FBI struggled to disrupt dangerous casino hacking gang, cyber responders say
November 14, 2023
By Zeba Siddiqui, Christopher Bing and Raphael Satter
SAN FRANCISCO/WASHINGTON (Reuters) - The U.S. Federal Bureau of
Investigation (FBI) has struggled to stop a hyper-aggressive cybercrime
gang that's been tormenting corporate America over the last two years,
according to nine cybersecurity responders, digital crime experts and
victims.
For more than six months, the FBI has known the identities of at least a
dozen members tied to the hacking group responsible for the devastating
September break-ins at casino operators MGM Resorts International and
Caesars Entertainment, according to four people familiar with the
investigation.
Industry executives have told Reuters they were baffled by an apparent
lack of arrests despite many of the hackers being based in America.
"I would love for somebody to explain it to me," said Michael Sentonas,
president of CrowdStrike, one of the firms leading the response effort
to the hacks.
"For such a small group, they are absolutely causing havoc," Sentonas
told Reuters in an interview last month.
Sentonas said the hackers were "known" but didn't provide specifics. He
did say, "I think there is a failure here." Asked who was responsible
for the failure, Sentonas said, "law enforcement."
The FBI has said it is investigating the gaming company hacks, but a
spokesperson for the agency declined to comment on the larger group
responsible or where the investigation stands. A spokesman for the
Department of Justice also declined to comment.
Dubbed by some security professionals as "Scattered Spider," the hacking
group has been active since 2021 but it grabbed headlines following a
series of intrusions at several high profile American companies.
The MGM breach disrupted operations at its casinos and hotels for days
and cost the company roughly $100 million in damages, it said in a
regulatory filing last month. Caesars paid around $15 million in ransom
to regain access to its systems from the hackers, according to reporting
by the Wall Street Journal.
Neither company responded to a request for comment.
CrowdStrike, Alphabet's Mandiant, Palo Alto Networks, and Microsoft are
among the main American cybersecurity firms responding to private
company breaches by the hackers. Some have been collecting evidence
leading to the hackers' identities and are assisting law enforcement,
according to the five insiders.
The sources say that, following the September casino hacks, the FBI's
investigation took on new urgency. FBI officials first began looking at
the hackers' operations more than a year ago.
Security analysts tracking the breaches, meanwhile, have found a range
of victims across nearly every industry, ranging from telecoms and
outsourcing firms to healthcare and financial service companies.
In total, roughly 230 organizations have been hit since the beginning of
last year, according to a tally by the Baltimore, Maryland-based
cybersecurity firm ZeroFox, which has helped Caesars contain the
fallout.
ZeroFox’s Chief Executive James Foster attributed law enforcement’s
sluggish response to a lack of manpower. Over the last several years,
numerous press reports have suggested the bureau is losing many of its
best cyber agents to the private sector, who offer them higher salaries.
"Law enforcement, certainly at the federal level, has all the tools and
resources they need to be successful in going after cyber criminals,"
Foster said. "They just don't have enough people."
Another challenge has been the hesitancy of many victims to cooperate
with the FBI. One of the sources, an executive involved with defending
against the hackers, who declined to be named citing client
confidentiality, said "several" victim companies never informed the
bureau they were compromised – meaning prosecutors lost the chance to
acquire potentially important evidence.
Photo caption: An exterior view of MGM Grand hotel and casino, after MGM Resorts
shut down some computer systems due to a cyber attack in Las Vegas,
Nevada, U.S., September 13, 2023. REUTERS/Bridget Bennett/File Photo
This instinct to hide an intrusion isn't unusual, an ex-FBI official
who requested anonymity and previously worked on ransomware
investigations told Reuters.
"What I encountered working on the ransomware stuff is basically
nine out of 10 times the company did not want to cooperate," the
ex-official said.
A third challenge has been the loose-knit nature of the group, which
is made up of small clusters of individuals who collaborate
on-and-off on specific jobs. The gang’s murky structure helped earn
it the "Scattered" nickname, as well as another industry moniker,
"Muddled Libra," among researchers.
For example, the crew behind the casino job calls itself "Star
Fraud," according to two analysts. It is part of a larger hacker
collective made up of mostly young cybercriminals who use the name
"The Com" as a slang for their community.
Most of the group's members are based in Western countries,
including the United States, cybersecurity companies say. They
typically discuss hacking projects in shared chat channels on social
messaging apps, namely Telegram and Discord, which is popular with
gamers.
A Telegram spokesperson did not respond to a request for comment on
the hackers. A Discord spokesman declined to comment on them, but
said the platform bars illegal activity and takes steps including
banning or shutting down groups or users that engage in such
practices.
Historically, the group's amorphous shape made it difficult for the
FBI to coordinate internally across its many field offices around
the country, said three people familiar with the matter. For months,
numerous field offices were each independently investigating
individual hacks launched by the same group but were not immediately
aware of their connection, delaying the process.
Recently, the FBI's Newark, New Jersey field office has been
handling an investigation into the hacking group and is making
progress, according to those three people, who did not provide
details. They added that a new special agent has been assigned to
the case.
In recent months, meanwhile, alarming details of The Com’s
aggressive tactics have come into public view. Its members are
engaged in a range of illicit schemes, from sextortion and
ransomware to phone-based scams and paying people to commit physical
violence - also known as 'violence-as-a-service.'
In a report published by Microsoft late last month, the tech firm
quoted Scattered Spider-linked hackers as threatening to kill
employees of a victim organization unless they coughed up passwords.
"If we don't get ur…login in the next 20 minutes were sending a
shooter to your house (sic)," one of the messages read. Another
followed saying: "ur wife is gona get shot if you dont fold it."
Reuters' attempts to contact the hackers for this story were not
successful.
"I think they are pathological," Kevin Mandia, the founder of
Mandiant, said in an interview in September. "We have seen how they
interact with victim companies. They are ruthless."
Mandia didn't respond directly when asked whether Scattered Spider's
identities were known to law enforcement. But he did say that there
was no excuse for not arresting hackers who operated from the West.
"If they're in democratized nations that work with the international
community, you've got to catch them," he said.
(Reporting by Zeba Siddiqui in San Francisco, and Raphael Satter and
Christopher Bing in Washington; editing by Chris Sanders and Claudia
Parsons)
© 2023 Thomson Reuters. All rights reserved. This material
may not be published, broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.