Scattered Spider
Who is Scattered Spider?
Scattered Spider, also known as UNC3944 or Starfraud, is a hacking group that emerged in May 2022. The group is composed primarily of young individuals, aged 19 to 22, from the United States and the United Kingdom. They gained significant notoriety for their cyberattacks on high-profile targets such as MGM Resorts and Caesars Entertainment in 2023.
The group is highly proficient in social engineering tactics, which involve manipulating individuals into divulging confidential information. Their methods include phishing, SIM swapping, and exploiting multi-factor authentication fatigue. By using these techniques, they manage to obtain login credentials and bypass security measures to gain unauthorized access to systems.
In their attacks on MGM and Caesars, Scattered Spider was able to access internal systems by posing as employees and tricking help desk personnel. They leveraged this access to deploy ransomware and extract sensitive data, which they then used for extortion. Caesars reportedly paid a ransom of $15 million to mitigate the attack.
In early September 2023, Okta disclosed that four of its customers were compromised in a social engineering campaign by the Scattered Spider hacking group. The attackers tricked IT service desk personnel into resetting multi-factor authentication (MFA) factors for highly privileged users. This allowed the hackers to gain super administrator privileges, manipulate Active Directory, and impersonate users within the compromised organizations. The campaign highlighted the vulnerabilities in identity and access management systems and emphasized the need for enhanced security measures and vigilance against social engineering attacks (TechTarget).
Scattered Spider's activities are not limited to the casino industry; they have also targeted financial services firms, using similar social engineering techniques to conduct their attacks. The group has shown resilience and adaptability, posing a unique challenge to law enforcement agencies like the FBI and CISA, which are actively working to track and dismantle their operations.
Scattered Spider's recent activities also include deploying ransomware to maximize their extortion efforts. They have been linked to the BlackCat/ALPHV ransomware gang, and their attacks typically result in significant operational disruptions for the victims.
Despite increased efforts by law enforcement agencies like the FBI and CISA to crack down on the group, Scattered Spider continues to operate actively. The FBI has been working on bringing charges against members of the group, even those underage, by leveraging state and local laws to ensure justice (ITPro).
In early 2024, Scattered Spider integrated into RansomHub's arsenal. This collaboration enhances RansomHub's ability to conduct high-impact ransomware attacks, as seen in recent incidents involving major organizations (Dark Reading).
What techniques are used by the group?
Scattered Spider employs a variety of sophisticated social engineering techniques to achieve their objectives. Here are some of the key methods they use:
Phishing and Smishing: The group sends phishing emails and SMS messages (smishing) to trick victims into clicking on malicious links or providing sensitive information. These messages often lead to fake login pages designed to capture credentials (The Record from Recorded Future) (ITPro).
SIM Swap Attacks: This technique involves convincing a mobile carrier to transfer a victim’s phone number to a SIM card controlled by the attackers. This allows them to intercept two-factor authentication (2FA) codes sent via SMS, thereby gaining access to accounts protected by 2FA (Splunk) (The Record from Recorded Future).
MFA Fatigue Attacks: The attackers bombard the victim with numerous multi-factor authentication (MFA) requests, hoping the victim will eventually approve one out of frustration or confusion. This technique is used to bypass MFA protections (Splunk) (The Record from Recorded Future).
Impersonation and Help Desk Exploitation: Scattered Spider members impersonate employees and contact IT help desks, requesting password resets or MFA token resets. They often use personal information gathered from previous breaches to answer security questions and convince help desk personnel to grant them access (The Record from Recorded Future) (ITPro).
Creating Lookalike Domains: The group registers domains that closely resemble those of their targets. These domains are used to host fake login pages that trick employees into entering their credentials, which are then harvested by the attackers (ITPro).
Exploitation of Publicly Available Tools: They use legitimate remote monitoring and management (RMM) tools like Fleetdeck.io and Level.io to establish and maintain a foothold in victim networks. These tools allow them to conduct their activities under the guise of normal network operations (Splunk) (The Record from Recorded Future).
Living Off the Land: Scattered Spider uses legitimate software and tools available within the target’s environment to avoid detection. This approach minimizes their footprint and makes their activities harder to distinguish from normal operations (The Record from Recorded Future).
These techniques highlight the group's proficiency in manipulating human behavior and exploiting trust within organizations, making them a particularly challenging adversary for security teams.
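As an added, defender-side illustration (not code from the original page or from any vendor named in it), the following Python detection flags the MFA fatigue pattern described above in constructed push-MFA log lines: a burst of prompts to one user inside a short window that ends in an approval after repeated denials or timeouts. The field names (ts, user, event, result), the 10-minute window and the threshold of four prompts are assumptions, not any identity provider's real schema or tuning.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not real data): "jdoe" is push-bombed and finally approves.
SAMPLE_LOG = """
{"ts": "2023-09-01T08:00:05Z", "user": "jdoe", "event": "mfa.push.sent", "result": "DENY"}
{"ts": "2023-09-01T08:00:40Z", "user": "jdoe", "event": "mfa.push.sent", "result": "DENY"}
{"ts": "2023-09-01T08:01:10Z", "user": "jdoe", "event": "mfa.push.sent", "result": "DENY"}
{"ts": "2023-09-01T08:01:55Z", "user": "jdoe", "event": "mfa.push.sent", "result": "TIMEOUT"}
{"ts": "2023-09-01T08:02:30Z", "user": "jdoe", "event": "mfa.push.sent", "result": "ALLOW"}
{"ts": "2023-09-01T08:03:00Z", "user": "asmith", "event": "mfa.push.sent", "result": "DENY"}
{"ts": "2023-09-01T09:16:00Z", "user": "asmith", "event": "mfa.push.sent", "result": "ALLOW"}
"""

def parse_events(text):
    """Parse newline-delimited JSON into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("event") != "mfa.push.sent":
            continue  # only push prompts matter for this detection
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, rec["user"], rec["result"]))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """One alert per user who received >= threshold prompts inside a sliding window.
    The alert covers the latest qualifying burst and flags the push-bombing
    success pattern: a final ALLOW preceded only by DENY/TIMEOUT results."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))
    alerts = []
    for user, items in by_user.items():
        alert, start = None, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward past old prompts
            run = items[start:end + 1]
            if len(run) >= threshold:
                prior_results = [res for _, res in run[:-1]]
                alert = {"user": user, "prompts": len(run),
                         "first": run[0][0].isoformat(), "last": run[-1][0].isoformat(),
                         "approved_after_denials": run[-1][1] == "ALLOW"
                         and all(res != "ALLOW" for res in prior_results)}
        if alert:
            alerts.append(alert)
    return alerts
```

An alert with approved_after_denials set is the case worth treating as a probable compromise rather than a nuisance: the account should be contained and the MFA factor re-enrolled through a verified channel, not reset on a help-desk request.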
What is law enforcement doing about the group?
As of now, only one member of the Scattered Spider hacking group has been arrested. This individual, 19-year-old Noah Urban from Florida, was charged with wire fraud in January 2024. The FBI has indicated that there are ongoing efforts to charge more individuals associated with the group, which includes both adult and juvenile members. The agency is leveraging state and local laws to bring these individuals to justice effectively (ITPro) (Carrier Management).
In June 2024, Tyler Buchanan, a 22-year-old UK hacker linked to the Scattered Spider cybercrime group, was arrested in Palma de Mallorca, Spain, while attempting to board a flight to Italy. The arrest, which involved cooperation between the FBI and Spanish police, identified him as a SIM swapper known as "Tyler." Scattered Spider, also known as UNC3944, is known for sophisticated social engineering attacks, ransomware, and data theft (The Hacker News, Krebs on Security).
More information
CISA’s Security Advisory on Scattered Spider
Feds Charge Five Men in “Scattered Spider” Roundup - Krebs on Security