
How a nebula, “The Comm”, spawned one of the most feared gangs of the moment, Scattered Spider


Finally some good news about Scattered Spider, this gang of cybercriminals active since spring 2022? The Spanish press has just announced the arrest of an Englishman presented as one of the leaders of this informal group of computer hackers. The 22-year-old was preparing to fly to Italy when he was arrested in Palma de Mallorca, in the Balearic archipelago.

This arrest follows a first arrest in connection with this gang in January 2024, that of a 19-year-old American in Florida, according to specialist journalist Brian Krebs. “These arrests demonstrate that efforts are being made by the FBI” against this group, “dazzling, which acquired a certain weight in a very short time,” says Nicolas Arpagian, vice-president of HeadMind Partners.

It was about time, because Scattered Spider has become a real challenge for the American Federal Bureau of Investigation, forcing it to innovate in its methods. One of its executives, Brett Leatherman, even told The Record at the beginning of May: “I don’t know if I could answer that it will be possible to dismantle them” one day. This admission of powerlessness by the FBI, criticized for its lack of results, should be put into perspective given the vague contours of this cybercriminal organization.

Two resounding attacks

Likened to a big-city street gang, Scattered Spider is in fact said to bring together young cybercriminals from the United States and the United Kingdom. Also called UNC3944, Oktapus, Octo Tempest, Scatter Swine or Muddled Libra by computer security experts, these hackers have distinguished themselves in hacks with worldwide impact, such as those which affected the casinos of the MGM group and Caesars Entertainment in September 2023.

These many different names mask a fairly loose structure, a classic of cybercrime. The cybersecurity company Sekoia, which tracks the gang’s activity through its phishing pages, distinguishes, for example, two groups of actors within Scattered Spider: those focused on the simplest tasks, such as creating a phishing page or sending SMS messages, “and very skilled cybercriminals, who know very well how to hijack computer systems”, notes a company analyst. As Mandiant, a Google Cloud subsidiary, points out in a recent report, the group targets SaaS applications and the vSphere and Azure clouds in particular.

But whatever their name, these hackers have their roots in a nebula called “The Comm”, also spelled with a single “m”. It is a veritable school of cybercrime, where racism sometimes coexists with misogyny, and which is coordinated on the social network Discord and the instant messaging service Telegram. According to the FBI, the cybercriminals who gravitate in these circles have distinguished themselves in particular through cases of swatting, false reports of crimes intended to provoke an intervention by police units such as Raid or GIGN.

The shadow of Lapsus$

They are also active in SIM swapping, the hijacking of telephone lines for the purposes of theft, which is precisely one of the trademarks of Scattered Spider. The breeding ground of “The Comm” has thus allowed the emergence of several groups of malicious hackers, notes SentinelOne. The IT security company cites, for example, the Lapsus$ group, hackers who sought both to break the bank and to gain notoriety.

If this nebula, which has become one of the FBI’s main cyber targets, is so worrying, it is because these cybercriminals have managed to build a bridge with groups specializing in ransomware, like ALPHV/BlackCat. This type of criminal group usually works “almost exclusively with Russian-speaking malicious actors”, recalls the Sekoia analyst.

Profitable alliance

This “slightly strange alliance”, in his words, has nevertheless clearly proved very lucrative. Scattered Spider gains additional leverage over its victims with the deployment of ransomware, beyond data exfiltration, while the gang behind the malicious program gains juicier targets, located mainly in North America.

Although Sekoia has spotted phishing pages targeting French telecoms companies, the Paris prosecutor’s office does not have any ongoing investigations in its portfolio against these cybercriminals. In an infographic, the company CrowdStrike reported victims in France, but without giving further details.

Regardless, their modus operandi is well documented today. “They know exactly who they want to target in the target companies, such as administrators or systems engineers”, notes the Sekoia analyst. After phishing campaigns revolving, for example, around the cancellation of leave or a meeting, which provide initial access, the cybercriminals then switch to SIM swapping in order to update a password or the authentication token.

“They are also active exploiters of vulnerabilities, having previously documented the flaws of major platforms”, also notes Nicolas Arpagian. These many malicious techniques allowed them to cause real financial disasters. The computer attack on MGM cost the company approximately $100 million, while the attack on Caesars ultimately resulted in the payment of a $15 million ransom. These hefty bills could, however, now turn against the young man arrested in Spain. According to the police, the suspect saw the equivalent of $27 million pass through his crypto accounts.
