Scattered Spider
Nickname: UNC3944, Scatter Swine, Muddled Libra
Formation: c. May 2022
Type: Hacker group
Purpose: Ransomware, cyberattacks
Region: United States and United Kingdom
Methods: Social engineering, Ransomware as a service, Password cracking
Affiliations: ALPHV

Scattered Spider, also referred to as UNC3944, Scatter Swine or Muddled Libra,[1] is a hacking group mostly made up of individuals aged 19 to 22 as of September 2023. The group, whose name was first tagged by cybersecurity researchers, gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. Scattered Spider is believed to be primarily made up of operatives based in both the United States and the United Kingdom. This has not been substantiated.[2][3]

Early history

Scattered Spider is believed to have been founded in May 2022, when the group was focused on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram.[1] The group typically exploited the security bug CVE-2015-2291, a cybersecurity issue in Windows' anti-DoS software,[4] to terminate security software, allowing the group to evade detection. The group is believed to have a deep understanding of Microsoft Azure and the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and it utilizes legitimately developed remote-access tools.[1]

The group later became known for targeting critical infrastructure prior to moving on to its 2023 casino hacks.[5]

2023 casino hacks

Scattered Spider gained access to both Caesars' and MGM's internal systems through the use of social engineering. The group was able to bypass multi-factor authentication technologies by attaining login credentials and one-time passwords.[6][7] The group claims that it targeted MGM due to them catching the group attempting to rig slot machines in their favor.[8]

Caesars hack

Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half their original demand of $30 million. Scattered Spider, using similar tactics to its attack on MGM, was able to access driver's license numbers, and possibly Social Security numbers, for a "significant number" of Caesars customers.[2][9] Statements made by Caesars noted that while the company cannot guarantee the deletion of the information obtained by Scattered Spider, the casino operator will take all necessary actions to achieve that result.[2]

Sources disagree on whether Scattered Spider was the group that targeted Caesars: some believe it was the British-American group, while others say the perpetrators were not the group or are unknown.[10][11][8]

MGM Resorts hack

Scattered Spider collaborated with ALPHV, a software development team which provides ransomware as a service. Scattered Spider called MGM's help desk posing as an employee it found on LinkedIn to gain internal access. The group gained access on September 11, 2023.[6]

MGM Resorts first disclosed the cyberattack on September 12, 2023, in a Form 8-K report with the SEC the next day.[12][13] The company stated that though it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, including but not limited to those for credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking.[7]

Aftermath

MGM and the US FBI are presently investigating the cyberattack, and the casino operator temporarily took down its website.[3] Moody's Corporation has stated that due to MGM's heavy reliance on computers for much of its operations, its credit rating could go down as a result of the cyberattack.[5] Upon the announcement of both companies' attacks, the stock prices for both Caesars and MGM dropped.

Both MGM and Caesars were sued in class action lawsuits following the hacks, with all stating that the failure of both casino operators to adequately secure their data constituted breach of contract. The law firms' clients also all demanded jury trials.[14][15]

References

  1. "Scattered Spider: The Modus Operandi". www.trellix.com. Retrieved September 14, 2023.
  2. "Caesars Entertainment says it was also a victim of a cyberattack". NBC News. September 14, 2023. Retrieved September 14, 2023.
  3. Bracken, Becky (September 14, 2023). "'Scattered Spider' Behind MGM Cyberattack, Targets Casinos". Dark Reading. Retrieved September 14, 2023.
  4. "CVE-2015-2291 : (1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows all". www.cvedetails.com. Retrieved September 14, 2023.
  5. "MGM Resorts breached by 'Scattered Spider' hackers: Sources". Business Insurance. Retrieved September 14, 2023.
  6. Siddiqui, Zeba; Bing, Christopher (September 13, 2023). "MGM Resorts breached by 'Scattered Spider' hackers: sources". Reuters. Retrieved September 14, 2023.
  7. "Young hackers are sticking up Las Vegas casinos for hefty ransoms". Quartz. September 14, 2023. Retrieved September 14, 2023.
  8. Srivastava, Mehul (September 14, 2023). "MGM hack followed failed bid to rig slot machines, 'Scattered Spider' group claims". Financial Times. Retrieved September 15, 2023.
  9. "Caesars Entertainment says it was also a victim of a cyberattack". NBC News. September 14, 2023. Retrieved September 14, 2023.
  10. Murphy, Aislinn (September 13, 2023). "Caesars Entertainment reportedly paid ransomware demand". FOXBusiness. Retrieved September 15, 2023.
  11. Gendron, Will. "MGM Resorts is still suffering from a massive outage after a notorious group of young hackers apparently tricked workers into handing over access to the company's network". Business Insider. Retrieved September 15, 2023.
  12. "Investors - Financial Info - SEC Filings - SEC Filings Details". investors.mgmresorts.com.
  13. https://d18rn0p25nwr6d.cloudfront.net/CIK-0000789570/a390c443-0c40-4025-aba2-74505ab3c9e3.pdf
  14. "Complaints filed say MGM Resorts, Caesars Entertainment failed to protect information from cyberattack". Channel 13 Las Vegas News KTNV. September 26, 2023. Retrieved September 26, 2023.
  15. Croft, Daniel (September 26, 2023). "5 class actions launched against MGM, Caesars". www.cybersecurityconnect.com.au. Retrieved September 26, 2023.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.