Cybercrime , Fraud Management & Cybercrime , Ransomware
Will Arrests Squash Scattered Spider's Cybercrime Assault?
Members of Loosely Organized Group Recently Tied to Partnership With RansomHubWill the indictment of five alleged members of the loosely affiliated "Scattered Spider" cybercrime group disrupt its wider activities?
See Also: How UK government can continue to innovate while reducing tech costs
The U.S. Department of Justice unsealed Wednesday an indictment against four accused U.S. members - two each in Texas and one each in Florida and North Carolina - and said the latter two are in custody. Spanish police in May arrested another suspect, 22-year-old Scottish national Tyler Robert Buchanan. Federal prosecutors are seeking his extradition.
The FBI said it has tied the five indicted suspects to the targeting of at least 45 companies based in the U.S. and abroad, including Canada, the U.K. and India.
The men are all suspected members of Scattered Spider, which since emerging in mid-2022 has collectively attacked many more organizations - at least 130 - including MGM Resorts, Clorox and potentially the cryptocurrency trading platform Coinbase Global.
Scattered Spider is known for tricking help desks using their native English-speaking skills, running SIM-swap and phishing attacks, overwhelming targets with multifactor authentication push requests, and demanding massive ransoms from victims.
Part of the challenge when defending against the group is that its membership appears to be largely compromised of Western individuals launching domestic attacks.
"Scattered Spider is hard to disrupt," said Ian Thornton-Trump, CISO of cybersecurity solutions provider Inversion6, which is part of global managed services provider TRG. "In general, these are English-speaking, gifted social engineers, who rather than becoming very successful sales and marketing professionals selling cybersecurity solutions - or really anything else - decided to use their skills to socially engineer their way into some of the largest companies in the world."
The group has a reputation for using a multi-layered approach. In the case of MGM Resorts, "rather than using basic email phishing, the attackers took things a step further to make their attack look more convincing," said William Wright, CEO of Scottish penetration testing firm Closed Door Security. "They tracked an employee on LinkedIn and then contacted an IT help desk worker requesting a password reset. Once the new password was secured, they then conducted an MFA fatigue attack, which was enough to grant them system access."
Scattered Spider appears to know no ethical bounds. One member allegedly perpetrated the February attack earlier against Change Healthcare, part of UnitedHealth Group, that left its systems infected with ransomware from Russia-based partner ALPHV, a.k.a. BlackCat. When UHG paid a ransom to ALPHV reportedly worth $22 million, rather than giving its Western Scattered Spider affiliate their pre-agreed cut, the operators shut down, keeping the entire ransom for themselves. In response, the Western affiliate began shaking down UHG a second time, threatening to leak stolen data. Whether the business has paid any further ransoms remains unclear. What is clear is the massive disruption and risk the healthcare organization and its patients continue to face (see: Change Healthcare Attack Cost Estimate Reaches Nearly $2.9B).
Given the sheer disruption Scattered Spider has been causing, "at the upper echelon where business meets politics, the pressure on law enforcement to 'do something about these guys' is likely to be immense," Thornton-Trump said. "It's an all-out effort by international law enforcement against this group because they have proven to be so unbelievably dangerous."
Scattered Spider's Fast Moves
That danger may continue, as members of Scattered Spider appear to have recently partnered with up-and-coming ransomware operation RansomHub.
Cybersecurity firm Reliaquest said an intrusion it attributed to Scattered Spider involved an attacker rapidly navigating through a manufacturing organization's SharePoint and ESXi environments before unleashing RansomHub's crypto-locking malware.
"The attacker gained initial access to two employee accounts by carrying out social engineering attacks on the organization's help desk twice," ReliaQuest said in a blog post. "Within six hours, the attacker began encrypting the organization's systems."
Low-Complexity Attacks
Security experts trace Scattered Spider to the cybercrime community that calls itself "The Community," aka the Com or Comm, which in recent years also spawned the likes of Lapsus$ and Oktapus, aka 0ktapus. While the groups' members don't necessarily overlap, many of their tactics, techniques and procedures are similar, and often not technically sophisticated (see: Rising Ransomware Issue: English-Speaking Western Affiliates).
Nevertheless, their takings have been immense. The FBI said Buchanan at one time controlled at least 391 bitcoins, currently worth $30 million. The bureau analyzed digital forensic copies of 20 systems seized from Buchanan by Police Scotland in 2023. His alleged efforts involved domain names registered to resemble legitimate company URLs, the use of a phishing kit anyone can rent to help automate credential theft and "SIM-swapping and social engineering" schemes.
Those tactics mirror the findings of a report into Lapsus$ and similar groups published by the public-private U.S. Cyber Safety Review Board last year, which found they succeeded by using relatively simple attacks that often took advantage of organizations' authentication shortcomings, as well as cellular carriers' poor defenses against SIM-swapping attacks (see: Cyber Review: Teens Caused Chaos With Low-Complexity Attacks).
Open Questions
Will the U.S. indictments and arrests finally squash Scattered Spider? Charles Carmakal, CTO of Google Cloud's Mandiant, said the arrests have "over time significantly hampered the group's fast-paced tempo this year." Spanish police said that based on evidence shared by the FBI, the Scottish suspect they arrested was a key member of Scattered Spider.
"We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences," Carmakal said.
As previous cybercrime crackdowns have highlighted, deterrence isn't a complete strategy, not least given the massive illicit profits that teenagers and young adults with a high tolerance for risk - or having a base in Russia - can continue to achieve. The influx of new players seems to remain constant.
Any disruption of these groups by law enforcement is welcome and necessary. But one open question remains: how many key members of Scattered Spider might remain at large? The risk such groups pose has been well-documented, not least by the CSRB. Better defenses remain key to ensure organizations never fall victim to the smooth-talking, low-complexity attacks in which these types of criminals specialize.