforcement entities like the FBI are having a hard time adapting to chasing cybercriminals.

"Law enforcement is more accustomed to working groups with more structure and organization, and are struggling with the return of more chaotic and loosely coupled threat actors," Bugcrowd founder Casey Ellis says.

In fact, the FBI's inability to disrupt hacking groups like Scattered Spider could be an issue for some time to come, according to Callie Guenther, senior manager at Critical Start.

"The FBI's struggle to contain this group also highlights the broader challenges faced by law enforcement in the digital age," Guenther says. "The case of 'Scattered Spider' is indicative of a new era of cyber threats where criminal groups employ aggressive tactics, including threats of physical violence. This escalation in criminal strategies requires an equally robust and innovative response from law enforcement and cybersecurity experts."

For now, it appears it's up to individual enterprise teams to stop Scattered Spider from hobbling their networks. In the meantime, the cybersecurity community will continue to collect details on their exploits and wait for arrests.

About the Author

Becky Bracken, Senior Editor, Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.