CISA and FBI warn of Scattered Spider’s expertise in social engineering and SIM swapping


Top U.S. cybersecurity officials issued a stark warning Thursday about a group of hackers who have disrupted some of the country’s largest companies through social engineering and other tactics.

The hacker group Scattered Spider – also known by various other names, including Starfraud, UNC3944, Scatter Swine and Muddled Libra – has made headlines in recent months for alleged attacks on casino giants MGM Resorts and Caesars Entertainment.

In an advisory and press roundtable on Thursday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) added to the body of research done by cybersecurity experts on how the group operates.

Top FBI officials have remained tight-lipped about the accuracy of rumors that Scattered Spider had members in the United States and the United Kingdom and declined to say how many victims of the group have come forward.

But FBI officials made indirect references to several recent law enforcement operations targeting hacking groups in recent months and said the FBI was involved in an “ongoing investigation” into the group and could not comment on possible arrests.

“If you look at some of the things we’ve done over the last year, from Hive to Genesis Market, to BreachForums and the arrest we had, and then to Qakbot, just because you don’t see any actions taken, that doesn’t mean no action is being taken,” senior FBI officials said. “So there are a lot of things we’re doing behind the scenes.”

In the advisory, the FBI and CISA corroborated previous reports that Scattered Spider had become expert at manipulating employees into handing over sensitive credentials or account access by posing as help desk employees and IT managers.

The group uses various tactics, including phishing, push bombing and SIM swap attacks, to gain access before exfiltrating data. In recent months, the group has also deployed ALPHV/BlackCat ransomware in attacks.

Officials said the advisory and roundtable were part of a U.S. government effort to “increase pressure” on ransomware gangs. They also urged more victims to come forward, explaining that the more information they are able to gather, the more likely they are to detect the group’s mistakes and potentially stop them in the future.

The FBI official noted that after the operation to dismantle the Hive ransomware gang’s infrastructure, they discovered that only about 20% of the group’s victims had come forward, illustrating the profound lack of information the government has on the scale of the ransomware problem.

The advisory – which was compiled from FBI investigations as recently as this month – states that Scattered Spider launched multiple attacks against commercial facilities sectors and sub-sectors.

“Scattered Spider is a cybercriminal group that targets large companies and their contracted IT support services,” they wrote.

“Scattered Spider threat actors are considered experts in social engineering and use several social engineering techniques, particularly phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or circumvent multi-factor authentication (MFA).”

Group members were able to convince employees of victimized companies to use commercial remote access tools or share one-time passwords.

In other cases, they sent multiple notifications asking employees to simply press the “Accept” button, or convinced mobile carriers to transfer control of a targeted user’s phone number to a SIM card they controlled.
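The push-bombing pattern described above leaves a recognizable trace in MFA logs: a run of denied or ignored prompts for one user, followed by an approval. The following detection script is an added example for this article, not code from CISA, the FBI or Recorded Future; the JSON-per-line log format, the event names and the thresholds are assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tuning: look-back window and how many denied/ignored pushes are suspicious.
WINDOW = timedelta(minutes=10)
MIN_REJECTED = 5
REJECTED = {"push_denied", "push_timeout"}

# Constructed sample lines in an assumed JSON-per-line format (not real logs).
SAMPLE_LOG = """
{"ts": "2023-11-16T09:00:05", "user": "alice", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:00:40", "user": "alice", "event": "push_timeout",  "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:01:10", "user": "alice", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:01:55", "user": "alice", "event": "push_timeout",  "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:02:30", "user": "alice", "event": "push_denied",   "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:03:00", "user": "alice", "event": "push_approved", "src_ip": "198.51.100.7"}
{"ts": "2023-11-16T09:04:00", "user": "bob",   "event": "push_timeout",  "src_ip": "203.0.113.9"}
{"ts": "2023-11-16T09:04:30", "user": "bob",   "event": "push_approved", "src_ip": "203.0.113.9"}
"""


def parse_events(lines):
    """Parse JSON log lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_push_bombing(lines, window=WINDOW, min_rejected=MIN_REJECTED):
    """Flag approvals preceded by >= min_rejected denied/ignored pushes in the window."""
    by_user = defaultdict(list)
    for rec in parse_events(lines):
        by_user[rec["user"]].append(rec)
    alerts = []  # for analyst triage, not automatic blocking
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["event"] != "push_approved":
                continue
            # Denied or timed-out pushes for this user inside the look-back window.
            prior = [e for e in evs[:i]
                     if e["event"] in REJECTED and e["ts"] >= ev["ts"] - window]
            if len(prior) >= min_rejected:
                alerts.append({"user": user, "approved_at": ev["ts"].isoformat(),
                               "rejected_or_ignored": len(prior),
                               "src_ips": sorted({e["src_ip"] for e in prior})})
    return alerts
```

On the sample data only alice is flagged; an alert with a source IP the user has never authenticated from before is the one worth escalating first.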

In several cases, hackers exfiltrated data and threatened to release it without ever deploying ransomware.

“Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically looking for SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and instructions for setting up/connecting to Virtual Private Networks (VPN),” CISA and the FBI said.

To see whether their actions had been discovered, the group was seen searching Slack, Microsoft Teams and Microsoft Exchange Online for emails or conversations indicating that the intrusion had been detected.

The advisory states that Scattered Spider hackers “frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.

“This is sometimes achieved by creating new identities in the environment and is often supported by fake social media profiles to back up the newly created identities,” they explained.

At a Washington Post Live event in September, Deputy Attorney General Lisa Monaco spoke at length about the phenomenon of relatively young people joining hacking groups like Scattered Spider, Lapsus$ and others – warning that more needed to be done to counter the trend.

“This phenomenon of juvenile hacking is not unlike what we have seen in the terrorist landscape, individuals radicalized online,” she said. “And how can we, as the federal government, as a federal national security enterprise, solve this problem? How can we help our state and local partners solve this problem?”

The group first made a name for itself with several high-profile attacks, including one against Coinbase in February. A report by cybersecurity firm Group-IB said a recent phishing campaign by the group resulted in the compromise of 9,931 accounts from over 136 organizations, including Riot Games and Reddit.

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.