© Reuters. An exterior view of the MGM Grand Hotel and Casino, after MGM Resorts shut down some computer systems due to a cyber attack in Las Vegas, Nevada, U.S., September 13, 2023. REUTERS/Bridget Bennett/File Photo
By Zeba Siddiqui, Christopher Bing and Raphael Satter
SAN FRANCISCO/WASHINGTON (Reuters) – The U.S. Federal Bureau of Investigation (FBI) has struggled to stop a hyper-aggressive cybercrime gang that has tormented U.S. businesses over the past two years, according to nine cybersecurity experts, digital crime experts and victims.
For more than six months, the FBI has known the identities of at least a dozen members linked to the hacking group responsible for the devastating September break-ins at casino operators MGM Resorts International and Caesars Entertainment, according to four people familiar with the investigation.
Industry executives told Reuters they were baffled by the apparent lack of arrests, despite many of the hackers being based in the United States.
“I wish someone would explain it to me,” said Michael Sentonas, president of CrowdStrike, one of the companies leading the hack response efforts.
“For such a small group, they are absolutely causing havoc,” Sentonas told Reuters in an interview last month.
Sentonas said the hackers were “known” but did not provide details. He said: “I think there is a failure here.” When asked who was responsible for this failure, Sentonas replied: “law enforcement.”
The FBI said it was investigating the hacks of the gaming companies, but an agency spokesperson declined to comment on the group responsible or the status of the investigation. A Justice Department spokesperson also declined to comment.
Nicknamed “Scattered Spider” by some security professionals, the hacker group has been active since 2021 but hit the headlines following a series of intrusions into several prominent American companies.
MGM’s breach disrupted operations at its casinos and hotels for days and cost the company about $100 million in damages, it said in a regulatory filing last month. Caesars paid about $15 million in ransom to regain access to its systems from the hackers, according to a Wall Street Journal report.
Neither company responded to a request for comment.
CrowdStrike, Alphabet’s Mandiant, Palo Alto Networks and Microsoft are among the leading US cybersecurity companies responding to the hackers’ breaches of private companies. Some have collected evidence that helps determine the hackers’ identities and are helping law enforcement, according to the five insiders.
The sources say that after the casino hacks in September, the FBI investigation took on new urgency. FBI officials began looking into the hacker operations more than a year ago.
Security analysts tracking breaches have discovered a wide range of victims across almost every industry, from telecommunications and outsourcing companies to healthcare and financial services companies.
In total, about 230 organizations have been affected since the start of last year, according to a tally by Baltimore, Maryland-based cybersecurity firm ZeroFox, which helped Caesars contain the fallout.
ZeroFox chief executive James Foster attributed the slow response from law enforcement to a lack of manpower. In recent years, numerous news reports have suggested that the bureau is losing many of its top cyber agents to the private sector, which offers them higher salaries.
“Law enforcement, especially at the federal level, has all the tools and resources they need to successfully track down cybercriminals,” Foster said. “They just don’t have enough people.”
Another challenge has been the reluctance of many victims to cooperate with the FBI. One of the sources, an executive involved in defending against the hackers who declined to be named, citing client confidentiality, said “several” victim companies never informed the bureau that they were compromised – meaning prosecutors lost the chance to acquire potentially important evidence.
This instinct to conceal an intrusion is not unusual, a former FBI official who requested anonymity and previously worked on ransomware investigations told Reuters.
“What I encountered working on ransomware is that nine times out of ten the company didn’t want to cooperate,” the former official said.
A third challenge lies in the amorphous nature of the group, made up of small clusters of individuals who collaborate on specific tasks from time to time. The gang’s loose structure helped earn it the nickname “Scattered,” as well as another industry nickname, “Muddled Libra,” among researchers.
For example, the team behind the casino hacks is called “Star Fraud,” according to two analysts. It is part of a larger hacker collective composed mainly of young cybercriminals who use the name “The Com” as slang for their community.
Most of the group’s members are based in Western countries, including the United States, cybersecurity companies say. They usually discuss hacking projects in shared chat channels on social messaging apps, including Telegram and Discord, which are popular with gamers.
A Telegram spokesperson did not respond to a request for comment on the hacks. A Discord spokesperson declined to comment on the reports, but said the platform prohibits illegal activities and takes action, including banning or shutting down groups or users who engage in such practices.
Historically, the group’s amorphous form has made it difficult for the FBI to coordinate internally among its many field offices across the country, three people familiar with the matter said. For months, many field offices independently investigated individual hacks launched by the same group but were not immediately aware of their connection, delaying the process.
Recently, the FBI field office in Newark, New Jersey, has been investigating the hacking group and is making progress, according to these three people, who did not provide details. They added that a new special agent had been assigned to the case.
Meanwhile, in recent months, alarming details of The Com’s aggressive tactics have been made public. Its members are involved in a range of illicit schemes, from sextortion and ransomware to phone scams and paying people to commit physical violence, a practice known as “violence as a service”.
In a report released by Microsoft late last month, the technology company cited hackers linked to Scattered Spider who threatened to kill employees of a victim organization unless they coughed up their passwords.
“If we don’t receive your…login within the next 20 minutes we will send a shooter to your house (sic),” one of the messages read. Another followed by saying: “Your wife is going to get shot if you don’t fold it.”
Attempts by Reuters to contact the hackers for this story were unsuccessful.
“I think they’re pathological,” Kevin Mandia, Mandiant’s founder, said in a September interview. “We have seen how they interact with victim companies. They are ruthless.”
Mandia did not respond directly when asked if law enforcement knew Scattered Spider’s identity. But he said there was no excuse for not stopping hackers operating from the West.
“If they are in democratized countries that work with the international community, you have to catch them,” he said.
(This story has been refiled to remove repetition of paragraph 8)