MGM Resorts hackers 'one of the most dangerous financial criminal groups’

The hackers behind the ransomware attack that crippled operations at MGM Resorts are “one of the most dangerous financial criminal groups” currently operating, researchers at Microsoft said Wednesday.

In a blog, the researchers explained the tactics used by Octo Tempest, a group also known as Scattered Spider, 0ktapus or UNC3944.

The group has been in the limelight since its attack on MGM Resorts left parts of Las Vegas paralyzed for days and cost the casino giant an estimated $100 million. The situation became so dire that federal authorities and the White House became involved in the recovery effort.

Microsoft echoed the findings of other researchers, outlining how Octo Tempest has evolved from prolific attackers using social engineering and SIM swapping to now deploying the AlphV/Black Cat ransomware.

The researchers also documented the group’s cruelty during their attacks. The hackers sent threatening text messages to employees of an unnamed company, claiming they would share information that could get an employee fired. They also said they would send someone to the person’s house with a gun. In other messages, the hackers threatened to send shooters that would attack the employee and their wife.

“In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts. These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access,” Microsoft explained.

ALPHV union

As native English speakers, the group’s ability to deploy adversary-in-the-middle (AiTM) techniques, social engineering, and SIM-swapping tactics separates it from many other hacker gangs.

Microsoft said the group was initially seen in early 2022 attacking mobile telecommunications and business process outsourcing organizations to initiate SIM swaps.

They were able to monetize these attacks by selling their SIM swaps to other hackers and launching account takeover attacks targeting wealthy cryptocurrency owners.

“In late 2022 to early 2023, Octo Tempest expanded their targeting to include cable telecommunications, email, and technology organizations,” Microsoft said.

“During this period, Octo Tempest started monetizing intrusions by extorting victim organizations for data stolen during their intrusion operations and in some cases even resorting to physical threats.”

By the middle of this year, the group had become an affiliate of the ALPHV/Black Cat ransomware gang, which has been responsible for some of the most devastating attacks on record.

Initially, Octo Tempest did not use the ALPHV ransomware during attacks, only extorting victims through data that was stolen and posted to the ALPHV leak site, but in June it first began deploying it.

According to Microsoft, the union between Octo Tempest and ALPHV was a first because Eastern European ransomware gangs typically refuse to do business with English-speaking cybercriminals.

The industries they target have also expanded, now including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.

Help desk scams

Part of the group’s success revolves around attacks that organizations do not typically plan for, according to Microsoft.

“The well-organized, prolific nature of Octo Tempest’s attacks is indicative of extensive technical depth and multiple hands-on-keyboard operators,” the researchers said.

“Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor to gain initial access to accounts.”

The hackers research the organizations they attack and identify prime targets that can be impersonated in phone calls to IT help desks.

Using personal information, they are able to resemble employees and convince administrators to reset passwords or multifactor authentication (MFA) methods.

In some cases, the hackers have purported to be new employees, blending into the onboarding process.

According to Microsoft, the group gains its initial access through several methods:

• Social Engineering: They call an employee pretending to be a fake IT worker and have them install remote monitoring and management tools. From there, they have an employee enter credentials into a fake login portal
• Help desk scams: They call an organization’s help desk and have IT workers reset an employee’s password or change a multi-factor authentication token/factor
• Credential purchase: They simply purchase an employee’s credentials on underground markets
• Text: They send employees a SMS phishing link with a fake login portal
• SIM Swapping: By taking over an employee’s phone number, they can initiate a password reset and change it to whatever the hackers want.

The group has been seen conducting extensive research on victims before advancing attacks, enumerating networks so that once access is gained they can quickly export important data and user information.

“Octo Tempest employs an advanced social engineering strategy for privilege escalation, harnessing stolen password policy procedures, bulk downloads of user, group, and role exports, and their familiarity with the target organizations procedures,” they said.

“The actor’s privilege escalation tactics often rely on building trust through various means, such as leveraging possession of compromised accounts and demonstrating an understanding of the organization’s procedures. In some cases, they go as far as bypassing password reset procedures by using a compromised manager’s account to approve their requests.”

Microsoft observed instances where the hackers turn off security products after compromising the accounts of security personnel.

They have even changed security staff mailbox rules “to automatically delete emails from vendors that may raise the target’s suspicion of their activities.”

Octo Tempest typically keeps control of its access to victim networks by exploiting login tools like AADInternals and Okta.

The gang has used a variety of methods to monetize its attacks, including but not limited to stealing cryptocurrency, selling stolen data, extorting victims and using ransomware.

Microsoft’s report adds to a body of research on the group since its attack on MGM Resorts caused significant issues for multiple hotels across Las Vegas.

In a report last month, security experts at cybersecurity firm and Google subsidiary Mandiant spotlighted the group’s evolution from relatively aimless — yet high-profile — data theft incidents on major tech firms to sophisticated ransomware attacks on a wide range of industries.

It initially made a name for itself with several high-profile attacks, including one on Coinbase in February.

A report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in nearly 10,000 accounts from more than 136 organizations being compromised — including Riot Games and Reddit.