September 27, 2023
The group behind casino hacks is skilled at tricking workers for access

(Bloomberg) — The hacking group suspected of cyberattacks against two giant casino operators has increasingly earned a name for its skills at social engineering, such as tricking someone into gaining access to a computer system or sensitive information.

Most read from Bloomberg

The group, known as Scattered Spiders and UNC3944, unleashed a web of chaos this week after launching a cyberattack on MGM Resorts International, according to five people familiar with the incident. The cyberattack resulted in websites and slot machines being shut down and staff having to manually check people into hotel rooms.

The same group was also behind the earlier attack on Caesars Entertainment Inc., according to the people. According to the two people, Caesars paid millions of dollars to hackers who broke into the company’s systems and threatened to release the data.

On Thursday, Caesars said in a regulatory filing that it discovered suspicious activity in its information technology network “as a result of a social engineering attack on an outsourced IT support vendor used by the company.” The identity of the seller could not be immediately known. “We have taken steps to ensure that stolen data is not removed by the unauthorized actor, although we cannot guarantee this outcome,” Kaiser said in the filing.

It is still unclear how the attackers entered MGM, with MGM declining to comment on details of the incident.

Read more: MGM, Caesars hacked by ‘Scattered Spider’ within weeks

They are “incredibly effective social engineers,” said Charles Carmakal, chief technology officer at Google Cloud’s Mandiant Inc., which has investigated the group in depth. He described the hacking group, which Mandiant first revealed in May 2022, as “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.”

Scattered Spiders members are based in the US and Britain, with some as young as 19 years old, according to four cybersecurity researchers familiar with the group.

According to cybersecurity experts, hackers specialize in targeting call centers or IT help desks, impersonating legitimate customers or employees to trick support staff into accessing accounts. They are then able to penetrate deep into the corporate network and attempt to gain administrative privileges, which gives them broader access to the network.

A man reached via the social media app Telegram, who identified himself as a member of Scattered Spiders, said the group consists of less than 10 people, mostly friends, and has been involved in hacking since the age of 11.

The group chooses targets carefully, focusing on companies worth $15 billion to $45 billion, and they do not attack hospitals, oil refineries and power plants, the person said. The group’s objective was to get rich quick and get away with it, the person said.

Bloomberg News could not independently confirm the man’s identity or affiliation with the hacking group. However, three cybersecurity experts assessed that the Telegram user was linked to a hacking group.

Read More: Useless Slots, Cash Bars Haunt Casino Goers After MGM Hack

According to Carmakal, Scattered Spider had previously deployed a type of ransomware known as ALPHV to extort victims. Ransomware is a type of malware that locks the victim’s files and the hackers demand payment to unlock them.

ALPHV is also the name of a hacking group that has developed ransomware, which it leases to others – known as affiliates – for a fee. ALPHV was first detected in November 2021. According to Microsoft Threat Intelligence, ALPHV uses a programming language called Rust, which helps it evade traditional cybersecurity detection measures and makes it harder for incident responders to reverse engineer the attackers’ malware code.

The FBI said in April 2022 that ALPHV ransomware was used in at least 60 attacks worldwide.

Brett Callow, a threat analyst at cybersecurity company Emsisoft, said ALPHV is likely Russia-based. He is among experts who believe the group evolved from earlier Russian hacking organizations that disbanded after several high-profile ransomware attacks, including the 2021 ransomware attack on the Colonial Pipeline company.

In a statement posted on the group’s dark web page on Thursday, ALPHV said it deployed the ransomware on MGM servers after company representatives did not respond to its ransom request. The group deployed the ransomware on September 11, the statement said, adding that they still had access to some of MGM’s infrastructure. According to the statement, claims that teenagers from America and Britain entered MGM are mere rumours.

An MGM spokesperson did not immediately respond to a request for comment on ALPHV’s claims.

Cyber ​​security company Cygnvs Inc. Alex Weintraub, an incident responder at Cybersecurity Inc., said he has interacted directly with ALPHV about 25 times since 2021 on behalf of hacked companies calling the cyber insurance company for help.

The group’s ransom demands are everywhere, he said. “There is no pattern,” Weintraub said, adding that he has been able to reduce ransom demands by 70%.

The exact nature of the relationship between the scatter spider and ALPHV is not known.

However, a representative of Scattered Spiders said that the groups have worked together many times and that Scattered Spiders is grateful for ALPHV’s help in attacks on some companies. The guy claimed that Scattered Spiders and ALPHV were just getting started.

Most Read from Bloomberg Businessweek

©2023 Bloomberg LP


Leave a Reply

Your email address will not be published. Required fields are marked *