CISA, FBI warn of Scattered Spider expertise with social engineering, SIM swapping

The leading cybersecurity officials in the U.S. published a stark warning on Thursday about a group of hackers who have disrupted some of the largest companies in the country through social engineering and other tactics.

The hacking group Scattered Spider — also known by a variety of other names including Starfraud, UNC3944, Scatter Swine, and Muddled Libra — has drawn headlines in recent months for alleged attacks on casino giants MGM Resorts and Caesars Entertainment.

In an advisory and press roundtable on Thursday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) added to the research done by cybersecurity experts on how the group operates.

Senior FBI officials were tight-lipped about whether rumors that Scattered Spider has members in the U.S. and U.K. are accurate and declined to say how many victims of the group have come forward.

But FBI officials made oblique references to several law enforcement operations against hacking groups in recent months and said the FBI is involved in an “ongoing investigation” into the group and cannot speak to any potential arrests.

“If you look at some of the things that we've been doing over the last year, from Hive, to Genesis Market, to BreachForums and the arrest that we had, then to Qakbot, just because you don't see actions being taken, it doesn't mean that there aren't actions that are being taken,” one senior FBI official said. “So there's a lot of things that we do behind the scenes.”

On the call and in the advisory, the FBI and CISA backed previous reports that said Scattered Spider has become an expert at manipulating employees to hand over sensitive credentials or account access by posing as help desk workers and IT officials.

The group uses a variety of tactics — including phishing, push bombing, and SIM swap attacks — to gain entry before exfiltrating data. In recent months the group has also deployed the ALPHV/BlackCat ransomware during attacks.

Officials said the advisory and roundtable are part of an effort by the U.S. government to “increase pressure” on ransomware gangs. They also urged more victims to come forward, explaining that the more information they are able to collect, the more likely they are to catch mistakes by the group and potentially stop them in the future.

The FBI official noted that after the operation to take down the infrastructure of the Hive ransomware gang, they discovered that only about 20% of the group’s victims ever came forward, illustrating the profound lack of information the government has about the depth of the ransomware issue.

The advisory — which was compiled from FBI investigations as recent as this month — says Scattered Spider has launched several attacks on the commercial facilities sector and its subsectors.

“Scattered Spider is a cybercriminal group that targets large companies and their contracted information technology (IT) help desks,” they wrote.

“Scattered Spider threat actors are considered experts in social engineering and use multiple social engineering techniques, especially phishing, push bombing, and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).”

Members of the group have been able to convince employees of victim companies to run commercial remote access tools or to share one-time passwords.

In other cases, they have bombarded employees with repeated MFA push notifications in the hope that one would simply press the “Accept” button, or convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card they controlled.
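
To make the push-bombing pattern concrete, the following is an added detection example, not code from the advisory, the article, or any identity vendor. It scans constructed MFA push log lines (the log format, field names, user names, IP addresses, time window and threshold are all assumptions made for illustration) and flags a user who approves a prompt after a burst of denied or timed-out prompts, which is exactly the sequence a push-fatigue attack produces.

```python
"""Detect MFA push-bombing (push fatigue) in authentication logs.

Added example, not part of the CISA/FBI advisory or the article. The log
schema, thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on an identity provider's MFA push
# events: timestamp, user, result, source_ip. Not a real vendor schema.
SAMPLE_LOG = """\
2023-11-16T02:14:03Z alice push_denied 203.0.113.7
2023-11-16T02:14:41Z alice push_denied 203.0.113.7
2023-11-16T02:15:12Z alice push_timeout 203.0.113.7
2023-11-16T02:15:44Z alice push_denied 203.0.113.7
2023-11-16T02:16:30Z alice push_approved 203.0.113.7
2023-11-16T09:01:10Z bob push_approved 198.51.100.22
2023-11-16T09:45:00Z bob push_denied 198.51.100.22
2023-11-16T13:20:00Z carol push_timeout 192.0.2.9
2023-11-16T13:20:45Z carol push_approved 192.0.2.9
"""

WINDOW = timedelta(minutes=10)   # assumed look-back for counting unanswered pushes
FAILED_THRESHOLD = 3             # assumed number of failed pushes that counts as bombing
FAILED_RESULTS = {"push_denied", "push_timeout"}


def parse_events(text):
    """Parse whitespace-separated log lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        # Python < 3.11 does not accept a trailing "Z", so normalise it.
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, result, ip))
    events.sort(key=lambda e: e[0])
    return events


def detect_push_bombing(events, window=WINDOW, threshold=FAILED_THRESHOLD):
    """Return alerts for push-fatigue patterns.

    Two alert kinds are produced per user:
      push_fatigue_attempt  - failed/timed-out pushes reached the threshold inside
                              the window (the attacker already holds a valid password)
      push_fatigue_success  - an approval arrived while the failure count was at or
                              above the threshold (the user likely gave in)
    """
    recent_failures = defaultdict(list)  # user -> timestamps of recent failed pushes
    alerts = []
    for ts, user, result, ip in events:
        # Forget failures that have aged out of the window.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        if result in FAILED_RESULTS:
            recent_failures[user].append(ts)
            if len(recent_failures[user]) == threshold:
                alerts.append({"kind": "push_fatigue_attempt", "user": user,
                               "at": ts.isoformat(), "failed_pushes": threshold,
                               "source_ip": ip})
        elif result == "push_approved":
            n = len(recent_failures[user])
            if n >= threshold:
                alerts.append({"kind": "push_fatigue_success", "user": user,
                               "at": ts.isoformat(), "failed_pushes": n,
                               "source_ip": ip})
            # An approval ends the current burst either way.
            recent_failures[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the constructed log, only alice trips the detector: an attempt alert at the third failed prompt and a success alert when she finally approves after four. A burst of denials with no approval is worth alerting on by itself, since it means the caller already has a working password; in production the same logic would consume real identity-provider events, and number-matching or phishing-resistant MFA removes the "just press Accept" option altogether.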

In several instances, the hackers have exfiltrated data and threatened to release it without ever deploying ransomware.

“Once persistence is established on a target network, Scattered Spider threat actors often perform discovery, specifically searching for SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and instructions for setting up/logging into Virtual Private Networks (VPN),” CISA and the FBI said.

To find out whether they have been detected, the group has been seen searching Slack, Microsoft Teams, and Exchange Online for emails or conversations about the intrusion.

The advisory says Scattered Spider hackers “frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses.”

“This is sometimes achieved by creating new identities in the environment and is often upheld with fake social media profiles to backstop newly created identities,” they explained.

At a Washington Post Live event in September, Deputy Attorney General Lisa Monaco spoke at length about the phenomenon of relatively young people joining hacking groups like Scattered Spider, Lapsus$ and others — warning that more needs to be done to counter the trend.

“This juvenile hacking phenomenon is not unlike what we saw in the terrorism landscape, individuals radicalized online,” she said. “And how do we as a federal government, as a federal national security enterprise address that? How do we help our state and local partners address that?”

The group initially made a name for itself with several high-profile attacks, including one on Coinbase in February. A report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in 9,931 accounts from more than 136 organizations being compromised — including Riot Games and Reddit.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.