MGM and Caesars hackers: who are they?

MGM Resorts International and Caesars Entertainment were both reportedly hit by the same hacker group called Scattered Spider. Cybernews asked cybersecurity experts for more details about the gang.

Two Las Vegas strip behemoths, MGM and Caesars, recently fell victim to a hacker attack. MGM was forced to shut down systems across all of its 31 resorts, while Caesars tried avoiding a similar fate by paying attackers millions of dollars.

Reportedly, both attacks were carried out by a hacker gang made up of US and UK-based individuals that cybersecurity experts call Scattered Spider, Roasted 0ktapus, UNC3944, or Storm-0875.

The group is relatively new, having been active since May 2022, JP Castellanos, director of threat intelligence for security firm Binary Defense, told Cybernews. Though it’s a relative newcomer, the gang has been on the radar of cybersecurity experts.

“Their social engineering techniques are very sophisticated, and they are known for voice phishing help desks, call centers, and even security operations centers (SOCs) to gain initial access.”

Erwin said.

Scattered Spider’s tactics

The gang falls under the “financially motivated” category, meaning monetary gain, not intelligence gathering, is the group’s primary goal. To profit from cybercrime, Scattered Spider employs several notable tactics.

“They use various social engineering tactics. For instance, it was reported that Caesars was compromised by a social engineering attack they carried out on the IT help desk. They also conduct Telegram and SMS phishing, SIM swapping, MFA fatigue, and other tactics as part of their attacks,” Castellanos explained.

Even though the gang is relatively new, its social engineering attacks are very mature, Steven Erwin, senior security consultant at cybersecurity firm TrustedSec, explained.

“Their social engineering techniques are very sophisticated, and they are known for voice phishing help desks, call centers, and even security operations centers (SOCs) to gain initial access,” Erwin told Cybernews.

To establish initial access, gang members would flood a victim with multi-factor authentication (MFA) requests, hoping the target would eventually coerce the victim into confirming their identity via notification.

Hackers would also target a company’s help desk with voice phishing, posing as employees of the target firm. The attack aims to convince a help desk worker to restore a password, allowing attackers to hijack an account. A similar tactic was reportedly employed to target MGM and Caesars.

Targets and modus operandi

Like many other cybercriminal collectives, Scattered Spider members often try spear-phishing attacks to convince specific targets to visit a malicious web page and enter their user credentials, said Carlos Perez, research practice lead at TrustedSec.

“Once they have a credential or are able to steal tokens, they have shown proficiency in pivoting and abusing cloud infrastructure,” Perez told Cybernews.

The gang would also target access tokens and one-time passwords (OTPs) to bypass authentication and penetrate target devices. According to Castellanos, once the gang penetrates the network, it swiftly steals data or installs ransomware.

However, the gang employs other tactics, such as abusing known vulnerabilities, for instance CVE-2015-2291, an Intel Ethernet diagnostics driver for Windows denial-of-service bug.

“Scattered Spider has largely been observed targeting telecommunications and Business Process Outsourcing (BPO) organizations. However, recent activity indicates that this group has started targeting other sectors, including critical infrastructure organizations and now gambling and leisure organizations,” Castellanos said.

ALPHV/BlackCat connection

Scattered Spider is a known affiliate of the infamous ALPHV/BlackCat ransomware gang, Erwin said. Attackers recently posted a lengthy description of the MGM attack on ALPHV’s dark web blog.

However, strictly speaking, this does not equate Scattered Spider with the better-known ransomware gang: extortion cartels distribute tasks, with some individuals developing malware and others employing it for attacks.

While currently Scattered Spider is affiliated with ALPHV/BlackCat, Quorum Cyber report indicates that the gangs’ hackers have used other strains such as Cuba ransomware.

So far, there’s no indication of the hackers’ identities. However, experts believe some members of the group are as young as 19 years old.

Even though attackers are supposedly inexperienced, Charles Carmakal, chief technology officer at Alphabet’s Mandiant Intelligence, told Reuters the group is “one of the most prevalent and aggressive threat actors impacting organizations in the United States today.”

ALPHV/BlackCat, however, disputed researcher claims regarding the age of Scattered Spider members.

What is ALPHV/BlackCat ransomware?

ALPHV/BlackCat ransomware was first observed in 2021. Like many others in the criminal underworld, the group operates a ransomware-as-a-service (RaaS) business, selling malware subscriptions to criminals.

The gang was noted for its use of the Rust programming language. According to an analysis by Microsoft, threat actors that began deploying it were known to work with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI believes that money launderers for the ALPHV/BlackCat cartel are linked to the Darkside and Blackmatter ransomware cartels, indicating that the group has a well-established network of operatives in the RaaS business.

Lately, ALPHV/BlackCat has been among the most active ransomware gangs. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.