
Scattered Spider: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Line 13: Line 13:


=== MGM hack ===
=== MGM hack ===
Scattered Spider collaborated with ALPHV, a software development team which provides [[ransomware]] as a service. Scattered Spider called MGM's [[Technical support|help desk]] posing asan employee it found on [[LinkedIn]] to gain internal access. The group gained access on September 11, 2023.<ref name=":4" />
Scattered Spider collaborated with ALPHV, a software development team which provides [[ransomware]] as a service. Scattered Spider called MGM's [[Technical support|help desk]] posing as an employee it found on [[LinkedIn]] to gain internal access. The group gained access on September 11, 2023.<ref name=":4" />


MGM Resorts first disclosed the cyberattack on September 12, 2023, in a regulatory filing. The company stated that though it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, which include but are not limited to credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking.<ref name=":5" />
MGM Resorts first disclosed the cyberattack on September 12, 2023, in a regulatory filing. The company stated that though it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, which include but are not limited to credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking.<ref name=":5" />


MGM and the US [[Federal Bureau of Investigation|FBI]] are presently investigating the cyberattack, and the casino operator has taken down its website.<ref name=":2" /> [[Moody's Corporation]] has stated that due to MGM's heavy reliance on computers for much off its operations, its [[credit rating]] could go down as a result of the cyberattack.<ref name=":3" />
MGM and the US [[Federal Bureau of Investigation|FBI]] are presently investigating the cyberattack, and the casino operator has taken down it's website.<ref name=":2" /> [[Moody's Corporation]] has stated that due to MGM's heavy reliance on computers for much of its operations, it's [[credit rating]] could go down as a result of the cyberattack.<ref name=":3" />


=== Caesars hack ===
=== Caesars hack ===
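
Review bot: in the third MGM paragraph the new text changes "its website" to "it's website" and "its [[credit rating]]" to "it's [[credit rating]]"; both are possessives, so "its" should be kept in both places. The other corrections in this edit ("asan" to "as an" in the first paragraph, "much off" to "much of" in the third) are fine and can stay.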

Revision as of 22:07, 14 September 2023

Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra,[1] is a hacking group mostly made up of individuals aged 19 to 22 as of September 2023. The group, whose name was coined by cybersecurity researchers, gained notoriety for hacking Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. Scattered Spider is believed to be primarily made up of operatives based in both the US and the United Kingdom.[2][3]

Early history

Scattered Spider is believed to have been founded in May 2022; its early attacks were carried out against telecommunications firms. The group engaged in SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram.[1] Its activities prior to the casino cyberattacks were noted for exploiting the security bug CVE-2015-2291, a cybersecurity issue in Windows' anti-DoS software,[4] to terminate security software, allowing the group to evade detection. The group is further noted for having a deep understanding of Microsoft Azure, is able to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and has used legitimately developed remote-access tools.[1]

The group later became known for targeting critical infrastructure prior to moving on to its 2023 casino hacks.[5]

2023 casino hacks

Scattered Spider gained access to both Caesars' and MGM's internal systems through the use of social engineering. Upon the announcement of the attacks on both companies, the stock prices of both MGM and Caesars dropped. The group was able to bypass multi-factor authentication technologies by obtaining login credentials and one-time passwords.[6][7]

MGM hack

Scattered Spider collaborated with ALPHV, a software development team which provides ransomware as a service. Scattered Spider called MGM's help desk posing as an employee it found on LinkedIn to gain internal access. The group gained access on September 11, 2023.[6]

MGM Resorts first disclosed the cyberattack on September 12, 2023, in a regulatory filing. The company stated that although it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, including but not limited to those handling credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking.[7]

MGM and the US FBI are presently investigating the cyberattack, and the casino operator has taken down its website.[3] Moody's Corporation has stated that due to MGM's heavy reliance on computers for much of its operations, its credit rating could go down as a result of the cyberattack.[5]

Caesars hack

Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half the group's original demand of $30 million. Scattered Spider, using tactics similar to those in its attack on MGM, was able to access driver's license numbers, and possibly Social Security numbers, for a "significant number" of Caesars customers.[2][8]

Statements made by Caesars noted that while the company cannot guarantee the deletion of the information obtained by Scattered Spider, the casino operator will take all necessary actions to achieve that result.[2]

References

  1. "Scattered Spider: The Modus Operandi". www.trellix.com. Retrieved September 14, 2023.
  2. "Caesars Entertainment says it was also a victim of a cyberattack". NBC News. September 14, 2023. Retrieved September 14, 2023.
  3. Bracken, Becky (September 14, 2023). "'Scattered Spider' Behind MGM Cyberattack, Targets Casinos". Dark Reading. Retrieved September 14, 2023.
  4. "CVE-2015-2291 : (1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows all". www.cvedetails.com. Retrieved September 14, 2023.
  5. "MGM Resorts breached by 'Scattered Spider' hackers: Sources". Business Insurance. Retrieved September 14, 2023.
  6. Siddiqui, Zeba; Bing, Christopher (September 13, 2023). "MGM Resorts breached by 'Scattered Spider' hackers: sources". Reuters. Retrieved September 14, 2023.
  7. "Young hackers are sticking up Las Vegas casinos for hefty ransoms". Quartz. September 14, 2023. Retrieved September 14, 2023.
  8. "Caesars Entertainment says it was also a victim of a cyberattack". NBC News. September 14, 2023. Retrieved September 14, 2023.